fabookie | ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1

Resubmissions

04-02-2024 20:53

240204-zppqysaee3 10

18-12-2023 05:04

231218-fqrgdsaeh8 10

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Size

735KB
MD5

9f5cb3a9a4053a53063a9da9afbf6273
SHA1

b1ad9fe9cd4e8ddf11909751a2e0334c86ff206e
SHA256

ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1
SHA512

aaa720bb50f26f0508f1a3403da7189e7915c5663f08b35dd35299bfb6815c3f20bfb143d35cb57a0a95f623505809434ec28ecb7b90374e674a40381c079b26
SSDEEP

12288:xYRY4kQvFK/hSB8W5yWz2izHvqIknzbUtaD0Drt+/wQVbAV:/48SB8W5lzfqIknzCaoDWwWA

Score

10^/10

fabookie glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/2160-573-0x0000000003580000-0x00000000036AC000-memory.dmp	family_fabookie
behavioral1/memory/2160-589-0x0000000003580000-0x00000000036AC000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

resource	yara_rule
behavioral1/memory/2208-327-0x00000000028E0000-0x00000000031CB000-memory.dmp	family_glupteba
behavioral1/memory/2208-328-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2568-343-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2568-374-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2676-402-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2856-611-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2856-653-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2856-677-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2856-693-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2856-695-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2856-743-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2856-975-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	conhost.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Windows security bypass 2 TTPs 50 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AplGwAcKU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZmXCVzpeviUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\cAagwmwWSSyWmtVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\tisqMnSmFJrmHkYA = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ZmXCVzpeviUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\tisqMnSmFJrmHkYA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hzVOasbgcFlU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TewsSzADpkOsC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JRVpvbxjaPuSbI8qGamTCM0d.exe = "0"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\cAagwmwWSSyWmtVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	schtasks.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AplGwAcKU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\tisqMnSmFJrmHkYA = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\tisqMnSmFJrmHkYA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ckohdYgysRxr33MAwPiccM33.exe = "0"	ckohdYgysRxr33MAwPiccM33.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\TewsSzADpkOsC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hzVOasbgcFlU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
87	2620	rundll32.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
584	netsh.exe
2172	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\Geo\Nation	vQhwyfU.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jUQndZDjwVj4xCQWG7inxu6o.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pKiXMrns47j4Ap72X4B2KQdn.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hPFWQpBtdcEJrsPtJM9pR8wp.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NSi0Vcn7a13uJvj8eMzB59Wu.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9yOqb4RPqvltbupbMjvFfbMr.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xthWVKNB6g7kWh7rQOsec0Om.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BRKi17piI4UUq2ZOfo1gYQcB.bat	CasPol.exe

Executes dropped EXE 18 IoCs

pid	Process
2208	JRVpvbxjaPuSbI8qGamTCM0d.exe
2568	ckohdYgysRxr33MAwPiccM33.exe
2680	conhost.exe
1884	vgHWKB5DqWwTBYwBhIFCdukk.tmp
2676	ckohdYgysRxr33MAwPiccM33.exe
2632	Process not Found
2860	schtasks.exe
2856	csrss.exe
1140	patch.exe
2160	RcenwU1bsRtZdfRYEZhPBjhg.exe
2540	injector.exe
1776	nGv2XBNL9tgTRgmp8mG712ay.exe
2372	Install.exe
852	Install.exe
1316	lZWhfzl.exe
1448	windefender.exe
588	windefender.exe
2940	vQhwyfU.exe

Loads dropped DLL 38 IoCs

pid	Process
2388	CasPol.exe
2388	CasPol.exe
2388	CasPol.exe
2388	CasPol.exe
2388	CasPol.exe
2680	conhost.exe
2388	CasPol.exe
2860	schtasks.exe
2676	ckohdYgysRxr33MAwPiccM33.exe
2676	ckohdYgysRxr33MAwPiccM33.exe
872	Process not Found
1140	patch.exe
1140	patch.exe
1140	patch.exe
1140	patch.exe
1140	patch.exe
2388	CasPol.exe
2856	csrss.exe
2860	schtasks.exe
2388	CasPol.exe
1776	nGv2XBNL9tgTRgmp8mG712ay.exe
1776	nGv2XBNL9tgTRgmp8mG712ay.exe
1776	nGv2XBNL9tgTRgmp8mG712ay.exe
1776	nGv2XBNL9tgTRgmp8mG712ay.exe
2372	Install.exe
2372	Install.exe
2372	Install.exe
2372	Install.exe
852	Install.exe
852	Install.exe
852	Install.exe
1140	patch.exe
1140	patch.exe
1140	patch.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2860-401-0x0000000000A80000-0x0000000000F68000-memory.dmp	upx
behavioral1/files/0x0007000000016d26-397.dat	upx
behavioral1/files/0x0007000000016d26-395.dat	upx
behavioral1/files/0x0007000000016d26-393.dat	upx
behavioral1/memory/2860-544-0x0000000000A80000-0x0000000000F68000-memory.dmp	upx
behavioral1/memory/1448-657-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/588-676-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/588-694-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ckohdYgysRxr33MAwPiccM33.exe = "0"	ckohdYgysRxr33MAwPiccM33.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Process not Found

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	Install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	vQhwyfU.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	vQhwyfU.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
6	pastebin.com

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Modifies boot configuration data using bcdedit 1 IoCs

pid	Process
1896	bcdedit.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	lZWhfzl.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	lZWhfzl.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	vQhwyfU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9	vQhwyfU.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	lZWhfzl.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	vQhwyfU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	vQhwyfU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C	vQhwyfU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752	vQhwyfU.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	vQhwyfU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	vQhwyfU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752	vQhwyfU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C	vQhwyfU.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	vQhwyfU.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9	vQhwyfU.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 776 set thread context of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	ckohdYgysRxr33MAwPiccM33.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Process not Found

