dcrat | a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

Analysis

max time kernel
304s
max time network
306s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
Size

238KB
MD5

8c20d9745afb54a1b59131314c15d61c
SHA1

1975f997e2db1e487c1caf570263a6a3ba135958
SHA256

a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1
SHA512

580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7
SSDEEP

3072:ZWTAKLhXk2EYjcc9ct9cccX83bNryx6mshaIX7x5XIJG:lKL9EYjF9JccM3RdLwc3I

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exea613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exeE957.exeschtasks.exe

pid	process
2848	schtasks.exe
1332	schtasks.exe
1628	schtasks.exe
396	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\be70e527-c4d0-40a6-a0b6-da5418c70436\\E957.exe\" --AutoStart"	E957.exe
2248	schtasks.exe

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2228-112-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/2148-113-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2148-116-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2148-117-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2148-274-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1880-33-0x0000000001D70000-0x0000000001E8B000-memory.dmp	family_djvu
behavioral1/memory/364-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-42-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/364-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-73-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-74-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-88-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-92-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-94-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-95-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-118-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2028-129-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2816-490-0x0000000002B90000-0x000000000347B000-memory.dmp	family_glupteba
behavioral1/memory/2816-496-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2816-578-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2816-603-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3068-626-0x0000000002AC0000-0x00000000033AB000-memory.dmp	family_glupteba
behavioral1/memory/3068-627-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3068-638-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1312-658-0x0000000002A80000-0x000000000336B000-memory.dmp	family_glupteba
behavioral1/memory/1312-659-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1312-780-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c53cfff621a84792162f70e790980e38.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\c53cfff621a84792162f70e790980e38.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	c53cfff621a84792162f70e790980e38.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
432	bcdedit.exe
1104	bcdedit.exe
2752	bcdedit.exe
1268	bcdedit.exe
368	bcdedit.exe
2700	bcdedit.exe
2308	bcdedit.exe
936	bcdedit.exe
1184	bcdedit.exe
756	bcdedit.exe
2076	bcdedit.exe
2364	bcdedit.exe
1296	bcdedit.exe
1176	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2772 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Deletes itself 1 IoCs

Processes:

pid process

1260

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
2772	netsh.exe

pid	process
1260

Executes dropped EXE 35 IoCs

Processes:

D24D.exeE957.exeE957.exeE957.exeE957.exebuild2.exebuild2.exebuild3.exebuild3.exe6EFB.exe7A50.exe97FE.exeInstallSetup3.exeBroomSetup.exeapril.exec53cfff621a84792162f70e790980e38.exeapril.tmpnszA1DD.tmpmstsca.exewebsocketconnectionroutine.exewebsocketconnectionroutine.exemstsca.exec53cfff621a84792162f70e790980e38.execsrss.exepatch.exeinjector.exedsefix.exemstsca.exewindefender.exewindefender.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
1060	D24D.exe
1880	E957.exe
364	E957.exe
2184	E957.exe
2028	E957.exe
2228	build2.exe
2148	build2.exe
2360	build3.exe
2728	build3.exe
2512	6EFB.exe
1744	7A50.exe
2092	97FE.exe
812	InstallSetup3.exe
3056	BroomSetup.exe
1592	april.exe
2816	c53cfff621a84792162f70e790980e38.exe
2468	april.tmp
2880	nszA1DD.tmp
2072	mstsca.exe
2964	websocketconnectionroutine.exe
636	websocketconnectionroutine.exe
1532	mstsca.exe
3068	c53cfff621a84792162f70e790980e38.exe
1312	csrss.exe
1080	patch.exe
1332	injector.exe
1096	dsefix.exe
2496	mstsca.exe
2400	windefender.exe
2392	windefender.exe
1084	mstsca.exe
1072	mstsca.exe
2876	mstsca.exe
2900	mstsca.exe
856	mstsca.exe

Loads dropped DLL 51 IoCs

Processes:

E957.exeE957.exeE957.exeE957.exeWerFault.exeWerFault.exe97FE.exeInstallSetup3.exeapril.exeapril.tmpc53cfff621a84792162f70e790980e38.exenszA1DD.tmppatch.execsrss.exe

