09aa06e14f501a96ff62a08140a8f5ab4277f6bc2c76b1497cf352ea67eae3ab

Analysis

max time kernel
1800s
max time network
1452s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2023 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Restoro.exe
Size

910KB
MD5

39fef85fe114d96dde745b8ce0659b2e
SHA1

c30e2b541a5268f731824342dc3c3c02671891d7
SHA256

08333e61156e2ccfd7843a924fb671862fc226c89bf98f20ab95ea6125130ef7
SHA512

b5ecb8f469ed8ea2b351b7333356b15f0c73e3101052aa2dbcda8db00b9eabf94f1523601cab71dadb5ac83581f18c76f43ff704355be96af0a981567b9f6bab
SSDEEP

12288:SEiLRLvq1HB+OP6YyUCRXXzE4tyMgq/q7dps1XG2YZhH30DVUr0JImhySZP9ZerJ:StRLvGTK1RzE4t7D1Y4VUwJ77P4J

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nssB353.tmp\AccessControl.dll	acprotect

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\nssB353.tmp\AccessControl.dll	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

RestoroSetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Restoro = "\"C:\\Program Files\\Restoro\\bin\\RestoroApp.exe\""	RestoroSetup.exe

Downloads MZ/PE file
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 32 IoCs

Processes:

RestoroSetup.exeRestoroServiceSetup.exelzma.exelzma.exe

description	ioc	process
File opened for modification	C:\Program Files\Restoro\Restoro.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\ax.lza	RestoroSetup.exe
File created	C:\Program Files\Restoro\Restoroicon.ico	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro Terms of Use.url	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro Privacy Policy.url	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroApp.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\TechSupportApp.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\Restoro.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\msvcr120.dll	RestoroSetup.exe
File created	C:\Program Files\Restoro\RestoroSafeMode.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\RestoroAM.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroService.exe	RestoroServiceSetup.exe
File created	C:\Program Files\Restoro\LZMA.EXE	RestoroSetup.exe
File created	C:\Program Files\Restoro\engine.dat	RestoroSetup.exe
File created	C:\Program Files\Restoro\Restoro_uninstall.ico	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroProtection.exe	RestoroServiceSetup.exe
File created	C:\Program Files\Restoro\RestoroMain.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\engine.dll	lzma.exe
File created	C:\Program Files\Restoro\bin\RestoroScanner.exe	RestoroServiceSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro Uninstall Instructions.url	RestoroSetup.exe
File created	C:\Program Files\Restoro\uninst.exe	RestoroSetup.exe
File created	C:\Program Files\Restoro\ax.dll	lzma.exe
File created	C:\Program Files\Restoro\Restoro_website.ico	RestoroSetup.exe
File created	C:\Program Files\Restoro\savapi.dll	RestoroSetup.exe
File created	C:\Program Files\Restoro\Restoro_SafeMode.ico	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro Help & Support.url	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroUI.exe	RestoroServiceSetup.exe
File created	C:\Program Files\Restoro\Restoro.dat	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\Restoro.dat	RestoroSetup.exe
File opened for modification	C:\Program Files\Restoro\engine.dat	RestoroSetup.exe
File created	C:\Program Files\Restoro\engine.lza	RestoroSetup.exe
File created	C:\Program Files\Restoro\bin\RestoroUpdater.exe	RestoroServiceSetup.exe

Drops file in Windows directory 4 IoCs

Processes:

Restoro.exeRestoroUpdater.exeRestoroServiceSetup.exeRestoroSetup.exe

description	ioc	process
File opened for modification	C:\Windows\restoro.ini	Restoro.exe
File opened for modification	C:\Windows\restoro.ini	RestoroUpdater.exe
File opened for modification	C:\Windows\restoro.ini	RestoroServiceSetup.exe
File opened for modification	C:\Windows\restoro.ini	RestoroSetup.exe

Executes dropped EXE 14 IoCs

Processes:

sqlite3.exesqlite3.exesqlite3.exesqlite3.exeRestoroSetup.exelzma.exelzma.exeRestoroUpdater.exeRestoroServiceSetup.exeRestoroProtection.exeRestoroProtection.exeRestoroService.exeRestoroApp.exeRestoroMain.exe

pid	process
3036	sqlite3.exe
948	sqlite3.exe
1052	sqlite3.exe
3320	sqlite3.exe
4060	RestoroSetup.exe
1056	lzma.exe
3516	lzma.exe
2728	RestoroUpdater.exe
4968	RestoroServiceSetup.exe
4836	RestoroProtection.exe
608	RestoroProtection.exe
4232	RestoroService.exe
1588	RestoroApp.exe
2404	RestoroMain.exe