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	vQhwyfU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	vQhwyfU.exe
File created	C:\Program Files (x86)\AplGwAcKU\UCGPwHv.xml	vQhwyfU.exe
File created	C:\Program Files (x86)\hzVOasbgcFlU2\CUZWZhgdSQNtN.dll	vQhwyfU.exe
File created	C:\Program Files (x86)\hzVOasbgcFlU2\dihDQDb.xml	vQhwyfU.exe
File created	C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR\KNVfXhT.xml	vQhwyfU.exe
File created	C:\Program Files (x86)\TewsSzADpkOsC\XodqImo.xml	vQhwyfU.exe
File created	C:\Program Files (x86)\AplGwAcKU\UWhdQt.dll	vQhwyfU.exe
File created	C:\Program Files (x86)\ZmXCVzpeviUn\JpKTeUI.dll	vQhwyfU.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	vQhwyfU.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	vQhwyfU.exe
File created	C:\Program Files (x86)\TewsSzADpkOsC\hrNRKvs.dll	vQhwyfU.exe
File created	C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR\WSBSeGq.dll	vQhwyfU.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\unins000.dat	vgHWKB5DqWwTBYwBhIFCdukk.tmp
File created	C:\Windows\is-B26I3.tmp	vgHWKB5DqWwTBYwBhIFCdukk.tmp
File created	C:\Windows\rss\csrss.exe	Process not Found
File created	C:\Windows\Tasks\XwMyCejzLOqQPkTJD.job	schtasks.exe
File created	C:\Windows\Tasks\rzGcUtIiGGHHJZZ.job	schtasks.exe
File opened for modification	C:\Windows\unins000.dat	vgHWKB5DqWwTBYwBhIFCdukk.tmp
File opened for modification	C:\Windows\rss	ckohdYgysRxr33MAwPiccM33.exe
File opened for modification	C:\Windows\rss\csrss.exe	ckohdYgysRxr33MAwPiccM33.exe
File created	C:\Windows\Tasks\bvgvHgqNgKCzXIKVFa.job	conhost.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\dHRDOHpkQTLgzSbMl.job	schtasks.exe
File opened for modification	C:\Windows\rss	Process not Found
File created	C:\Windows\Logs\CBS\CbsPersist_20240204205401.cab	reg.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1832	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2348	schtasks.exe
1224	schtasks.exe
2820	schtasks.exe
1256	schtasks.exe
2780	schtasks.exe
2212	schtasks.exe
300	schtasks.exe
1980	schtasks.exe
2012	schtasks.exe
2860	schtasks.exe
1040	schtasks.exe
3056	schtasks.exe
1888	schtasks.exe
2072	schtasks.exe
2144	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	vQhwyfU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	vQhwyfU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	vQhwyfU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	vQhwyfU.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-32-1a-47-f5-f5	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	vQhwyfU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	vQhwyfU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	vQhwyfU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	ckohdYgysRxr33MAwPiccM33.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	vQhwyfU.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	conhost.exe
2208	JRVpvbxjaPuSbI8qGamTCM0d.exe
2568	ckohdYgysRxr33MAwPiccM33.exe
2676	ckohdYgysRxr33MAwPiccM33.exe
2676	ckohdYgysRxr33MAwPiccM33.exe
2676	ckohdYgysRxr33MAwPiccM33.exe
2676	ckohdYgysRxr33MAwPiccM33.exe
2676	ckohdYgysRxr33MAwPiccM33.exe
2632	Process not Found
2632	Process not Found
2632	Process not Found
2632	Process not Found
2632	Process not Found
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2556	powershell.EXE
2556	powershell.EXE
2556	powershell.EXE
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe
2540	injector.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	CasPol.exe
Token: SeDebugPrivilege	2988	conhost.exe
Token: SeDebugPrivilege	2208	JRVpvbxjaPuSbI8qGamTCM0d.exe
Token: SeImpersonatePrivilege	2208	JRVpvbxjaPuSbI8qGamTCM0d.exe
Token: SeDebugPrivilege	2568	ckohdYgysRxr33MAwPiccM33.exe
Token: SeImpersonatePrivilege	2568	ckohdYgysRxr33MAwPiccM33.exe
Token: SeSystemEnvironmentPrivilege	2856	csrss.exe
Token: SeDebugPrivilege	2556	powershell.EXE
Token: SeDebugPrivilege	1380	powershell.EXE
Token: SeSecurityPrivilege	1832	sc.exe
Token: SeSecurityPrivilege	1832	sc.exe
Token: SeDebugPrivilege	2660	powershell.EXE
Token: SeDebugPrivilege	2992	powershell.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1884	vgHWKB5DqWwTBYwBhIFCdukk.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2988	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	215
PID 776 wrote to memory of 2988	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	215
PID 776 wrote to memory of 2988	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	215
PID 776 wrote to memory of 2988	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	215
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 776 wrote to memory of 2388	776	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	29
PID 2388 wrote to memory of 2208	2388	CasPol.exe	31
PID 2388 wrote to memory of 2208	2388	CasPol.exe	31
PID 2388 wrote to memory of 2208	2388	CasPol.exe	31
PID 2388 wrote to memory of 2208	2388	CasPol.exe	31
PID 2388 wrote to memory of 2568	2388	CasPol.exe	36
PID 2388 wrote to memory of 2568	2388	CasPol.exe	36
PID 2388 wrote to memory of 2568	2388	CasPol.exe	36
PID 2388 wrote to memory of 2568	2388	CasPol.exe	36
PID 2388 wrote to memory of 2680	2388	CasPol.exe	95
PID 2388 wrote to memory of 2680	2388	CasPol.exe	95
PID 2388 wrote to memory of 2680	2388	CasPol.exe	95
PID 2388 wrote to memory of 2680	2388	CasPol.exe	95
PID 2388 wrote to memory of 2680	2388	CasPol.exe	95
PID 2388 wrote to memory of 2680	2388	CasPol.exe	95
PID 2388 wrote to memory of 2680	2388	CasPol.exe	95
PID 2680 wrote to memory of 1884	2680	conhost.exe	40
PID 2680 wrote to memory of 1884	2680	conhost.exe	40
PID 2680 wrote to memory of 1884	2680	conhost.exe	40
PID 2680 wrote to memory of 1884	2680	conhost.exe	40
PID 2680 wrote to memory of 1884	2680	conhost.exe	40
PID 2680 wrote to memory of 1884	2680	conhost.exe	40
PID 2680 wrote to memory of 1884	2680	conhost.exe	40
PID 2388 wrote to memory of 2860	2388	CasPol.exe	94
PID 2388 wrote to memory of 2860	2388	CasPol.exe	94
PID 2388 wrote to memory of 2860	2388	CasPol.exe	94
PID 2388 wrote to memory of 2860	2388	CasPol.exe	94
PID 2388 wrote to memory of 2860	2388	CasPol.exe	94
PID 2388 wrote to memory of 2860	2388	CasPol.exe	94
PID 2388 wrote to memory of 2860	2388	CasPol.exe	94
PID 2676 wrote to memory of 1588	2676	ckohdYgysRxr33MAwPiccM33.exe	166
PID 2676 wrote to memory of 1588	2676	ckohdYgysRxr33MAwPiccM33.exe	166
PID 2676 wrote to memory of 1588	2676	ckohdYgysRxr33MAwPiccM33.exe	166
PID 2676 wrote to memory of 1588	2676	ckohdYgysRxr33MAwPiccM33.exe	166
PID 1588 wrote to memory of 2172	1588	reg.exe	46
PID 1588 wrote to memory of 2172	1588	reg.exe	46
PID 1588 wrote to memory of 2172	1588	reg.exe	46
PID 2632 wrote to memory of 1776	2632	Process not Found	60
PID 2632 wrote to memory of 1776	2632	Process not Found	60
PID 2632 wrote to memory of 1776	2632	Process not Found	60
PID 2632 wrote to memory of 1776	2632	Process not Found	60
PID 1776 wrote to memory of 584	1776	nGv2XBNL9tgTRgmp8mG712ay.exe	44
PID 1776 wrote to memory of 584	1776	nGv2XBNL9tgTRgmp8mG712ay.exe	44
PID 1776 wrote to memory of 584	1776	nGv2XBNL9tgTRgmp8mG712ay.exe	44
PID 2676 wrote to memory of 2856	2676	ckohdYgysRxr33MAwPiccM33.exe	48
PID 2676 wrote to memory of 2856	2676	ckohdYgysRxr33MAwPiccM33.exe	48
PID 2676 wrote to memory of 2856	2676	ckohdYgysRxr33MAwPiccM33.exe	48
PID 2676 wrote to memory of 2856	2676	ckohdYgysRxr33MAwPiccM33.exe	48
PID 2388 wrote to memory of 2160	2388	CasPol.exe	51
PID 2388 wrote to memory of 2160	2388	CasPol.exe	51
PID 2388 wrote to memory of 2160	2388	CasPol.exe	51
PID 2388 wrote to memory of 2160	2388	CasPol.exe	51

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
"C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe
    "C:\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
  - - C:\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe
      "C:\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe"
      4⤵
      PID:2632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1776
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:584
- - C:\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe
    "C:\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
  - - C:\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe
      "C:\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1588
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2172
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1140
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1556
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2012
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1896
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2072
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:1260
- - C:\Users\Admin\Pictures\vgHWKB5DqWwTBYwBhIFCdukk.exe
    "C:\Users\Admin\Pictures\vgHWKB5DqWwTBYwBhIFCdukk.exe" /VERYSILENT
    3⤵
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\is-RH867.tmp\vgHWKB5DqWwTBYwBhIFCdukk.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RH867.tmp\vgHWKB5DqWwTBYwBhIFCdukk.tmp" /SL5="$D0124,831488,831488,C:\Users\Admin\Pictures\vgHWKB5DqWwTBYwBhIFCdukk.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of FindShellTrayWindow
      PID:1884
- - C:\Users\Admin\Pictures\jhXDFxVAGPsWvxEhPvxD7AvB.exe
    "C:\Users\Admin\Pictures\jhXDFxVAGPsWvxEhPvxD7AvB.exe" --silent --allusers=0
    3⤵
    PID:2860
- - C:\Users\Admin\Pictures\RcenwU1bsRtZdfRYEZhPBjhg.exe
    "C:\Users\Admin\Pictures\RcenwU1bsRtZdfRYEZhPBjhg.exe"
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe
    "C:\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\7zS784B.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe" -Force
  2⤵
  PID:2988