pid	process
1880	E957.exe
364	E957.exe
364	E957.exe
2184	E957.exe
2028	E957.exe
2028	E957.exe
2028	E957.exe
2028	E957.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2008	WerFault.exe
2092	97FE.exe
812	InstallSetup3.exe
812	InstallSetup3.exe
2092	97FE.exe
2092	97FE.exe
2092	97FE.exe
1592	april.exe
2468	april.tmp
2468	april.tmp
2468	april.tmp
2468	april.tmp
812	InstallSetup3.exe
812	InstallSetup3.exe
812	InstallSetup3.exe
2468	april.tmp
3068	c53cfff621a84792162f70e790980e38.exe
3068	c53cfff621a84792162f70e790980e38.exe
2880	nszA1DD.tmp
2880	nszA1DD.tmp
868
1080	patch.exe
1080	patch.exe
1080	patch.exe
1080	patch.exe
1080	patch.exe
1312	csrss.exe
812	InstallSetup3.exe
1080	patch.exe
1080	patch.exe
1080	patch.exe
1312	csrss.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1908 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1908	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2400-824-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2392-825-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 152.89.198.214

description	ioc
Destination IP	152.89.198.214

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c53cfff621a84792162f70e790980e38.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\c53cfff621a84792162f70e790980e38.exe = "0"	c53cfff621a84792162f70e790980e38.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c53cfff621a84792162f70e790980e38.execsrss.exeE957.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\be70e527-c4d0-40a6-a0b6-da5418c70436\\E957.exe\" --AutoStart"	E957.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.2ip.ua
28 api.2ip.ua
43 api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
27	api.2ip.ua
28	api.2ip.ua
43	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

E957.exeE957.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 1880 set thread context of 364	1880	E957.exe	E957.exe
PID 2184 set thread context of 2028	2184	E957.exe	E957.exe
PID 2228 set thread context of 2148	2228	build2.exe	build2.exe
PID 2360 set thread context of 2728	2360	build3.exe	build3.exe
PID 2072 set thread context of 1532	2072	mstsca.exe	mstsca.exe
PID 2496 set thread context of 1084	2496	mstsca.exe	mstsca.exe
PID 1072 set thread context of 2876	1072	mstsca.exe	mstsca.exe
PID 2900 set thread context of 856	2900	mstsca.exe	mstsca.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

c53cfff621a84792162f70e790980e38.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN c53cfff621a84792162f70e790980e38.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	c53cfff621a84792162f70e790980e38.exe

Drops file in Windows directory 5 IoCs

Processes:

c53cfff621a84792162f70e790980e38.exemakecab.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	c53cfff621a84792162f70e790980e38.exe
File created	C:\Windows\rss\csrss.exe	c53cfff621a84792162f70e790980e38.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240204074512.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2784 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2320 2148 WerFault.exe build2.exe
2008 2512 WerFault.exe 6EFB.exe

pid	process
2784	sc.exe

pid	pid_target	process	target process
2320	2148	WerFault.exe	build2.exe
2008	2512	WerFault.exe	6EFB.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exeD24D.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D24D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D24D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D24D.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nszA1DD.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nszA1DD.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nszA1DD.tmp

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

396 schtasks.exe
2248 schtasks.exe
2848 schtasks.exe
1332 schtasks.exe
1628 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

652 timeout.exe

pid	process
396	schtasks.exe
2248	schtasks.exe
2848	schtasks.exe
1332	schtasks.exe
1628	schtasks.exe

pid	process
652	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

windefender.exec53cfff621a84792162f70e790980e38.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	c53cfff621a84792162f70e790980e38.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	c53cfff621a84792162f70e790980e38.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windefender.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exepatch.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe

pid	process
2212	a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
2212	a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exeD24D.exe

pid process

2212 a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
1060 D24D.exe

pid	process
464

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

c53cfff621a84792162f70e790980e38.execsrss.exesc.exe

description	pid	process
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeDebugPrivilege	2816	c53cfff621a84792162f70e790980e38.exe
Token: SeImpersonatePrivilege	2816	c53cfff621a84792162f70e790980e38.exe
Token: SeSystemEnvironmentPrivilege	1312	csrss.exe
Token: SeSecurityPrivilege	2784	sc.exe
Token: SeSecurityPrivilege	2784	sc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

april.tmp

pid process

1260
1260
2468 april.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1260
1260
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