Loads dropped DLL 64 IoCs

Processes:

Restoro.exeRestoroSetup.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeRestoroUpdater.exe

pid	process
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4416	Restoro.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
4060	RestoroSetup.exe
2752	regsvr32.exe
2024	regsvr32.exe
2024	regsvr32.exe
1016	regsvr32.exe
3692	regsvr32.exe
4060	RestoroSetup.exe
2728	RestoroUpdater.exe
2728	RestoroUpdater.exe
2728	RestoroUpdater.exe
2728	RestoroUpdater.exe
2728	RestoroUpdater.exe

Registers COM server for autorun 1 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}\InprocServer32\ = "C:\\Program Files\\Restoro\\ax.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\InprocServer32\ = "C:\\Program Files\\Restoro\\ax.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates processes with tasklist 1 TTPs 16 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
4776	tasklist.exe
4540	tasklist.exe
480	tasklist.exe
1888	tasklist.exe
2356	tasklist.exe
3416	tasklist.exe
4692	tasklist.exe
640	tasklist.exe
4988	tasklist.exe
2456	tasklist.exe
4828	tasklist.exe
3736	tasklist.exe
4916	tasklist.exe
1936	tasklist.exe
1924	tasklist.exe
5008	tasklist.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE198C69-7358-4856-9029-F4C0FAD524C1}\TypeLib\ = "{C661BE9A-11D8-47DD-A980-6494B09F3AF3}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}\1.0\ = "Restoro 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Restoro.Engine\ = "Restoro Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ECMASCRIPT AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\AppID = "{9CD2C2AE-A4C8-4DFA-863E-609979849E3A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\TypeLib\ = "{C661BE9A-11D8-47DD-A980-6494B09F3AF3}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C661BE9A-11D8-47DD-A980-6494B09F3AF3}\1.0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\system32\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA827421-E282-479E-AE60-34796877B8AE}\Version\ = "1.0"	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RestoroProtection.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	RestoroProtection.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	RestoroProtection.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	RestoroProtection.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

RestoroProtection.exe

pid	process
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe
608	RestoroProtection.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	4828	tasklist.exe
Token: SeDebugPrivilege	1888	tasklist.exe
Token: SeDebugPrivilege	5008	tasklist.exe
Token: SeDebugPrivilege	4692	tasklist.exe
Token: SeDebugPrivilege	4776	tasklist.exe
Token: SeDebugPrivilege	4540	tasklist.exe
Token: SeDebugPrivilege	3736	tasklist.exe
Token: SeDebugPrivilege	640	tasklist.exe
Token: SeDebugPrivilege	3416	tasklist.exe
Token: SeDebugPrivilege	4916	tasklist.exe
Token: SeDebugPrivilege	4988	tasklist.exe
Token: SeDebugPrivilege	1936	tasklist.exe
Token: SeDebugPrivilege	2456	tasklist.exe
Token: SeDebugPrivilege	1924	tasklist.exe
Token: SeDebugPrivilege	2356	tasklist.exe
Token: SeDebugPrivilege	480	tasklist.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

RestoroApp.exeRestoroMain.exe

pid process

1588 RestoroApp.exe
2404 RestoroMain.exe
1588 RestoroApp.exe
1588 RestoroApp.exe
1588 RestoroApp.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

RestoroApp.exeRestoroMain.exe

pid process

1588 RestoroApp.exe
2404 RestoroMain.exe
1588 RestoroApp.exe
1588 RestoroApp.exe
1588 RestoroApp.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

RestoroMain.exe

pid process

2404 RestoroMain.exe
2404 RestoroMain.exe
2404 RestoroMain.exe
2404 RestoroMain.exe

pid	process
1588	RestoroApp.exe
2404	RestoroMain.exe
1588	RestoroApp.exe
1588	RestoroApp.exe
1588	RestoroApp.exe

pid	process
1588	RestoroApp.exe
2404	RestoroMain.exe
1588	RestoroApp.exe
1588	RestoroApp.exe
1588	RestoroApp.exe