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204205401.log C:\Windows\Logs\CBS\CbsPersist_20240204205401.cab
1⤵
PID:1376

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
1⤵
PID:1096
- C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
  2⤵
  PID:564
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
    3⤵
    PID:2500

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
1⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
1⤵
PID:2288
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
  2⤵
  PID:1128
- \??\c:\windows\SysWOW64\reg.exe
  REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
  2⤵
  PID:2928

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
1⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\7zS7A10.tmp\Install.exe
.\Install.exe /JPdidKxawB "385118" /S
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:852
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gMgMirEkp" /SC once /ST 10:54:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:1888
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gMgMirEkp"
  2⤵
  PID:1972
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gMgMirEkp"
  2⤵
  PID:2248
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bvgvHgqNgKCzXIKVFa" /SC once /ST 20:55:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\lZWhfzl.exe\" Lc /ILsite_idrlJ 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1256

C:\Windows\system32\taskeng.exe
taskeng.exe {2500720F-FB99-40E2-93F9-E3EC46C64D84} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1892

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2820

C:\Windows\system32\taskeng.exe
taskeng.exe {D1ED3361-F796-4C8E-ABBC-85E4BAEFA97F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2156
- C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\lZWhfzl.exe
  C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\lZWhfzl.exe Lc /ILsite_idrlJ 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gWxVRIRAm" /SC once /ST 00:42:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Creates scheduled task(s)
    PID:2860
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gWxVRIRAm"
    3⤵
    PID:824
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gWxVRIRAm"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      PID:2264
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gKnjbKJhF" /SC once /ST 09:40:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2780
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gKnjbKJhF"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gKnjbKJhF"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\tisqMnSmFJrmHkYA\LYFPOHLb\EfDUeDRdcznSneHj.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1936
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2472
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1712
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2844
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:64
        5⤵
        Windows security bypass
        
        PID:2608
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2928
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:576
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cAagwmwWSSyWmtVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cAagwmwWSSyWmtVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hzVOasbgcFlU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2280
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hzVOasbgcFlU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1588
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZmXCVzpeviUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZmXCVzpeviUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1248
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TewsSzADpkOsC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1708
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TewsSzADpkOsC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2564
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AplGwAcKU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AplGwAcKU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      Drops file in Windows directory
      PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:300
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2780
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cAagwmwWSSyWmtVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cAagwmwWSSyWmtVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hzVOasbgcFlU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1900
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hzVOasbgcFlU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZmXCVzpeviUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1172
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ZmXCVzpeviUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2204
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TewsSzADpkOsC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TewsSzADpkOsC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2256
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2600
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1600
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AplGwAcKU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2060
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AplGwAcKU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1260
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gHFPhGVlQ"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gHFPhGVlQ" /SC once /ST 09:30:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\tisqMnSmFJrmHkYA\LYFPOHLb\EfDUeDRdcznSneHj.wsf"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gHFPhGVlQ"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:1456
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:2208
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:1628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "XwMyCejzLOqQPkTJD" /SC once /ST 18:36:26 /RU "SYSTEM" /TR "\"C:\Windows\Temp\tisqMnSmFJrmHkYA\kiXpwMNefFEyhlW\vQhwyfU.exe\" Pt /dAsite_idGBi 385118 /S" /V1 /F
    3⤵
    - Windows security bypass
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "XwMyCejzLOqQPkTJD"
    3⤵
    PID:108
- C:\Windows\Temp\tisqMnSmFJrmHkYA\kiXpwMNefFEyhlW\vQhwyfU.exe
  C:\Windows\Temp\tisqMnSmFJrmHkYA\kiXpwMNefFEyhlW\vQhwyfU.exe Pt /dAsite_idGBi 385118 /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:2940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bvgvHgqNgKCzXIKVFa"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:2552
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:1068
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\AplGwAcKU\UWhdQt.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "rzGcUtIiGGHHJZZ" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:1224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "rzGcUtIiGGHHJZZ2" /F /xml "C:\Program Files (x86)\AplGwAcKU\UCGPwHv.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "rzGcUtIiGGHHJZZ"
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "rzGcUtIiGGHHJZZ"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "znkJCAEyDBfVBb" /F /xml "C:\Program Files (x86)\hzVOasbgcFlU2\dihDQDb.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:300
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "sqdcfvEhbfSqC2" /F /xml "C:\ProgramData\cAagwmwWSSyWmtVB\thXJFuK.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "kIZjYIiOiOcCcskeG2" /F /xml "C:\Program Files (x86)\KpccCTQHFwdaQGGjlLR\KNVfXhT.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1980
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "hLfWoLfTBNTItANDgYs2" /F /xml "C:\Program Files (x86)\TewsSzADpkOsC\XodqImo.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2144
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "dHRDOHpkQTLgzSbMl" /SC once /ST 05:51:20 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\tisqMnSmFJrmHkYA\YgPUBTXG\tMnMHTF.dll\",#1 /Bhsite_idZbA 385118" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2820
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "dHRDOHpkQTLgzSbMl"
    3⤵
    PID:452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:1884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "XwMyCejzLOqQPkTJD"
    3⤵
    PID:1824
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\tisqMnSmFJrmHkYA\YgPUBTXG\tMnMHTF.dll",#1 /Bhsite_idZbA 385118
  2⤵
  PID:2980
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\tisqMnSmFJrmHkYA\YgPUBTXG\tMnMHTF.dll",#1 /Bhsite_idZbA 385118
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:2620
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "dHRDOHpkQTLgzSbMl"
      4⤵
      PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2033288350-371384013-12734900112040697128-1693488208-17767657001044836461139436788"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2224

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:588

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:1984

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:64
1⤵
PID:1040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-35683686112501344263993439081787864445738192800-14330960051798271347-397748949"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-187599782671047826-5380536013056757262737596522048499530-40868845-131478566"
1⤵
PID:2740

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1592

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-167151771110939339631354407400129095160311279739176544256447061395321082902314"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-85823201058803855-2140110537-1936787348-350968538117314719-1508251202-2019066180"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:32
1⤵
PID:2356

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\tisqMnSmFJrmHkYA" /t REG_DWORD /d 0 /reg:32
1⤵
- Windows security bypass
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1368155260-1811494111121707088-1372286716-1601283889-269967616-252178008-40402996"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "497208042-6037864712060355305-2093435476-793217537198729017155974260491220014"
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-629430916275551531387213168-427374269695476681002180055-358680921-1314735637"
1⤵
- Drops file in Windows directory
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "796006101-2064108032-1016885859674150659126167347145920814027301679161099"
1⤵
- Windows security bypass
PID:300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
1.2MB

MD5
e5976a99b6807bdbe546c51d8158a4ce

SHA1
fc8c72e6433992b77e83e97bb91130f27e1e1399

SHA256
deb30dd02a767dbe9a0280e48edc6a13069b6a6f98749bcac6f5a05454386b75

SHA512
57c309e7c652ae55e58ce0e4243874824b21a3a55167e99d079cb83e270080e2b0c7c116e170f3f03d7e3cd22775046cdf0bc9ce91aa850b1901326baac67d8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
45KB

MD5
dc38d629e51926a750b443772d7c8c65

SHA1
2868765523e76b2e6706f18ecb665f4631a00d00

SHA256
21a98ea45d4ca76fc03cd769b01345da379395b41295e1506644149d0a378883

SHA512
beb8198332e8771a0475a925a4b31a8a80df9a04dc889442d1a4e024b1b66709acc3e347d50af1868d5d0c351d489cd454fc2523f752ea9dec56b9a9d6048ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
54b159d75116e0021ee87301ad950205