3056 BroomSetup.exe

pid	process
1260
1260
2468	april.tmp

pid	process
1260
1260

pid	process
3056	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

E957.exeE957.exeE957.exeE957.exebuild2.exebuild3.exe

description	pid	process	target process
PID 1260 wrote to memory of 1060	1260		D24D.exe
PID 1260 wrote to memory of 1060	1260		D24D.exe
PID 1260 wrote to memory of 1060	1260		D24D.exe
PID 1260 wrote to memory of 1060	1260		D24D.exe
PID 1260 wrote to memory of 1880	1260		E957.exe
PID 1260 wrote to memory of 1880	1260		E957.exe
PID 1260 wrote to memory of 1880	1260		E957.exe
PID 1260 wrote to memory of 1880	1260		E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 1880 wrote to memory of 364	1880	E957.exe	E957.exe
PID 364 wrote to memory of 1908	364	E957.exe	icacls.exe
PID 364 wrote to memory of 1908	364	E957.exe	icacls.exe
PID 364 wrote to memory of 1908	364	E957.exe	icacls.exe
PID 364 wrote to memory of 1908	364	E957.exe	icacls.exe
PID 364 wrote to memory of 2184	364	E957.exe	E957.exe
PID 364 wrote to memory of 2184	364	E957.exe	E957.exe
PID 364 wrote to memory of 2184	364	E957.exe	E957.exe
PID 364 wrote to memory of 2184	364	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2184 wrote to memory of 2028	2184	E957.exe	E957.exe
PID 2028 wrote to memory of 2228	2028	E957.exe	build2.exe
PID 2028 wrote to memory of 2228	2028	E957.exe	build2.exe
PID 2028 wrote to memory of 2228	2028	E957.exe	build2.exe
PID 2028 wrote to memory of 2228	2028	E957.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2228 wrote to memory of 2148	2228	build2.exe	build2.exe
PID 2028 wrote to memory of 2360	2028	E957.exe	build3.exe
PID 2028 wrote to memory of 2360	2028	E957.exe	build3.exe
PID 2028 wrote to memory of 2360	2028	E957.exe	build3.exe
PID 2028 wrote to memory of 2360	2028	E957.exe	build3.exe
PID 2360 wrote to memory of 2728	2360	build3.exe	build3.exe
PID 2360 wrote to memory of 2728	2360	build3.exe	build3.exe
PID 2360 wrote to memory of 2728	2360	build3.exe	build3.exe
PID 2360 wrote to memory of 2728	2360	build3.exe	build3.exe
PID 2360 wrote to memory of 2728	2360	build3.exe	build3.exe
PID 2360 wrote to memory of 2728	2360	build3.exe	build3.exe
PID 2360 wrote to memory of 2728	2360	build3.exe	build3.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe
"C:\Users\Admin\AppData\Local\Temp\a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2212

C:\Users\Admin\AppData\Local\Temp\D24D.exe
C:\Users\Admin\AppData\Local\Temp\D24D.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1060

C:\Users\Admin\AppData\Local\Temp\E957.exe
C:\Users\Admin\AppData\Local\Temp\E957.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\E957.exe
C:\Users\Admin\AppData\Local\Temp\E957.exe
2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\be70e527-c4d0-40a6-a0b6-da5418c70436" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1908

C:\Users\Admin\AppData\Local\Temp\E957.exe
"C:\Users\Admin\AppData\Local\Temp\E957.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\E957.exe
"C:\Users\Admin\AppData\Local\Temp\E957.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build2.exe
"C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build2.exe
"C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 1476
7⤵
- Loads dropped DLL
- Program crash
PID:2320

C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build3.exe
"C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build3.exe
"C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build3.exe"
6⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- DcRat
- Creates scheduled task(s)
PID:2848

C:\Users\Admin\AppData\Local\Temp\6EFB.exe
C:\Users\Admin\AppData\Local\Temp\6EFB.exe
1⤵
- Executes dropped EXE
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:2008

C:\Users\Admin\AppData\Local\Temp\7A50.exe
C:\Users\Admin\AppData\Local\Temp\7A50.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Temp\97FE.exe
C:\Users\Admin\AppData\Local\Temp\97FE.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092

C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:812

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3056

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
PID:1456

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:1332

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\nszA1DD.tmp
C:\Users\Admin\AppData\Local\Temp\nszA1DD.tmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nszA1DD.tmp" & del "C:\ProgramData\*.dll"" & exit
4⤵
PID:2848

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:652

C:\Users\Admin\AppData\Local\Temp\april.exe
"C:\Users\Admin\AppData\Local\Temp\april.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592

C:\Users\Admin\AppData\Local\Temp\is-GQ430.tmp\april.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GQ430.tmp\april.tmp" /SL5="$A015C,7683695,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2468

C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe
"C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe" -i
4⤵
- Executes dropped EXE
PID:2964

C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe
"C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe" -s
4⤵
- Executes dropped EXE
PID:636

C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
"C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
"C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:3024

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2772

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1080

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1104

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2752

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:1268

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:368

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2700

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2308

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:936

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:1184

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:756

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:2076

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2364

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1296

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1332

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:1176

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2248

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:2400

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:1504

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\taskeng.exe
taskeng.exe {E2E187D4-B1E2-4C5E-B2F6-42B64DFC485A} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]
1⤵
PID:284