pid	process
2404	RestoroMain.exe
2404	RestoroMain.exe
2404	RestoroMain.exe
2404	RestoroMain.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Restoro.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4416 wrote to memory of 2024	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2024	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2024	4416	Restoro.exe	cmd.exe
PID 2024 wrote to memory of 3036	2024	cmd.exe	sqlite3.exe
PID 2024 wrote to memory of 3036	2024	cmd.exe	sqlite3.exe
PID 2024 wrote to memory of 3036	2024	cmd.exe	sqlite3.exe
PID 4416 wrote to memory of 1720	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 1720	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 1720	4416	Restoro.exe	cmd.exe
PID 1720 wrote to memory of 948	1720	cmd.exe	sqlite3.exe
PID 1720 wrote to memory of 948	1720	cmd.exe	sqlite3.exe
PID 1720 wrote to memory of 948	1720	cmd.exe	sqlite3.exe
PID 4416 wrote to memory of 3420	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 3420	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 3420	4416	Restoro.exe	cmd.exe
PID 3420 wrote to memory of 1052	3420	cmd.exe	sqlite3.exe
PID 3420 wrote to memory of 1052	3420	cmd.exe	sqlite3.exe
PID 3420 wrote to memory of 1052	3420	cmd.exe	sqlite3.exe
PID 4416 wrote to memory of 1464	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 1464	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 1464	4416	Restoro.exe	cmd.exe
PID 1464 wrote to memory of 4828	1464	cmd.exe	tasklist.exe
PID 1464 wrote to memory of 4828	1464	cmd.exe	tasklist.exe
PID 1464 wrote to memory of 4828	1464	cmd.exe	tasklist.exe
PID 4416 wrote to memory of 2932	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2932	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2932	4416	Restoro.exe	cmd.exe
PID 2932 wrote to memory of 1888	2932	cmd.exe	tasklist.exe
PID 2932 wrote to memory of 1888	2932	cmd.exe	tasklist.exe
PID 2932 wrote to memory of 1888	2932	cmd.exe	tasklist.exe
PID 4416 wrote to memory of 3380	4416	Restoro.exe	regsvr32.exe
PID 4416 wrote to memory of 3380	4416	Restoro.exe	regsvr32.exe
PID 4416 wrote to memory of 896	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 896	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 896	4416	Restoro.exe	cmd.exe
PID 896 wrote to memory of 5008	896	cmd.exe	tasklist.exe
PID 896 wrote to memory of 5008	896	cmd.exe	tasklist.exe
PID 896 wrote to memory of 5008	896	cmd.exe	tasklist.exe
PID 4416 wrote to memory of 1744	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 1744	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 1744	4416	Restoro.exe	cmd.exe
PID 1744 wrote to memory of 4692	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 4692	1744	cmd.exe	tasklist.exe
PID 1744 wrote to memory of 4692	1744	cmd.exe	tasklist.exe
PID 4416 wrote to memory of 2356	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2356	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2356	4416	Restoro.exe	cmd.exe
PID 2356 wrote to memory of 4776	2356	cmd.exe	tasklist.exe
PID 2356 wrote to memory of 4776	2356	cmd.exe	tasklist.exe
PID 2356 wrote to memory of 4776	2356	cmd.exe	tasklist.exe
PID 4416 wrote to memory of 1692	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 1692	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 1692	4416	Restoro.exe	cmd.exe
PID 1692 wrote to memory of 3320	1692	cmd.exe	sqlite3.exe
PID 1692 wrote to memory of 3320	1692	cmd.exe	sqlite3.exe
PID 1692 wrote to memory of 3320	1692	cmd.exe	sqlite3.exe
PID 4416 wrote to memory of 2184	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2184	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2184	4416	Restoro.exe	cmd.exe
PID 2184 wrote to memory of 4540	2184	cmd.exe	tasklist.exe
PID 2184 wrote to memory of 4540	2184	cmd.exe	tasklist.exe
PID 2184 wrote to memory of 4540	2184	cmd.exe	tasklist.exe
PID 4416 wrote to memory of 2180	4416	Restoro.exe	cmd.exe
PID 4416 wrote to memory of 2180	4416	Restoro.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Restoro.exe
"C:\Users\Admin\AppData\Local\Temp\Restoro.exe"
1⤵
- Drops file in Windows directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SYSTEM32\regsvr32.exe
regsvr32 /s "C:\Windows\system32\jscript.dll"
2⤵
- Registers COM server for autorun
- Modifies registry class
PID:3380

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroSetup.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroSetup.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq HMA! Pro VPN.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq GeoProxy.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq GeoProxy.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\a5y7taxj.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_country_product_24';"
3⤵
- Executes dropped EXE
PID:3320

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Wireshark.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Wireshark.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4540

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq Fiddler.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
PID:2180

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq Fiddler.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq smsniff.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
2⤵
PID:1140