SHA1
1fa69ad8399de1157c8fc50071b575499dd53803

SHA256
78f861f44c076b83d63e20717ead9df3febd0e389692e0a978aef2451eb123e8

SHA512
73700e7b5c367002ece780a260da333daea755454e7050c255879aff82b1a7b62581b42fcab9522262362ffdc9557b63cf6bed9df5debe190643969d88b6881d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
94855b2609db5097726bf157de8cacf9

SHA1
0fff09d9e04def2dba40def092380083997d1b40

SHA256
67d70759b2e3de0128b35f23b5924d6838765cb72fd2cc9d578e40fa80fd8821

SHA512
6eaa7bdb611f49c7356dc86b232edcf0adbd38099ef8ceafd7bf64abf63c711dc5a58ec96c299d415d2cdeb21aa1ca43d049bb9f289a8d172fe0543d0360596c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba1852f9c5b1f89bf59fd2fa1f9b9c33

SHA1
b7df081fdd5ff5ab67d13d5983fd0187b51cd86a

SHA256
2192fdaf4284246ebb6c76bebed7bc81f168a02345052d925506445a7680ccff

SHA512
048fb63f0b78cd75e5ffc5a7ba32b2b576460ae9f19e278e5da7e58bb63ad7cbe5c02650959480446264f136b1afb0c9731e8a753c476c054a5d4be5c89bf609

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36c29a4d35a98b18dbae16153e514aac

SHA1
c709d02b03360dc85882b865a8353c0573cf815f

SHA256
b6205e2485a18ae0b0c6f2ebcfc2ab0ff7c77c795503398e9a54fe971399ea62

SHA512
f17a89d1cd92cb64e8dbb8baebed1e26b75cbbce03e0757d8f5726a7428d7ee7c31a747581ff3da7e397cb87c12462b732bc9cc1f457a043fd0737966a4396eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06bdd3b932d029f1e9fa572204425872

SHA1
c47dfdc5b63e0ade123b37f844404f53a805535b

SHA256
19853565aff0219ace0cc817d251021b6338470cd10240cc5c91db0f30290c77

SHA512
377007fc199f218da273416683d988f97c6c9452e10a609fe76b048c7def2f11dbf8e61f5eeb895aed555bd5ca2a0466ffb677b51c612ba274fddce7d6342b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
352b53b1297196e39022649856a06ace

SHA1
b34f50bb632e7c4b067e74f6bc86aeefe4c064e1

SHA256
5845318a506db96a05a4ab9d273165846a58b025407e9290030e63f5d19da464

SHA512
8b386360df14163094660eec6b1c1e197d5edd068ac2e167871457b9bac9e527f8506975d9e4d83326632f5793024ec0c18a97162d3465cb01bd3e09f3fd5717

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b64f231cbad3635c4f146591b12da6d2

SHA1
9d6085893a19fcb9e3214539611603f158a75f0c

SHA256
c3f698c01012f6586dbdade17d50d332df46505a0c7257a055c70096e2218e07

SHA512
1b517092ffc6813befd64390b94d5f407231b0eae0996060d045d2d48d521ca85ab86f6bd3f63a516fed36b808d52684a0f9661b4bd6ec8860c39c6871308d06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7e20f70c73d97a7c9ab790423b05eead

SHA1
768acc18ab68f4986dcb3693b77537924d6ffe87

SHA256
a9f9d0b92732178d5b2aa67918c49407df850be0f7c4f99993610261aa3b6fa4

SHA512
83e6c852e345a171d0b51a40e72137631456fb2883bec4fb70ba709869504f60b5db7d373b2e6004637ae5056d5c049fc6c1aa8008c784254d12d2fce36fc0b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
26KB

MD5
81636e5ece5f106d91987ed77b955673

SHA1
6952684b25c4956d87d89609543fea1b0a4b4079

SHA256
7ded13bb7dfe294e4ec14546ca4e85530d27acc9a0787140abe400e9b1e41c8f

SHA512
07d34b06615a7fc7766a78ec39d12edb5a8d58026d3f1eaf7b45a6737f4966297e8dc9ee795b896e1caee0d450f67874b7180c43f0872327079e2d38b5a31170

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS784B.tmp\Install.exe

Filesize
43KB

MD5
45943ad112293d1622ad40a80a6a6361

SHA1
9800202f0990cd8270a363b60ff38c3fbf2f2198

SHA256
6070b05b20dc2ebfdc820aad6e362cf9a1d7c7b3143524c8891dc6fde9e24d4c

SHA512
97adf69ab075f7a87af814762be4ad4f77ac3ae015b29ada63c9998d86505dbff2faa67cd7b12a10722265798ddd95e6fe2ecd857fbeeb5083ba5b01cce2b28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS784B.tmp\Install.exe

Filesize
7KB

MD5
cd94505c2c92cdaa322936c5174fad73

SHA1
ad2d51ef6b66ba9d516c99ca22f0da34f80a9b91

SHA256
22841b65667284367c099f017b7ba2b2fa46ee6923b32961b165edfa053b0037

SHA512
b03882a3f47975cf9011b5ca3b2f683e81700cab739af3971860a8fdf0db8eb01d17af7b731f90427788003d878e0fbc5ff26384bb91dd98379c44f620cce51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A10.tmp\Install.exe

Filesize
86KB

MD5
ae8695de9d1766d4f8358e0bb8e406a8

SHA1
d2e4a0f157e08eb976206f6390ae85b5606df974

SHA256
0b0c3d4091f92c624e605c22aed7020212c5eb7727a683b0f2386d5e37070be9

SHA512
3a9f14506cea2a3b1478117e0fa6bf2c90507f4b0d61235beb2da0935a01e6e137b0bb62db52cf1e10e1e20874a72354477483bb99420f9c3e3ff4f285550e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7A10.tmp\Install.exe

Filesize
78KB

MD5
9fddaa64e313147cfcb70c9ce3f921d4

SHA1
da3c6a86b78095370ee849431fcca7487111029f

SHA256
d0242dc6f37d4a6d67e2c93d6d01a545cbd2f3673abc25152c9e0305e16c53ef

SHA512
df7e9b29ed88ab016cd5b29179bb8c5b5c6a721ac2a2ed37f8fb90285a590e365bd0bac96454fab5b418ff173a0a118bcd5ef5d2b1f2a18a3702df0208ef0776

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\lZWhfzl.exe

Filesize
5KB

MD5
8fcad68c5e411da0e5914cafee08920f

SHA1
407979388f08438cbb6762cdd952ac42f76b4234

SHA256
f67f2f76fa72a31df59bf83bcf8ff3688ea0687f4e10e81a75a1614766f8cea7

SHA512
b855ba15d3617e2655f945687a4eb8019d7c48f580c039129d10498ee5bb240cecebda3735d010f9032bb54ee516767c6132c9ec0f2ef2f3360536a1f61dbbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\lZWhfzl.exe

Filesize
86KB

MD5
9a1a445cc3876fa0fe853c5143a16d2b

SHA1
2cfee9aa8559fc410f826725100036772d79ef5a

SHA256
0c0cd03b8be73bc55ff7092b0718b89f6f18311bbb9b3c2d59891b52bb138e53

SHA512
b4bce8f6e488dd327ba9b18d19974f187659ff9013b6464ca9ea613a4dadc22d6d027695f4d240b359618826a1fdd37fadd9dff81239f9f68c44b6cd5778cfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\lZWhfzl.exe

Filesize
33KB

MD5
d91f6b89b2561d1ee31d985fc0a8b809

SHA1
b7ac7e1711772b1fa66433d3f591f71a1dd51e1c

SHA256
f9409802a6d581bf28aeeda879200c70c7b63785f448ab1d75c0bb9c09452f37

SHA512
8db44dbd4767804ac41c4f588965372b7b665ec2586fb6b25236e37445b76b17415925d15c9e57c72babdb73bd93aaa00156c72af8d73194cfb00bfa4bf5db04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
64KB