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2072

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1532

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:1628

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2496

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1084

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1072

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2876

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2900

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:856

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204074512.log C:\Windows\Logs\CBS\CbsPersist_20240204074512.cab
1⤵
- Drops file in Windows directory
PID:788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16718146942107315938-1932496848-1583011448649724950-6950576751404821607-193653357"
1⤵
PID:1456

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
3769f53ac22cdf6658c874805d9983a5

SHA1
53ba470f9cd12bbfde1d1149bcad0029e0f8a84f

SHA256
87ec66df2ed0afbd05a6094ba5ad5bc5b3ef6807828d00323b1addb6addd1c17

SHA512
56ce76ea6aeaaafac14128912b31e12a16a2ca85b97ece7f3034bea5ca3b249c0cfe974b2823f35d38c46d6b3faa7278732b183a86c85f469c422384f08f2925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
ef0abc329c70e541a9a19ba971615338

SHA1
526bedf50f8820089d84fd59d51163dd2f1ad7e3

SHA256
a1d8681c9359dcbafd1015a23206621a5174741b42a86d58aea1e2c192f8b39a

SHA512
50309c0290a40454c515ba129366a29c3e98667d355673e774030e937a6ec829e4f64fcbfb037c4cabd31e28b4af58f46c5384cf25ac9155013ae4ad88822e39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a416dc487daa2a138ab85e595662c2bc

SHA1
1b9a6feddd62564ac3ac3725f16fcf710e98a338

SHA256
03434454b93e067848d7a69150f10936c1e8a7ba650ef4a89ed41b60794604dd

SHA512
c8338763bf3783e710005d2251de0eab456b5a9f4dbb54fb5a1c3d823f699f440d6b97dc2c94743deb45a50385561d4298c4b08a28129f2b8c542f5c1b003625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4febceef1c2d401d8c4aeff378246f05

SHA1
22b837287398f6703c1653fe51471482bff482a5

SHA256
e51133b7313015fb7569c95c2e363e6e57bdc0db03ae5fbad08f0b4f2854ed42

SHA512
0018c8fd6c69fba6a7eb73bc7788bce9456cfd9f577f2f473278829eeea8c232af03cfb0ede21b9f854822c3fc326e970e7e617e4ad2feed19fd9c162a4cbb36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
81d711bd4701a1b69a007ec71cac8372

SHA1
b89686e9029157068957025db95bc69524207e97

SHA256
d73bfecd2041de59fcde7425768e864ceef900d62f8a0e020f5d2b941e8f147d

SHA512
ec07602127a4786ea26f8b5e5a761b63b99e31a6e7e42c595fc2480ce9c133f4e109818a15e1e3d0cc74a87c2e8e9af4364d91459378b488be4e124045f95fb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
ce6e790cf9fa196d82f8b7b1dd61a80c

SHA1
b2e820309ddefedd1ffeba423c6062f5f27582d7

SHA256
bf3f0956fd5221fc350778b38f3fab4231ea7ff364beb00ea4f736a3b86f8a44

SHA512
0e107013ef4e658bd2dbecb84f487817567b3eb416e9e97e2f68e07d3d8cf627fe76334b62c0b461330b4b0fd202e2d1be7f854f913f0cdc192a95c56848c3c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
b712318700cbb1a49926401fbab521c1

SHA1
219c6a6fb88da180098d234026105110b4304947

SHA256
88fcbfb84d26e0f6ab01eaa9f5d859e5d916d5196ad0097bdb1ee451e207f729

SHA512
1055a1f84f462438470df0956acc8f4a78819e323856448c3778271fae265cfeaf5a1da459f57fda32c11d67fd946ae95e06cd4d8eda4dbc288dd72c2b3bc4bd

Download Submit
C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build2.exe
Filesize
138KB

MD5
736d0158fdd55f6e5b13dafb325c427b

SHA1
0c535f7ee36b5d360d124c9452f0018ca1c25a24

SHA256
547b9a18786bfc9ca22bf5923fc9fbe53ceee6663672b8ac8d19192cc0cf6e51

SHA512
8701dd2c52a9a796db49695bae4ae4581ea8a27bb447620c442a679a1b09f01a239321552bbe20a633286fdd61d2383dc6d82a9fa584c6eba0645e85b3e22e3c

Download Submit
C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build2.exe
Filesize
18KB

MD5
719cdad8bad90a32e2fee1be49f72168

SHA1
269653e6e5f8b8923965461f89f541392fa0b461

SHA256
29dc0c0838dfd5b672acd3fe9a0f4ab353b991d5568b5ffac4b0483c5e98aeb3

SHA512
a3914d735c5e103bd254fd5e00c7327016b1a37a6973846a8d4f6805969d37505041cdb2b377550da1e6ec3ccc41548f61b5eb8f0eba5a4b35d7985d15373994