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq smsniff.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe
"C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe" /GUI=http://www.restoro.com/ui/2106/layout.php?consumer=1&trackutil=&MinorSessionID=8e8a487dce6a47658c8547a7b8&lang_code=en&trial=0&ShowSettings=false "/Location=C:\Users\Admin\AppData\Local\Temp\Restoro.exe" /uninstallX86=TRUE /trackutil= /CookieTracking= /CookieCampaign= /EventUser=New /Update=1 /DownloaderVersion=2100 /RunSilent=false /SessionID=f8188189-b9e8-44d0-8f00-e59efecb830e /IDMinorSession=8e8a487dce6a47658c8547a7b8 /pxkp=Delete /Language=1033 /GuiLang=en /AgentStatus=ENABLED /StartScan=0 /VersionInfo=versionInfo /ShowSettings=true
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
PID:4060

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:2820

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroMain.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:4020

C:\Program Files\Restoro\lzma.exe
"C:\Program Files\Restoro\lzma.exe" "d" "C:\Program Files\Restoro\ax.lza" "C:\Program Files\Restoro\ax.dll"
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:1056

C:\Program Files\Restoro\lzma.exe
"C:\Program Files\Restoro\lzma.exe" "d" "C:\Program Files\Restoro\engine.lza" "C:\Program Files\Restoro\engine.dll"
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:3516

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroAM.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:4200

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroAM.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Restoro\ax.dll"
3⤵
- Loads dropped DLL
PID:2752

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Restoro\ax.dll"
4⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2024

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Restoro\engine.dll"
3⤵
- Loads dropped DLL
PID:1016

C:\Users\Admin\AppData\Local\Temp\nse9DD8.tmp\RestoroUpdater.exe
"C:\Users\Admin\AppData\Local\Temp\nse9DD8.tmp\RestoroUpdater.exe" /S /MinorSessionID=8e8a487dce6a47658c8547a7b8 /SessionID=f8188189-b9e8-44d0-8f00-e59efecb830e /TrackID= /AgentLogLocation=C:\C:\ProgramData\Restoro\bin\results /CflLocation=C:\ProgramData\Restoro\cfl.rei /Install=True /DownloaderVersion=2100 /Iav=False
3⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
PID:2728

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroServiceSetup.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
4⤵
PID:1992

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroServiceSetup.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Users\Admin\AppData\Local\Temp\RestoroServiceSetup.exe
"C:\Users\Admin\AppData\Local\Temp\RestoroServiceSetup.exe" /S /MinorSessionID=8e8a487dce6a47658c8547a7b8 /SessionID=f8188189-b9e8-44d0-8f00-e59efecb830e /Install=true /UpdateOnly=default /InstallPath= /Iav=False /SessionOk=true
4⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
PID:4968

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroScanner.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
5⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroUI.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
5⤵
PID:3128

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroUI.exe"
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Program Files\Restoro\bin\RestoroProtection.exe
"C:\Program Files\Restoro\bin\RestoroProtection.exe" -install
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4836

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroProtection.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:3052

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroProtection.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroApp.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:4932

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroApp.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /TN RestoroActiveProtection /F
3⤵
PID:1796

C:\Program Files\Restoro\bin\RestoroApp.exe
"C:\Program Files\Restoro\bin\RestoroApp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1588

C:\Program Files\Restoro\RestoroMain.exe
"C:\Program Files\Restoro\RestoroMain.exe" http://www.restoro.com/ui/2106/layout.php?consumer=1&trackutil=&MinorSessionID=8e8a487dce6a47658c8547a7b8&lang_code=en&trial=0&ShowSettings=false /Locale=1033
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2404

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroMain.exe"
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\a5y7taxj.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_campaign_product_24';"
1⤵
- Executes dropped EXE
PID:1052

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\a5y7taxj.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_tracking_product_24';"
1⤵
- Executes dropped EXE
PID:948

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\a5y7taxj.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_trackid_product_24';"
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq avupdate.exe"
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Restoro\engine.dll"
1⤵
- Loads dropped DLL
PID:3692

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq RestoroScanner.exe"
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Program Files\Restoro\bin\RestoroProtection.exe
"C:\Program Files\Restoro\bin\RestoroProtection.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:608

C:\Program Files\Restoro\bin\RestoroService.exe
"C:\Program Files\Restoro\bin\RestoroService.exe"
2⤵
- Executes dropped EXE
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Restoro\Restoro.exe

Filesize
248KB

MD5
3aedab160aeeeef6e58bbcf66d40374c

SHA1
89c93ac15b66387e0a1cf93b39c08d2388ee5294

SHA256
526b2092f43e5b1e08b403f60d8c5bc88fae6065c280333b5038928880256609

SHA512
240a8e915415d51605ecef56f31cc9c815f34073e78cb49adb52586db40be553a26865d7d16bbb0acea85a56e1e002d8c1012a12e2fbdf3438bf72767552b191