MD5
c9b01a86e63bca4272d6629df216a696

SHA1
0c1a515ca60ca432e7163ec59e9cbb93d12cf84e

SHA256
12e7e556c8c534b4b9e3a772ec266e48b15f92461fb68d8c75a7bc062b21519d

SHA512
7872033f755cb77fd7d46a02b6424ce3deebc9163b4841dafbb0dc42ee5f4246ca574109bcd9c458bddeaab924b2dfc6d447ca3ea102eb86d040a76041188295

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
7KB

MD5
8f4e272bc5a13afd09a342ff8d05e884

SHA1
bc8e3c52e1def4ef858fbea11c29262febc977dd

SHA256
fa919c387c283d8e32974f0b8f7fe447fb8ea19a32e317a4af7d8408593e9fcc

SHA512
6d265ec3540d3c5cda394a8c3ce99cab1ac98e594ffdfd165792212064c3d7302f6fc4a3e4c72d50ca178e9dae2e1bde03dfd99dcc20e0109850758354b90b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22E1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
92KB

MD5
ab69c4c4f2a4cb1639193eda360e9b02

SHA1
f64bf39052207a29696c08187c3f93926f1325e5

SHA256
720f92eea10156eff606fb38ca1c77ec386674851e98756a3a2e116b7103c616

SHA512
e0f0604ee712f4182d2015a653eaca9964e952f9010abf81b7408536fcba84d4cf5b39c11f76d3a01c73d22084b7d54f201d44b3cb04935f48f0fb2d1ae5bb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
68KB

MD5
b7544f5c4314f452b131a869577cc688

SHA1
01eb3a78cef47784110f6a07ab0027faee7f04e5

SHA256
46f020d184d9f8c8fb811188dc61ca5b26cc6b12a0434a95fab8d8e16b7372be

SHA512
a90b6b860e804c5857120d797ae1323189ee443851b4c4d17ab40e7ae58581675635be6ebe4efe3651f03c7001f3e88827d596c17f2115a9ceac29fc786f0370

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RH867.tmp\vgHWKB5DqWwTBYwBhIFCdukk.tmp

Filesize
251KB

MD5
9e725b35e69e014a6e0e3eaffe65856e

SHA1
11e47ef9437339a74dd980b65927f52cd4a0b521

SHA256
701d6b6b6c2d6dc7d355d72346df25f680c26f5f439907dff3316b8ef8b88f84

SHA512
df215a576afbde119e31cfd1cdc97cfa94e79f73d266cf8e09047e842637fcb9aff5748838af2da682ee66a43cc463e2512d3fbb77945c3298ee3651fd9e7c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RH867.tmp\vgHWKB5DqWwTBYwBhIFCdukk.tmp

Filesize
133KB

MD5
c9b7c214af8ec741f978b01b977d59a4

SHA1
84cd95764e79a6b723471e9758e326632ee35333

SHA256
532d817cbd995cdcf389878b49b9d19815d9b6a00789afbfa68d3925d905a198

SHA512
fdb4b4deb5ab9aadbd2ba1097316947a5283ab8bdfc1c505bb0f6760ea059cfc2ae803def685f60dc275cb60ca76605ee29fab313d6434eff0574a1f379aac90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
28KB

MD5
a5b3654fdf0f7fbe7ea8cb8f18430595

SHA1
ce5a9106f550514f7d4ef52ef094f23bc4d301a5

SHA256
8afefed4a1ff338dcaa110c1b76fda5d55de6ca7ad3f66f4f168da6eb9a324ea

SHA512
2f61cec05c41ec143435b74ca35f90c40c98e8e83c3a2a14a0f55474deea892290da91d9ee76258b2b3cb0be18d762873770caa6ed4ab84d810679a6e387ac13

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
33KB

MD5
f30b73bbb501ae0fab3dd51a5bbb6166

SHA1
6f01b8218daa39ffc08019d84d0da734a830b901

SHA256
8e520b837bc3b492abcbce1feff99fbeba3337432ab002b6e47a883783320801

SHA512
cc01d6db40f6b881d979a7d3b32b143c7704e2da642c5cc865581028dbd17991515bacf15f06ec51dc41beec3575e32292e79202d51955bb77b33f6ba6976890

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4UNRHVFLGOO5A54F5HHF.temp

Filesize
7KB

MD5
6cefdd44c8331867f14dee13e801824e

SHA1
b919c557cb57164a242d7de032b3c664ebc2450a

SHA256
72588f66d83ca4a113c514c41a57d323f06bcdcc77fe6264bfcacfb88cb4b6c7

SHA512
9af43d29bf18460148eb74079fca0653ecc88b305ea6a9139e778465568c27a1ce61f055919e01927e06599ec97637c5b3e79ebb97040dcfbb4e8d445e758c12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\olrckem2.default-release\prefs.js

Filesize
6KB

MD5
75c570acc03bfd0b72f1b36fc80237b8

SHA1
65c2acf4b86ec79050fb09afdaee3a7cffcec45e

SHA256
9b81395614bf0aa421a4ab0467f81e6a99804adcefda12d57f30a2008f759e3c

SHA512
0a678044db0f0cfaf23349efa0dd78b61f7d2da185926c25a8c9ca62ddceaf10d4ed473cc0d2fedccae5f5393d0695a0c5c9b0625f959384db70fc033a85f26e

Download Submit
C:\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe

Filesize
184KB

MD5
979d5a050a3f4ca2e5de78f01dbfa0f0

SHA1
5da63abb2b9471ef8e205500a1906b88c340f785

SHA256
d2533f5fdabedb3b4e65b37a1c37e1cf8cc87b1ac0579cbc11225b8b98be9ded

SHA512
b98aee96f493493e325933bba132ee8e9ed96a798b80901b302090fff009b87d06db58c753a8da4d02932c46be50d79fd21fcad983623d34dbe15e3eaf5e5fe6

Download Submit
C:\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe

Filesize
282KB

MD5
dad44ee2cc42155c98bee57d6e63bf98

SHA1
9831021191e5492f9cd71342d217ca4da11356ee

SHA256
c839fab67ccfd34010f82958176b755277af1b8b5d01b3ac573d3e0074aa68df

SHA512
1467160bfa3aca7826937b206da0a8287081a259d5da9d9e0720d99447e3bd778fd0317dde426e92c0105e390836c0317f841da1132ce973bb106feb30961ac8

Download Submit
C:\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe

Filesize
159KB

MD5
6dd2c9e16aaafc8a92eafefc87b7f2d0

SHA1
0aef6f5a12f5ab20a2a1057130d4beacc45e6927

SHA256
ad85328df2d4ee9e94603fa762b54ced2309b79e3e9d63d82da4b387b9ed5dba

SHA512
97bd57e56cabc0d22f6d4fdfd2db708fef6fc1957858adeba75d76337191f11f92ba69bbc1874aa611f83b5e62fb3d16763a84a085faa13511de6c2e39a41ff6

Download Submit
C:\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe

Filesize
63KB

MD5
b72e9230b55ac4e4df6ee594e99e0936

SHA1
843dec55b2fa64781e67a0b1595e8d99f593bc4f

SHA256
ca957d79f1ef1fe426476521f4e501aac6b8e59b8ea71d49dee456afbbde4722

SHA512
f953266762f447945efe5e892554ac2bb1c20125aa49f5fdd0e7c09eea3ea92ec0981ae41b846bb87f3c2ef0e6c76542d79c1464fec6dc4cff0aa5dbb8772db9

Download Submit
C:\Users\Admin\Pictures\RcenwU1bsRtZdfRYEZhPBjhg.exe

Filesize
86KB

MD5
5cce603cfcf60fcea9081d06fb474674

SHA1
c23413aba2469ae3edf3286ec23675daada55787

SHA256
d7e54e14c71ab832ceeb5d2527f97f2464dcd93b07278310ec2322b54f358490

SHA512
ad02df71c4c075ed0ec40e1509da734ad85844cc2f74df6a30eb53dd2a9b7551fe6bdbdfceddab43b32a985fc27ccb71945f524281b79129459b710281787302