Download Submit
C:\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EFB.exe
Filesize
6.0MB

MD5
95e59305ad61119cf15ee95562bd05ba

SHA1
0f0059cda9609c46105cf022f609c407f3718e04

SHA256
dd87f94c961b9612bbd65761bee6ed15318d63652f262e2c425bd177a2341a19

SHA512
5fbcfe79162460080e0c3944df747835f0b8f2cdb35b038eb69eadf2eb85a209f7d5432a328d0f0eeafba036012f48793e3c08d94531b98a12a498bcf3b00ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A50.exe
Filesize
1.3MB

MD5
6543dfd527080cd599e8905c90903b33

SHA1
2e4acc0fa59d8fd5cf6ce164add913216a69ed01

SHA256
a58bc51e98ea724efade706eac4e09fec449312f0ba08362560d551324d179e6

SHA512
3f176226f5b2b2030769a2600566976cb9db79d2072d254e1e9dfe2d4474bcaab75d3929a9d6051cf7b4bb478d9ab292c9adb5690ca3bef63058939c60f64589

Download Submit
C:\Users\Admin\AppData\Local\Temp\7A50.exe
Filesize
456KB

MD5
b9a6c6af5b24760ad8471fdc314a884e

SHA1
d29a52dacee5484170c5d4ef228a94a33c96a585

SHA256
7b3ad9681ee302bef6cb8d36a068461602a17442207829c44cac73a468a9c6fb

SHA512
8d9b35556572252bf616ba6850fa66ca2fab710b5f3c6e59e18dcbe4c8f069dda387c29ecd888695c4ebbc77a9329eb9d806e9d7c25abc47f8fdc528aae9a615

Download Submit
C:\Users\Admin\AppData\Local\Temp\97FE.exe
Filesize
3.8MB

MD5
e17b6fb84223321bc9f32de4cf9b15ad

SHA1
883628fda6e9d33e1c129ae643e0722faa9f89ac

SHA256
869f7460c3aa42767ae259115e877c0c88f809934b3fcb3149f03642d8654bd3

SHA512
676bd563e95362696a0890c013b9254f0ef57400bddcb5c44dcd8dfd3585bce7200d7adfe0f29aecc42b57d8c1fdcf347627e4e3977f8fe749bf80f1010da193

Download Submit
C:\Users\Admin\AppData\Local\Temp\97FE.exe
Filesize
3.9MB

MD5
34b273bb350134bbcf664b51ee0f9486

SHA1
287b6f3674de18a743e1f905af97b8293d57f0ed

SHA256
b2dd1aeae57f632f04347452c901a59c6b94ebf3b833a16f64193443ea5144ff

SHA512
eba2afe683880f096150e6a2ebe0f196aa87505131652720b0df9ee519621df2958220c2c1fb171fead570659ee7d8bd1e36966fabae5e2d0f57b56cc0881fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
1.3MB

MD5
ab8f0a02292519e3e2a29fd4eeb9c184

SHA1
b169151277ccfced26c1b62664b0bace27c23277

SHA256
91ad60457db009b0a9dfe108ae8953c544040ad3e08d84fb51c7e997b66c3860

SHA512
9ba5c580d5dc81206e202fd16908b67f3a2b24c2481c657ef56c6b01d2fa0e9bfe9e6cffedf99e5a4b5fb0a92e69700ace87f29c6f1bdc9453c6c31eb5121bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6DD.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D24D.exe
Filesize
238KB

MD5
8c20d9745afb54a1b59131314c15d61c

SHA1
1975f997e2db1e487c1caf570263a6a3ba135958

SHA256
a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

SHA512
580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E957.exe
Filesize
819KB

MD5
7fbb43e45972770463e5a905f997960d

SHA1
af53adbdb6dc3ac0636f4874e384aa7bfd423ac4

SHA256
13040cfe161bb47fe3e62a56cf808eef602a989830ff0e3e32714e933fa72b5e

SHA512
6bbd40d8bb8c1ffeaa5ca0d8e3940daa03a0df68c4aecb5d90a73c0880ed8cfce758ac83f26bbd2d79b42bb61273590c2335344c564b5e972bebb7100653d8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
Filesize
1.8MB