Download Submit
C:\Program Files\Restoro\RestoroMain.exe

Filesize
9.0MB

MD5
9abd7bdd0c57e5f3c16e522a7c4bf4de

SHA1
03861afadec494c3ab5d54c673ed954aa2e66c87

SHA256
1b171987fbb96d2c70e93f07e143018bf697215b909fb7fd074308772d536fec

SHA512
6dd889f0c826209b510970a39f6453dbcbdba985086e508ea1a65b6baeca7329f4d9a7ca6836710dc872da0fb25913dcc190eb6c4d28ca52ce4d79424f58ccbd

Download Submit
C:\Program Files\Restoro\bin\RestoroApp.exe

Filesize
466KB

MD5
e56f4d33f67c9ac623ce2ff6fb2b7def

SHA1
10b82de69181293d78edad38b25745716fa1d702

SHA256
a698f3cefcd0ff4fe7d9664deed26ac167236ddf62ee4df6a2cf2f29bced1521

SHA512
517e8dc7674530ba24a3afb64267fdbe74e253a60311e71ac11811b240cd6379f8bdfd06999481a2362d7da379ff125498ee2d4a0edf6143e5d5d267d094414a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FJU3EXH4\evt_scan[1].htm

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat

Filesize
255B

MD5
9149ae325cb55aefbfe37e6cffc2a931

SHA1
7b36767b37cc55fb89594b8ae54a1d29ae9829f0

SHA256
282a3190c9e2e404afd51f0a58a6295f30e8a96ba1731975426155359d47aaeb

SHA512
8bebcbcf79e1ab43ffe9eabc3c43c0a6429eeb9249538b48fc86a30fc75027f9ab569dc81ea412e5dfff3ad4672423362fc4447ba976e80c606d1321970c37ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF.bat

Filesize
256B

MD5
82d9fe42f3b9b2c384230295b6b3b9f4

SHA1
77552b985d714c7c78e9026e2c0dcb4050bb1b0d

SHA256
1c9369d9fd736580511b2ab39166ed32a4ec1c6b0287a046fb70a88c70347317

SHA512
299ff16944d95ec6d9c08e260a4440a9477c0b4c0e7be59c22264b29111a802eb5b86b8347cfaa49ef18c3ecd953ddf8e32c98938ce8ccace8a739a75199b134

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallationPixel.txt

Filesize
2B

MD5
6bb61e3b7bce0931da574d19d1d82c88

SHA1
7984b0a0e139cabadb5afc7756d473fb34d23819

SHA256
1bad6b8cf97131fceab8543e81f7757195fbb1d36b376ee994ad1cf17699c464

SHA512
4fcdd8c15addb15f1e994008677c740848168cd8d32e92d44301ea12b37a93fbd9f0a0468d04789e1f387b395509bd3b998e8aad5e02dd2625f0aac661fb1100

Download Submit
C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt

Filesize
64B

MD5
dea052a2ad11945b1960577c0192f2eb

SHA1
1d02626a05a546a90c05902b2551f32c20eb3708

SHA256
943b315e065238b7073b033f534ef954b6b6461fb3f03a3f5b8555b11bc4c0a2

SHA512
5496b10e2a77aee11055d71bdaaed835df1770e85fa4d0f9433330470bbcf76c932c04778a0b47f4193eee14813db2e2b19ecc50b4a6a193faa19b4019705917

Download Submit
C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe

Filesize
1.8MB

MD5
a054e20fa113cebf31d68ec5d172a479

SHA1
59ab79668487427149d51714fd9c7f9eef6b0a0d

SHA256
8eb84c62a051c5a6770475d1389b4c5957102a5a0b9d6e906655685f81509764

SHA512
2f6951518eb7c1a39d275b23b102f2aecda3b4691731d962ab9440dad2d644e800bf796dcf4e2232219e07183c9bf9a12538ae6ddde5abead449a61a352b3785

Download Submit
C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe

Filesize
53KB

MD5
d9016c6c492b4bd721cd095edcf24a7e

SHA1
84e05b99d46ff303cf9110a61a3c42cba8deaa1b

SHA256
87f7ba3c4c7f9fba707ac7142c7f8e9ab3ba4900c0d9a15e2325a5ad2e2bc477

SHA512
16bf44c64cce1915129fc8da0f7e846712c95a1d9d4a315bc258a14d0a0f2d080883ea6d01925ff451432138313553aad0b4b7ccaf1f68e872d879c6c1bbc10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RestoroSetup.exe