Download Submit
C:\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe

Filesize
96KB

MD5
ad153b83b1faac831283a495ffdc2d89

SHA1
059ac0611a2ed2cee2b6558bc32a7568061e3bb3

SHA256
4646b4c60fbdb33f70f34718d43d049c926dced5f9c4ad9339af85e682d1b5ca

SHA512
f6f188bfd20894fd0c6d6e3f89641f5ebc243d074912f390a1ea8a47104467187be9ff026ec617e6578022ccc5f325dab7656924e244c5d5dbf3c3081a769a27

Download Submit
C:\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe

Filesize
64KB

MD5
33dc7576d9e982663b6791af5660290b

SHA1
fb4379bec57e3b94c6e9db58df2295e23772d4a8

SHA256
fc14ce82d0ce7cabbafde244384aa42a9d046d2d242a0c39c0be9cdf992331c1

SHA512
b6cdff9f54951e5d39df30d9a4e55d80df42d0d2136f67bc68af98e1e5d60c600cfe852bc7ab26b8af86a6e511f96ca11d5176bdb7713212cfd2d2550ac9a944

Download Submit
C:\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe

Filesize
556KB

MD5
ad07c2d98fec152730cff5c5737633dc

SHA1
4389861b29bf7b01162fd63463492892eee0f975

SHA256
05dbc9edc61e49a579870bcb319c242656ede5d4c58fe1a5ad8c1a29abefd220

SHA512
20a819676bf1aaf9c6b5ef9883619991afd75c21f5189ac49978ca98bae3935e93df1f5e32e7fa9ff80278f156ea3db8065b6aef6c65ad46078781b81c443f39

Download Submit
C:\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe

Filesize
533KB

MD5
8b82c152a9ca59356f321e2c55c7f3b0

SHA1
d43a675e87560cd71e4b36e19f42962cf074227d

SHA256
c53d3b3c04b1bd341892ba7cfc6b41d9c4517b3384b88fea1e2225e1ecb43cff

SHA512
f7b93f5679ed93e5a2663599b431fbab4a62892d932002074fd5932c7f82c8679e76f780c33fb40ed709e8ba2ba90f7f88d83277ffbcf1f69b89732cba05b6ce

Download Submit
C:\Users\Admin\Pictures\jhXDFxVAGPsWvxEhPvxD7AvB.exe

Filesize
93KB

MD5
e872c074e9f66bc0a89d2247b8f6cd0b

SHA1
a0efb017222eb5d0763ba75b2501a1d8f1ae5ce4

SHA256
6465b6e5d3168d6595698b2855a1f59c3e4a5a5f446e342c7d64764997c4dadf

SHA512
c0b21bafce4f96afef005f2a8b949d8d0ce03d925ee47eaf20c80395c968a34679820680e471ccb8c693eee6c00432db9e614fbb38a83cbb781db38c26f15143

Download Submit
C:\Users\Admin\Pictures\jhXDFxVAGPsWvxEhPvxD7AvB.exe

Filesize
77KB

MD5
b7add3371271bbb83a11510b46dd254d

SHA1
6247752cae1ef6096e5aaa2ebbeee3402ff955af

SHA256
c71dae10584b64785bc06f821c7722671226b9811aa67c44e01693ea24f3cb78

SHA512
207d43bcd520a48b13ffce5091991e2163d2079be056775ca0e8a52478a90b4cc27c46f1132333c9090e5fa7ba875074e7b789510eb686348c4a630a13c96576

Download Submit
C:\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe

Filesize
5KB

MD5
e524b37ffa56318516b6f676592292d0

SHA1
fd5ef18afb8b63e68d81fa453fcac3b4ed6cc104

SHA256
63909283b1ce7e35dcc022b3b695570e8f8fb4c8dd1560dfb4918eb0ffe6c2b8

SHA512
a0b7a94f4736ae64908b66a662daa526e50d19d2f1572784b77f8f5a304dd92da29bedeaed9123e35c3a7b8abf9ad295449d9198b478046eea7781681c69cb74

Download Submit
C:\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe

Filesize
1KB

MD5
fd12da5fe3c273934ae6b8bd9797a231

SHA1
95f3f812906129fae537d2d2b2c9842555e99975

SHA256
fa0844d436f2ed5a340ca75ff09e6b615241f5ca35770ff0ec4c53289f029648

SHA512
762d9ffafd268244539c159a3830e1d240e59ac5624d7e6c2be36f1ee9f9162f7f8fb802c3262d03957354d826434b7a4161901d7a3bf6f5184ef312c4fe38bf

Download Submit
C:\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe

Filesize
44KB

MD5
c0953a5a25d89637a0ec20add95f6a83

SHA1
415e533e16a26a39281011fb138171553e0643ee

SHA256
28ab3208f928d8c911de8d3a67bf04e660e66a98dfba467aeb84e774d6f7f944

SHA512
894bb064b6dcf161ab8515d0697e92dd6666312c7135fba411a2ed45fbea38eb410c982488d8664821bca7ecdf30bd8042a634915744c873dd3865852cb0332d

Download Submit
C:\Users\Admin\Pictures\vgHWKB5DqWwTBYwBhIFCdukk.exe

Filesize
724KB

MD5
e16be07f047d9576e509322b511758b6

SHA1
cd795bec15d521b642892300ed5c40f1d4c88332

SHA256
1edceca16c4933bf46780d2db432487b3863175ea4ea520cb9bf773604cfa727

SHA512
3442c5269434ccb847fa6ffd37a26d0c11187d3c77767e1c56a567ebe7dde44a7c55d67a483ed88e6cc634265a283653fcafa2485af6cd4b45d42c8b39be566a

Download Submit
C:\Users\Admin\Pictures\vgHWKB5DqWwTBYwBhIFCdukk.exe

Filesize
691KB

MD5
fa0f3804035994b7513ef72db09e1c45

SHA1
ee3d068f74337acfc762f822b0128e0857475b69

SHA256
6b73f5918a2cb81401a3aaa4a8513f3c9c011291234853f7d0d47501436fc692

SHA512
aea7cd463024645353f31017195cbd6bb3b66fb38bb1c5fa6c25af7dfe2f6f058b280a6850a9b183c3e1cc1fb09fca7c80b805e3f52b399bbce8a1f0aee5b600

Download Submit
C:\Users\Admin\Pictures\vgHWKB5DqWwTBYwBhIFCdukk.exe

Filesize
155KB

MD5
66f5808404307dea32c81f4f1183858c

SHA1
62e9c5c89467258f1dcb21a7eb9db7b1dd1766ad

SHA256
cffd1c9fcb0afbcc9bb87c5bf437e090cd93a7bcb57a95ecf79cbb3fa9f4a516

SHA512
5d25480e7547af93127bafb03c7126fcc046e6da951b43cf70eac5be0d0c6282e6642b66964be59d72a20f1181b2e67d77be7daff0d885781666587dc91536fc

Download Submit
C:\Windows\rss\csrss.exe

Filesize
80KB

MD5
9604ec6336575ef71a61eef8c4bf1cba

SHA1
c0cceed836d84c3efe5aae941062e5d34f0785a4

SHA256
5ac0f5da94f5f7a2819c6f51accb446acd3d537bdfc36cb7345e25ca5b2e5837

SHA512
a92493a56e0c225fa6aed072e2d1c4dde4c995060d2b9de640764b6c2280d74e2ff4b4abb25c8f14b9aa5ca134571ab82f755d449da3e2d43158b115072dee4a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
18KB

MD5
06922fd3d5eae0f461ad322d7c71d3bf

SHA1
d70fa2247d4d3a6bb92f7f33e4906250b0c17540

SHA256
f166892f6b8119c36df9abc89e0eb38b90e28ca190f656682a053e4a41ab47ac

SHA512
576ca781e5c336112ced1ad44b97405bfca367099ad1f011d4a698b614e9e2ebae97f3309df7ffd556c299e9f141a5c84d4692dd8823e92a37842f47bd871bee