MD5
b8804e3278e9e8686e616f967a27fe1e

SHA1
32fc9930c5b2495a9d0cd804fdf3c741b3ed3efb

SHA256
6361382c1a7f0145cce0c6f5f73286c872f3e5bc0bb911b84ddc8253fac8bb33

SHA512
5ae8b34e2638d76e78da01a007c2bd1a55afb64c83e44c852cf528b36e7432e31466a00efca9e068bb5b9305c703469ea2713fb450727560cfe2791639a3d2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
Filesize
1.1MB

MD5
65d16ebe4f5e9ac48ec68fb703ce40d8

SHA1
651589742968a4b49a892a760cf4a4069a2c27fc

SHA256
002812746896aa50235dcf1b76515888b8f89d644ea10bd012609aff4dca6f95

SHA512
78616a59eeff2b229ef589b847794c9e40d7bb235b360602b059843c7549b6be46e10040f18f94fd250deeebeffdad9615ef3c30da7da54cb604cc11e3e44d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCCE.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe
Filesize
1.8MB

MD5
6ba94086a3c9d4d5b7b140e200967450

SHA1
5fe34a105b61d787ab00f71d9b362cd661542531

SHA256
e2efa96b98fe194f89c5fdef5327b42fadef64f329db6d71e65758ba871a46cc

SHA512
cd62714bef0e223d8bd10c710214980d877ca1c0d76dba449c92a04c6126d87810b3d9516f505d873b906dda850a11f24961ca1fb6237882f7e2769d8998aa4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe
Filesize
2.1MB

MD5
195e236aeb9a982d90fa706a83bc5ebd

SHA1
9dad21c656de08d3b0819090cfd9d5218dd383af

SHA256
d50f9064943e978cecbe800d0c16a1534177d620e27f35c8289a6f7d063ae6c5

SHA512
23812c81ec761f4a0baf9550493aad6810693b3d1374da3bd5b6972d60fcbce9eed426d079183e0953d2449d1c911567b192ddbaba6d728340f35f5c0906e058

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
Filesize
1.7MB

MD5
ee917f896964cbab9cd339bb3aed565a

SHA1
30285dc7efa3cdb10917f3027f9c20872af8cac2

SHA256
065fbaec252e7394a5c684d73af327b417ec3695c7dd830f5936db86906317b3

SHA512
2baa018f795a7ec33832cd2488407dffb725b08a562d06c32ed553a9f4f5f93bb68672a596648b8264185dc5de7d76471b4476d96fd3c1c9afee9a95a6b7590f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
Filesize
1.6MB

MD5
99ebada947974225bd3f2f993f3fd9d2

SHA1
26a2ceb747e2de8db76e52465dfd4ee29ba70c3e

SHA256
212be2d03ffc8e15eabeaea23384289c7c85b36ab346b18a4f4fc533393df878

SHA512
3865203389b2f288a262a649aa7c7788f8a52d651d4ae0323f11b2c5b2b8d2a2c8265b3161fea88c0c0440985eb3beef51b2fd2787cf8ffec628905cd47d272f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA1DD.tmp
Filesize
294KB

MD5
627ffd31a7c7b86d813cb8b853c45374

SHA1
e961a97c49e318960ea073998629f9ccec0ac8e1

SHA256
04934437e59c31551119638b9d181bad27c3a5092fe409d0cdcc1769edafb825

SHA512
6bfc8d97bcfe2519815b47642a78f5270da771ff49e0d2145ce858c46c6d304ad0444f6af655d68cf6cb4672cbcf797669129593c0b27cd75f2bd078c9a71831

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
153KB

MD5
2a70f139d942a6f3646110ed9374c999

SHA1
3eeeebf2a1aba14fe518ee8dee54d2675c1d91ab

SHA256
a4c85f5a55042cbcc6752ac9405c57262b409efbd33441ee32cb4547ea38c258

SHA512
214647cdb6a45ace745a9af2e962726484090fe18cd810a8a28e62b2e2dac28f83934f463fec567d2536ef2e9068cf68e7b856cd04426d76c7862cac65caeb99

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
\Users\Admin\AppData\Local\3e04ae29-41ff-4572-85b4-73e1b6428a87\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
\Users\Admin\AppData\Local\Temp\6EFB.exe
Filesize
2.2MB

MD5
7e2dcd2e5b5cbcca18c70d9e617d1409

SHA1
b0b47ca1c83b06b77fcd95789f51aaca2183c924

SHA256
dcf9e4da7fa9481d8a4d56658abed5e5966b333ac5e6f75c80d1d1061a5d1893

SHA512
38c3d90e0b22157ef601c650c3f5fcfac328f1df6388938aeda1e2d3424bfe15c542805648778cfe46ddf8b484e40735eb6601990d9acc5448e8908503383eb0