Filesize
15KB

MD5
a9b6aa0e1dd4ab415ba438af45d5f0b2

SHA1
fa7b43b4790955a231e86a9e1c7fc7bc946021d4

SHA256
3ccd0499632e48ef5eefe151e2655054d66b2c7533d32133f947f6a6b982378a

SHA512
75b542d6339e331d9d9b31f5ac78b70838e888670ebcfcbe94b5d0667f133cc16ebbad07c5a63aef65182a7ec474cce82b37d32d9e46ca065a521bad7d90d422

Download Submit
C:\Users\Admin\AppData\Local\Temp\conf.res

Filesize
963KB

MD5
de832a8d6f28c11df0498ac43a6541ec

SHA1
511024321dd7fc6638b45ff1ae7e1b05c0735628

SHA256
bbe14d9c250c5bf8538afbaf1cac0be95dbf223b224e1ec2bdbc68740b0b8824

SHA512
44578d0e47cb31fe57c1d73fe9278e5ae272bd37b10b8358a1a46a1137462f1056b756685da830cb9414f1f560d8e424e0b0b6d60d11444098b6b3caba98b60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbC94D.tmp\SimpleSC.dll

Filesize
39KB

MD5
3f1be1321461c7b7a3b4322391c818f0

SHA1
f59b7a1e65f60a446f4355e22f0a10bddec3d21b

SHA256
3d7a8cf88fbed3417ff7bf998188f830c2f52da4e9a36da3edb438310ad1b1cd

SHA512
2f11c28694746ad8dcbd1e04988d682152986f81959a425aab542483872aa5e30eadb36af0838f5301867279687b2c4b6417bd4b93053dcab6a13b6802164bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5E61.tmp

Filesize
256B

MD5
2d9f6f09aeaf8b7f0bc2340dac698cb7

SHA1
2d4f7faa2de4c73c7bb34aa33053f1cc5de48c15

SHA256
94048ba2ccaeb4ce28ca4d59add1908b2c1c84baead31f08255a0f992d48a8b9

SHA512
23bce6221c59a04ba960f032464283292e47bb74ec18a29a9f046f094df4aa86e55c6ae4e9df18a50550beaa40dc2c26790cb8c0a8aec6c61d1a4643392bf521

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9DD8.tmp\DcryptDll.dll

Filesize
76KB

MD5
d717930f88aa6bb327eb1669a11ead46

SHA1
a27699458cf8a861fff9a7d11883b1d44ca56b4f

SHA256
98c75d7612afffd9354d5c89fe3c733f7ffcc14518ee7f0223a4336085359181

SHA512
699164d9eb5f760cccfbd1120d56a48bff69d0819738d110a7bfd663872d1c39491222d16e6c28022050a7186ee321ffba76e2d4c7e5f16f908827e6ef3ca3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9DD8.tmp\installer-164x314.bmp

Filesize
152KB

MD5
fb40cbe9c201ec7733ad386de811c69b

SHA1
499a12bdad66923b2851036eaefc5719c9692470

SHA256
3273cce2642e3c737671705a4cd8f4191d0e231fd111c29e8de97f0bbad86374

SHA512
72784ce3fba5a8a3055e21887f57253f831f736fd0beec3f6d9acb637f4a89f8e81dfc397bde773474a28b4581ecc87707c4a23ba34f79efb2062b884b0f2adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9DD8.tmp\modern-header.bmp

Filesize
88KB

MD5
53cc49764910d21e27b75d1a90215445

SHA1
a40b6fa9c210ebbb89ecf572d02db2e1d34f60de

SHA256
5a773d0d991920c5add73c49eec8b0a63dbfd99178c4faea311f2feef322c390

SHA512
58cfead2f2028740d0d64c2c03e3ecca30342229bef9dd148aba4602e18da560b1e8184d8a3c4b0a8e70b7ba2a288f3de846bc561879e881b948ceb857324022

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh8C19.tmp

Filesize
255B

MD5
d2780bd292a64be8cfcc6ac85e7a0ed2

SHA1
9d0142b5d90c9a6c402307b27c7d7dffff75354a

SHA256
29bd81638608bc000cc825481de92e08fdec42ebfcf3635b670cd39ae187bd97

SHA512
2dd58f6ba340abff6f236f6a9ff05e447704440ecc49febbfbd1f190a706a8c26ea0213b68b27e9c1221b68a6c1708bc45990a0e09cae4d46c875d4c761a7162

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssB353.tmp\AccessControl.dll