Download Submit
C:\Windows\rss\csrss.exe

Filesize
31KB

MD5
72d4567eca394be4d9cc1229ec9c04cd

SHA1
ede02649c621c713e30e877e8e161dcb7ce9d2e4

SHA256
31db896786416f6517e12be209b461e6cc4916b074a6b8b86d4435ca38ad9a34

SHA512
7a69314129fd339a7530872eba51a847ae1a7bdbc8b44672cb2b11b64b48286363b71bc9ddb3a847b9a5da2c8f4ee1bba32d07356e0dbe74f36443c1310a8fc9

Download Submit
\Users\Admin\AppData\Local\Temp\7zS784B.tmp\Install.exe

Filesize
34KB

MD5
face9b251de43a1b8a0cf6274e6ba626

SHA1
a53b54a929179b1c8e1948e39e85764af20f91af

SHA256
292487e1c5f3b54a56914522171faa1de6480a86a8390100ccd15c1954d2f400

SHA512
e9d5c98cbffb1217682e4c6f812f871bf712a621a607343ed0b7a7eb37da6049d2cbb827a28c3d93247ce978ae4ca48c68c22bed6ad02355449f485e1986b3a8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS784B.tmp\Install.exe

Filesize
45KB

MD5
eb2bc88e9cf7ad0ef4a77b4e5028697a

SHA1
8d914cbd14220d5edac2f4e6fd2bee922291f99b

SHA256
5644c358298e527a328b90a665d792f2b3b58186c231b8ee6515bde134178529

SHA512
59db6e95d999d9d4b32cc7a1b990a8404c266df69c4d60af8a1744455597087430eb71f2c7cdefec0c165a57ce1601137ae9749c7983e2a2f373eee7258524f8

Download Submit
\Users\Admin\AppData\Local\Temp\7zS784B.tmp\Install.exe

Filesize
17KB

MD5
f8f0ec363c0ccafaf44298e2abe36d71

SHA1
36eeb2c31a7f6b1c40a37fe9d7ef14881fcace61

SHA256
692f35208bfc1ddd6ac4c0469f4d63880a84629972bb666a09d665118f5d2532

SHA512
5330e0e762067b19c9d9ac3827f8f80826a6c302718746abe0c5308e1e38ffef8b0a103e393805d260d3bf6cfcb8e0a22e4124a136540cc489f1f89d9788a54b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS784B.tmp\Install.exe

Filesize
2KB

MD5
d0873a4658686b21e7b1e34250a5ff48

SHA1
503f7a1cc52344cc143f2ada74abbf1f69aa5502

SHA256
a98561e3923b6b0508f3e875d462e7479b22e8d9dffdcf43f4947b535dc65597

SHA512
2b1d54781f65b594685a88d506121e9616b412a9ce0f7b951b122a2f55d79cb821a5b4280bb6c6112ee22955b8bc7193f1358116c54fc386feed0b5b94362c86

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7A10.tmp\Install.exe

Filesize
39KB

MD5
8e9707def93ed7f2768cb5e7026c58c1

SHA1
f72273c83744d70d527341e94d658adebcebee9b

SHA256
356c62165c9107c412441d09483e0b30f1eec4c1a85f6383727528b50bc42884

SHA512
49cdb857363240bb26536a4aecc3ffaf2415150544b7eca57c92f6e54da32668051f5dab441561be66562eec04cae77ba64f792f3b775ce31cdfb7f768e88c03

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7A10.tmp\Install.exe

Filesize
1KB

MD5
78d19d1cb32dea4edee0e28810834e4c

SHA1
ebb5b5f2859807c7e9fb7236b3c197862c49df0d

SHA256
507320f5616d21bda6e52a07269994dd18ff3a113316a8ecf6785264019b27e8

SHA512
46193aa204517cf81fc93e670d56338cbfe068692489fa478dcc25049a4e47e3386e1832193eb96e6c1ea06b4c7ae60ad660b3d01f85f0d28f8b06db96de15d5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7A10.tmp\Install.exe

Filesize
39KB

MD5
dd8ae1487b6388b2fce6cf34a78b1c5e

SHA1
9a205c37c14a54009d49efcd5172549594ebcde3

SHA256
5f37ae0f49ca09d4c917ee1ecefcf4a3c3aa26c0f605c3975938dc48384077cc

SHA512
78c422e4fb2455470063b5b5d2a36b381c713b640295ec39b05e9f875ecd1a6bea57378678e187f103c0beaa7c74f1b43f427ff2c7546ba6fb03e84d1d395c2b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS7A10.tmp\Install.exe

Filesize
33KB

MD5
0bc4584175dd4ba1856a749074fcf1f6

SHA1
88c665efa25edd5adcdeddc4ae8b6ddc740b26f6

SHA256
f219f2dc07268dc4fb436c47749c5bda841ee44b2bb932ac1326b91befe62ea6

SHA512
52318157e86ee664f6d4c25d266fecc7ad513c2ad71eec14bd76b6e761597928e68844d3e387580d46fb2efb2d6637f5eba2d40fb501e7d1746c83d371ea5096

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2402042054036182860.dll

Filesize
127KB

MD5
016daf5effd26450110319618aa35c58

SHA1
969a5f340150bb9d254a153bb3029b3faafe56c4

SHA256
942a1efd0f0a908a43ab81f04b1cb6415dacced6824ec3fad25206d97e4f6698

SHA512
b5fc7492cb1b189cca135b3491838ed9e578b983b78466803c82860cd660f2d656e8280233ec9920c8be0137e4b03a95f0253ad9d781eb29607db3c0352471da

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
207KB

MD5
389d03296276fe1656745a8cf1f7e9bb

SHA1
67a1cf0c93b7831b16878e8bb02bc3c20796c2eb

SHA256
b7bf804cf47b3cea67d6b13c8cddb723b65bdd9b01a2cbfcc06d234da25cc712

SHA512
7c1fd5c43e2b72e6826ef4bc45d7e367c06d76d1c5bf73e0949e10455d77458e30f9e95907caecebd782754d42a170b760edd44a8b79673bbb80b8b9968da1c2

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
64KB

MD5
2a1cb59786bb9ef9b0346b1088b4ff87

SHA1
609c3351ac97a0a18c6977f238b8d95b0a1146d4

SHA256
f7e146bfc1eb0b4d7b9c34828784ec949168888fec6ec92b702395766bca3359

SHA512
96c1a487b2a8facb49c2d63caa658d8d4652d79cada5eeb8dc9b956cb989c58d43bce1a09574262827f1f7ce8b1aef1cf6a65834242c42c6892f58c9b3f14d7f

Download Submit
\Users\Admin\AppData\Local\Temp\is-RH867.tmp\vgHWKB5DqWwTBYwBhIFCdukk.tmp

Filesize
384KB

MD5
dc8f7a564b216a7c3be0777443adfe19

SHA1
e6b615a5d2cad893dbd27bd372be8cd9488b2d0a

SHA256
8daf7c378cb61e450431077999980f6f8fcdbb41d3df64c711f5b6d7ab1ed440

SHA512
b135ddee6c831c3c40cc3ba9e0b7f56cc6d1ec6eece21528334b3cb7270611fa2f1c55bcff5f106b8a19dbfe54dc25497840f4202aed5546c9c6a0a3b99b8ccf

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
104KB

MD5
c8b2747102a2ddf9b191c9b4d6180493

SHA1
e0324a16b3bdf057674277201f43927c11cb1460

SHA256
b0655ebc47afa61e34518806a7ac02ee256b214592c9d12db288e19da09c6137

SHA512
6bd1ba374f14abcfb5ff6ccf6a2730527dd200495fbe0643e840a01626e4646f4cb958830e5c4096d9788f6c7e96b991c0f5dbfa1e1af4153ef95cf76b74a2a0

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
124KB

MD5
eedda20195d160fbbfd7819df578f79e

SHA1
14ee88cac5ce70eb2550c925cecc4527e111c593

SHA256
78358724e35c9dfaef8eb782f00a854affe789987bf68a5b2c87aa14e47ad807

SHA512
44407ddab41865daaaed37b9cfd5fff1755ef54cb561e718d830dbdc1a89ca800f29bd64d7d02109a6ce0efbb49052e8fbcf39463a4b6901104593867223892a