Download Submit
\Users\Admin\AppData\Local\Temp\6EFB.exe
Filesize
1.4MB

MD5
5fce7144c77857d9895b477472ac70ac

SHA1
ca275b680348d67fcc49d762d65ce8ea29c89154

SHA256
43f2468d797de2b2b9fa0cfe58c495bdc06b4dfdf71f2cb369f7db103e6e4657

SHA512
70e5b523b4a39545353d6fb3846d6ececc5a90bf22605e2080511b151b3b9a6c8c10333667c462b5d24205c508f952b43331b776652f815f756770c51f51ac01

Download Submit
\Users\Admin\AppData\Local\Temp\6EFB.exe
Filesize
1.3MB

MD5
cce75b4572a281edf7f07b84de015d66

SHA1
a8b8072bef81e7a136ca73ff593826bac81e2805

SHA256
bcfc70796c7355ccd2283e03a285e04f40ebd04c591fa0ffe12274ab5738fcbf

SHA512
e48319b8e6004f3c161224272e43e4f64c841376194f8890bcf32ac84ad4bbbbfa07b4cf84b576f96bfaa290453dea2da01e31114f04d42e00a6210aa5412e9a

Download Submit
\Users\Admin\AppData\Local\Temp\6EFB.exe
Filesize
1.4MB

MD5
136b22e5f629f9e6705f3f5de0b957b7

SHA1
b26b3c8692f1caf27c7cf7394cfe304391f0adff

SHA256
79fad01bb3b02ba88788f4c7a23cf1cf099d236608a05a30009385cae5537cd1

SHA512
aef5391331a98fc5c2f800a6cdecb77b0de6df0a72b7e69f50356e79e199bb682f11d9b36e5a6fa4b01b0545f2fe441275dfa443b73df2123cfcee12715c8e43

Download Submit
\Users\Admin\AppData\Local\Temp\6EFB.exe
Filesize
1.5MB

MD5
67df09fade5c01af8f11af6d5596b6ff

SHA1
10933c459f7585607a10a6286aa1e818dbd54633

SHA256
b6b96f855e17220e375208df8b065300ff402d2a9ac9b13c1604fa270a711c47

SHA512
9ad336d82a8f48a160fca7774ba3140473c2445f2c0813d996568cd8ca05c4d95234324cf63cffd9ba3933a11576cfeac60ea3135986094fdf64fd1694fd61b2

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
1.7MB

MD5
209b8d58d0ac525daab9792372518192

SHA1
6f93000a8b165ac2c1ce8f1ba55db3b2c7dd1199

SHA256
6bcbb10422dc4ace07bb69ee1bf18a6dcebda7db046898307fe779b392dc9182

SHA512
761c472bacbec66fa1b41138714a2cec33a34e04663858d7ac729e571cdf928bd8c81754cdd2751692d2c7c77a5e43dcae5dd7356a9d17679a38dd68d404f30a

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
Filesize
1.9MB

MD5
c8f264110cea0104611b54a788528460

SHA1
1b466769243b47d6a63396258a0b2fef34c88456

SHA256
329a328e526c1105ffea6bd6d34b76c88fcb532b95759a15a951cc3afc25764b

SHA512
bf9dc4a0ca8c18714d03150c7fcae6ab6948d1a5ce9ecc76373fdf56ce7d21bd26605c46524a42b24413b55ca7ed91e430df2ee6dcb12c248452f25191bc51a6

Download Submit
\Users\Admin\AppData\Local\Temp\april.exe
Filesize
1.6MB

MD5
df138e824b80657bee74f23f255cb07a

SHA1
22bc55cf108c417243ccef30d4d31246adfaa9cf

SHA256
56eec6e0cb86c9bdca3a654df008200593d1bfc460f9974a713080547bc0bda3

SHA512
596c11cd25f33c2910cf58fde3d9eadd939bf0f4f044a97e6aa6287e38749a140fba03795913b4e7902a2d26cdeb958455492bf2a0b4218defcd7771b1efc7bb

Download Submit
\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
Filesize
1.9MB

MD5
40306b86f909cc684d183f9faccedbf8

SHA1
f82c2071f6a5660880ae3a988f5871d32bceb0f1

SHA256
e009660b3e8a8e29b10714bd0d85fdec5d4a1f383710a04395fe3cb986995cf1

SHA512
87e4804fd0e65842075855205b6e3b097ed3932e5a073fdb3161eaf546b91cad3c5c21164b160bad33aefbf4abfc10678aee70801ff2a966a8b7e5f8cc3fd51f

Download Submit
\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
Filesize
1.7MB