Filesize
8KB

MD5
65d017ba65785b43720de6c9979a2e8c

SHA1
0aed2846e1b338077bae5a7f756c345a5c90d8a9

SHA256
ccc6aaf1071d9077475b574d9bf1fc23de40a06547fc90cf4255a44d3bf631ac

SHA512
31a19105892d5a9b49eb81a90a2330c342a5504fa4940b99a12279a63e1a19ee5d4b257d0900794ff7021a09408995a5d12e95cc38f09cf12fb2fd860d205c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\Banner.dll

Filesize
3KB

MD5
e264d0f91103758bc5b088e8547e0ec1

SHA1
24a94ff59668d18b908c78afd2a9563de2819680

SHA256
501b5935fe8e17516b324e3c1da89773e689359c12263e9782f95836dbab8b63

SHA512
a533278355defd265ef713d4169f06066be41dd60b0e7ed5340454c40aabc47afa47c5ce4c0dbcd6cb8380e2b25dbb1762c3c996d11ac9f70ab9763182850205

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\LogEx.dll

Filesize
44KB

MD5
0f96d9eb959ad4e8fd205e6d58cf01b8

SHA1
7c45512cbdb24216afd23a9e8cdce0cfeaa7660f

SHA256
57ede354532937e38c4ae9da3710ee295705ea9770c402dfb3a5c56a32fd4314

SHA512
9f3afb61d75ac7b7dc84abcbf1b04f759b7055992d46140dc5dcc269aed22268d044ee8030f5ea260bbb912774e5bbb751560c16e54efa99c700b9fc7d48832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\System.dll

Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\UserInfo.dll

Filesize
4KB

MD5
c7ce0e47c83525983fd2c4c9566b4aad

SHA1
38b7ad7bb32ffae35540fce373b8a671878dc54e

SHA256
6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

SHA512
ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\inetc.dll

Filesize
31KB

MD5
5da9df435ff20853a2c45026e7681cef

SHA1
39b1d70a7a03e7c791cb21a53d82fd949706a4b4

SHA256
9c52c74b8e115db0bde90f56382ebcc12aff05eb2232f80a4701e957e09635e2

SHA512
4ab3b1572485a8a11863adada2c6ec01e809a4b09f99d80903c79a95b91f299b8f2cd6cceaa915567e155a46291a33fb8ccb95141d76d4e7b0e040890d51d09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\nsDialogs.dll

Filesize
9KB

MD5
4ccc4a742d4423f2f0ed744fd9c81f63

SHA1
704f00a1acc327fd879cf75fc90d0b8f927c36bc

SHA256
416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

SHA512
790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\rCrypt.dll

Filesize
283KB

MD5
b5887aa9fa99286a1b0692047a4bd24d

SHA1
d3d72b7516000788a749d567fb4dfb17e15d43a1

SHA256
9207951ffbe8e7633def52bac1d8923336874534a99ad1815d5eb64c83161bf8

SHA512
cd8f9179f741a7976d5f47b070b52a260c469500881a01a20be0929d3b6ea35c38476c19a19804f55c6f3d4c19eedd617c71ddc9bd8077f9b772a7ba30e59a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\rCrypt.dll

Filesize
54KB

MD5
bc7c0f195233cf7b5f7826775e988275

SHA1
db91ee37916587a50e273b8f19d12d288c45f092

SHA256
343aaae6532f990711265f96e30f89eb5c70aadc0f626a721de9a8809e81bc19

SHA512
432a85a60f6a0e3597585713450ba0cad0d5dbe5ff2bd16c1fa8dd5bd39fb0817d54f10807a929e1e1cb5da7eefcb4ecf00ce672b6ee32c55eee68cc32315161

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\stack.dll

Filesize
10KB

MD5
867af9bea8b24c78736bf8d0fdb5a78e

SHA1
05839fad98aa2bcd9f6ecb22de4816e0c75bf97d

SHA256
732164fb36f46dd23dafb6d7621531e70f1f81e2967b3053727ec7b5492d0ae9

SHA512
b7f54d52ff08b29a04b4f5887e6e3ae0e74fa45a86e55e0a4d362bc3603426c42c1d6a0b2fc2ef574bec0f6c7152de756ff48415e37ae6a7a9c296303562df4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\stack.dll

Filesize
1KB

MD5
be5a054df9c0bb08addca41ece59408d

SHA1
e939fb378d31d1ac8a92359791ef9cc6314f0a1d

SHA256
567a135dc1a28dc85cde04e442f60d8f0b3f125733f049c8a7775d9579b3f932

SHA512
fdb42811880f87436a365f5258eaa01435fff28e7cf4d2f28724e58971d408518107b68ed297e95c99d86d21ad7e9c8c1d11b178e48516fb82395510a1d67475