MD5
d192dc6e4b2945182518d30a1dec7d37

SHA1
e8e3bcb45c551d081505561a3b784745a79474c7

SHA256
8e45cceca33b7667763204d8859d38f2d7e6e79fea24e31693c83054a44aa04a

SHA512
9977d740f6a89167aa3a46d8900fd4293b82bad3f5ec75d6956a3222dd0981dac41193cff575882571f0803821db50698256960bca0a6c45c6ce15c2f608d78b

Download Submit
\Users\Admin\AppData\Local\Temp\is-GQ430.tmp\april.tmp
Filesize
692KB

MD5
a6f4254c2f83487e5d23a1af9df029a0

SHA1
595a7d19f7fcde04b31a0beba95f4eac17b7f328

SHA256
b0e8dad847771834904143a67adb46f35d2c18d85f4934ddd9a4a8d6f1d8a174

SHA512
bb575b9e84946068d335222f973480cbc8bcc9668db53f7f8e2e9c0f30d3fb010bb3616ec4c2e2e57c60fb485c65c9b30ccf8cceadee7446340682300393bc41

Download Submit
\Users\Admin\AppData\Local\Temp\is-LUKSC.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-LUKSC.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-LUKSC.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9C9E.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/364-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-42-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/364-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/636-550-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/636-553-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/636-654-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/636-656-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/1060-22-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1060-19-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1060-20-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1080-683-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1080-678-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1260-4-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download
memory/1260-21-0x0000000002BC0000-0x0000000002BD6000-memory.dmp

Filesize
88KB

Download
memory/1312-657-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/1312-658-0x0000000002A80000-0x000000000336B000-memory.dmp

Filesize
8.9MB

Download
memory/1312-659-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1312-780-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1592-575-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1592-449-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1880-31-0x00000000002B0000-0x0000000000342000-memory.dmp

Filesize
584KB

Download
memory/1880-32-0x00000000002B0000-0x0000000000342000-memory.dmp

Filesize
584KB

Download
memory/1880-33-0x0000000001D70000-0x0000000001E8B000-memory.dmp

Filesize
1.1MB

Download
memory/2028-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-118-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-73-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-74-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-94-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-88-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-92-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-95-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-129-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2072-567-0x0000000000292000-0x00000000002A2000-memory.dmp

Filesize
64KB

Download
memory/2092-420-0x0000000072A10000-0x00000000730FE000-memory.dmp

Filesize
6.9MB

Download
memory/2092-465-0x0000000072A10000-0x00000000730FE000-memory.dmp

Filesize
6.9MB

Download
memory/2092-421-0x00000000009B0000-0x0000000001774000-memory.dmp

Filesize
13.8MB

Download
memory/2148-274-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2148-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-113-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2148-117-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2148-116-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2184-66-0x00000000002E0000-0x0000000000372000-memory.dmp

Filesize
584KB

Download
memory/2184-65-0x00000000002E0000-0x0000000000372000-memory.dmp

Filesize
584KB

Download
memory/2212-1-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2212-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2212-8-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2212-5-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2212-3-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2228-110-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2228-112-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2360-253-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/2360-252-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2392-825-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2400-824-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2468-543-0x0000000003720000-0x0000000003A4C000-memory.dmp

Filesize
3.2MB

Download
memory/2468-480-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2468-618-0x0000000003720000-0x0000000003A4C000-memory.dmp

Filesize
3.2MB

Download
memory/2468-576-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2512-284-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2512-289-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2512-323-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2512-491-0x0000000000BC0000-0x000000000171B000-memory.dmp

Filesize
11.4MB

Download
memory/2512-282-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2512-285-0x0000000000BC0000-0x000000000171B000-memory.dmp

Filesize
11.4MB

Download
memory/2512-293-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2512-296-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2512-298-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2512-301-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2512-287-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2512-291-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2512-288-0x0000000000BC0000-0x000000000171B000-memory.dmp

Filesize
11.4MB

Download
memory/2728-260-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2728-255-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-262-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2728-257-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2816-578-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2816-489-0x0000000002790000-0x0000000002B88000-memory.dmp

Filesize
4.0MB

Download
memory/2816-490-0x0000000002B90000-0x000000000347B000-memory.dmp

Filesize
8.9MB

Download
memory/2816-603-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2816-496-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2880-513-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2880-616-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2880-617-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2880-512-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2880-746-0x0000000000740000-0x0000000000840000-memory.dmp

Filesize
1024KB

Download
memory/2880-747-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2880-514-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2964-544-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/2964-547-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/2964-549-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/3056-448-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3068-642-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/3068-638-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3068-627-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3068-626-0x0000000002AC0000-0x00000000033AB000-memory.dmp

Filesize
8.9MB

Download
memory/3068-622-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download