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst5C99.tmp\xml.dll

Filesize
182KB

MD5
ebce8f5e440e0be57665e1e58dfb7425

SHA1
573dc1abd2b03512f390f569058fd2cf1d02ce91

SHA256
d1aaacc0aaf477b6b9f084697adcb444fc2333b32e8d99d224dca89516e762a7

SHA512
4786c9124973b6543d7291047d4c4a06c05282a3766212dbd3b8ce9b9560afddca20c491f791db2258c14ab767d5d3f480daa4706492949eae2ceb4a35aaef85

Download Submit
C:\Users\Admin\AppData\Local\Temp\restoro-version.xml

Filesize
1KB

MD5
3f95dce786911887a63ec462b3cc57e4

SHA1
baa8080b5be03d19e5808fb7a781574b0682991d

SHA256
b648f504649e83c47c592212f8be7d13e24ce1d06449f8bc7af02f7594dc5f66

SHA512
213665215a52ee8640c98969fde5042e67f2cb953318bcca0f398db27237fe40a9ce8e8669b0ead07ee605595cdc1295697bc95865bda04880692a1704e5f28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

Filesize
420KB

MD5
09232fa8bed6fd47bac0856ee1cb37ee

SHA1
fb596fc3417f32cea50ffceb38e3c166139bf9ea

SHA256
62f473cb420b73d8bcd4e5156107050af09b9867f149c1bdb7bcc7d56f81d3a0

SHA512
8ca7655db69f740f6195779a47d8e7d1f2188810d6f8697b6ea7ca8d3e88cc34067b083c7a06e6948b3864ded5f33407285acc5585975a393d89df127ed1a57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

Filesize
477KB

MD5
91cdcea4be94624e198d3012f5442584

SHA1
fab4043494e4bb02efbaf72bcca86c01992d765c

SHA256
ca4c0f1ec0ccbc9988ea3f43ff73fe84228ffb4d76baddc386051dffe7ddd8c2

SHA512
74edd1e31517acaf4d367521df84e17bda0a60743852076bc2edbd9e634c810fb98a06b29562237dfd61fb98fec0e379c3ce5a86b361ed0f2594d10c1a93c11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.exe

Filesize
369KB

MD5
01804a6350b8febcdeed1190d8d9100b

SHA1
25c1225f771986c9e3ebc9b9543aa02208255da5

SHA256
dcc604c7895b26b9b0d422d1459e7af4ef34afc46851c318195f805045afe3c0

SHA512
7a1fd61309b18a0feaf7bdbf03d61eb8f6cbf20c7f7a7d00997ac299b7e761980fae3741e20d74b1c77ac0dc3fadefe0ec43dc05c0f7d7acf8fb7ec5c80086bd

Download Submit
C:\Windows\restoro.ini

Filesize
110B

MD5
1ba63c7629914eb6b0f344d06fc595fb

SHA1
18c0fb8f7f990fce6bb8518a6cea68ae4e1f4ebe

SHA256
02bef266fe35fcf352fe7a8599076b368a364080a131344f51a14e370c160740

SHA512
be8113d02ed2aa2de96738d6a1ef2801d604a55e465fdf6beecab7636ee3292bc202479b4b9ec747d3fd387c4e99b1670a5316baed5d782bdbf8faea9bc9d78d

Download Submit
memory/948-58-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1052-73-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2728-416-0x0000000002D60000-0x0000000002D6B000-memory.dmp

Filesize
44KB

Download
memory/2728-396-0x0000000074260000-0x000000007426B000-memory.dmp

Filesize
44KB

Download
memory/3036-43-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3320-211-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4060-592-0x0000000005410000-0x000000000541B000-memory.dmp

Filesize
44KB

Download
memory/4060-611-0x00000000069F0000-0x00000000069FB000-memory.dmp

Filesize
44KB

Download
memory/4416-90-0x0000000005280000-0x000000000528B000-memory.dmp

Filesize
44KB

Download
memory/4416-232-0x00000000052A0000-0x00000000052F9000-memory.dmp

Filesize
356KB

Download
memory/4416-144-0x0000000004EA0000-0x0000000004EAB000-memory.dmp

Filesize
44KB

Download
memory/4416-115-0x0000000004E60000-0x0000000004E6B000-memory.dmp

Filesize
44KB

Download
memory/4968-517-0x0000000002850000-0x000000000285B000-memory.dmp

Filesize
44KB

Download