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
92KB

MD5
326d1d5466e7a31056d5c9e281242851

SHA1
92df6612cd3c6d79c6a18fc1a52a40ca41874ce7

SHA256
51e509f6f154fa45c508e3ff114934ce640d800efcc6b817dc8dd1083c1906ce

SHA512
1617a257bcc3eefcfa02b4047bdedd12bb20c4de4339d826c4f8996162b9458743b028ff5c6590627143aa107e8aa6294df05481a2d57e673cf376b86a00eb46

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
81KB

MD5
650036d2293bb45606de144cdb41af54

SHA1
eef07ef003a9d5e121b4eaef2d64aa0ff33981dc

SHA256
dfeb3a03f5287574d5d2647d50d7cb7e359c473682b462d568ee46da92de1484

SHA512
9ae52b1504690d99dcaf50a8c4b3f1d69368f0fec556dacacff4ac4e67a5b56b45c1b3f8d744ceee5561a509bbf1b06d536a7882693ae2b871b2e83b5caf7df1

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
17KB

MD5
7201dce06641fe54c7a95ebe6bad17ee

SHA1
2679f7ba28622dd2636f7c984740142a3842fea5

SHA256
8ea788bdf938c30e674763bdd49cdc4793ba838c9d5db0d80d6e48ce69e195e3

SHA512
0cbca54b9349138e667e5565ddd76e949eb7b272da3e481293d437e75835d8f6ee4e66289241bce5a7f22c83d03fff55063bc736367a28d175cfcffc655946a9

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
14KB

MD5
2922f023eb304f6b16909e834bd9d608

SHA1
2fd59690a1b4d0a4e10c62c1629461e4e6a99c59

SHA256
10755662422fe312d6fd2b3fc2c83f8dc866f8494741e7851bca2943b84a6a4a

SHA512
9387c0cc59047dd404335e7f0a538a8ac749fd4d0a4a6f789be0524236a14f3449a0f6599b25d83f05901fa5354decc95c07581a067febe5ce8bd99d4da159d8

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
117KB

MD5
b3cc6ad011e642a7afb5cabb7ddc8e0a

SHA1
72871f8252014a8c751403c57ac7d6df2c4942dc

SHA256
bcf886b4266047c49d582698322756f7e6369932d3731218f5488c88e5cd255e

SHA512
9563e2e9708a92656a9d5898643e2d22cd6f3cdcdae84912e13afb25cc1b1ae4b1ca8c1df963c323eba1685201ed82c603d0d98113ad8ad6af4078192d9500c3

Download Submit
\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe

Filesize
312KB

MD5
315a2399b90a310ebe718e862d2542e8

SHA1
e3310c4e32c5f4a8244a1e464367db831f9261b1

SHA256
514b03a9a1cf2bd72f23ac948c4dad51ebe5fd25616a185ea97a285c9467142b

SHA512
efb61376a839e507bd78023f10f02703b4e896a5ca658e79028190483185bd55735cabff89863698e6282c09c4f5541db828abe64f4a5700b58102173d4ac224

Download Submit
\Users\Admin\Pictures\JRVpvbxjaPuSbI8qGamTCM0d.exe

Filesize
235KB

MD5
dc98c3c62347b177548cb24d224e24a9

SHA1
72c5975ba3e6369ac0c0187818188ccc08f30d46

SHA256
65c13d8e6499499c71cd72f2b83c4c3939cb5d57833c124372e721aa025a01c2

SHA512
c248fb39cf6d3e7d0f5237338ecc75f2b153729d5d99c8f3d80930fa423400c76c97348cb22404e28d2e4a37d4d6f8eaa80a32acf6443627eb52cb7bd259e301

Download Submit
\Users\Admin\Pictures\Opera_installer_2402042054076772860.dll

Filesize
21KB

MD5
516f4fd23df28fc56c3d3e31b54b7270

SHA1
d3b8972fbfbe3ba0556be4d3a781708e65aba5e0

SHA256
bf1c1401eac9ac7a35f29ae30bbca3a3d8fef37f2727b8d1a7b27f7c81e080db

SHA512
9761d82cfbb26dca544b7b8495a5d5015043a690cc3f787f6adb43bd044ddf1197211a65d19a2d8cc5c605d45040224ab556135924e789d9622f244eb3b7ae87

Download Submit
\Users\Admin\Pictures\RcenwU1bsRtZdfRYEZhPBjhg.exe

Filesize
59KB

MD5
daba5bd6fabe8ab0fcb309bffe095a4a

SHA1
abe11d8d3ec6b0875e9a9e3d66f055acaa0d8f2b

SHA256
f44af8bc504ba472e4eff8f82c4b3e9bef8c80e2c0458d87dff39b8b7f79b32e

SHA512
4b8b6238eb1771b37d24566967809f93bcb9ce23b417c03beaba2b7f8db526fefc7280498b7fd42e4811332a0828b7027d31a7a8af5c120a56a6fbc766d34e92

Download Submit
\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe

Filesize
90KB

MD5
a004b16f2257b4d5f88fe289b50a7486

SHA1
f83f85b5f8b0a80cd9eed0fe4c36d14eebcee390

SHA256
7e69d4dde4ff52197c490f981e67a86edd507d2cad62585fa06fe7f1b36572c0

SHA512
6ce6f7a3b4f7f85d211d262158fcf97a1bf0f5a07e9ba293601c3af79fd3989d04cdff435f326fa0900bd8324a239379507b641f65472832ebb615b5886a7d1f

Download Submit
\Users\Admin\Pictures\ckohdYgysRxr33MAwPiccM33.exe

Filesize
105KB

MD5
1ba15610a448a6552832d5cd81726c18

SHA1
b1efa0c04b6361445a43120d31aaa57c7a5692f9

SHA256
73d193aa541774b74c015b6a452f4019a8035e658911e2fecd47262ab711018b

SHA512
49d49e4663993bd2f7f054923044d252b6cecf5db7d963a471a160c2cf4443ab4af9ff9e0bdd19cea5bfbc94c15f8ff8094952d25def5804206e3bae051bda55

Download Submit
\Users\Admin\Pictures\jhXDFxVAGPsWvxEhPvxD7AvB.exe

Filesize
48KB

MD5
8f9e91755dca5bfba1ae877e181e4438

SHA1
a7dbacb845347e9ad347afee2bbfafc3051d08c9

SHA256
96f9a665eae5b97b7f98601567468b57d40aa108b97cae87d1df798666da21aa

SHA512
7e4bc436df6978685380c4542dd7d25c1ce76be42249f183f67f590d3fb056bacd24f89bbf4a6190482b3526fb6813619e812ff28ed6aa3fc215f4295d30c3a7

Download Submit
\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe

Filesize
41KB

MD5
f26c2e8974bc6d5306c4c7c6c0278e86

SHA1
4ed6de95ca13a668be01799395ce5a5767acf998

SHA256
58747339d66337c385a1e06c850d515778eb9fb7bdd6139c125471d870de3119

SHA512
6617d68af7a79ad35ef8497ca2577d5da2e888faa9bf46c14e0bef713ebbb4c6a136f9f7d755b67321f0f572e96fca39216ff4635cae688163035ac646a2c7e9

Download Submit
\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe

Filesize
98KB

MD5
2c6c535bdb3686aa5a84b08024ff2d3b

SHA1
1a8e18190dc0420eea5a4b3dd825a45d978274f9

SHA256
cd2f90cda1bf0fac6c34298866676dfda78cb7443f4731e51ce3ea7968e4b24f

SHA512
2e35a89f8429fe4a883869bd3053bdbf73c231710aea2dc4117b0c1e203e3566e5085216ae512df1568aba10591265f0f9e7521c08aa1b822aa1b6f3dad01170

Download Submit
\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe

Filesize
38KB

MD5
a512f656a0777cb74e288b9fe0dd9b04

SHA1
b94b28d11f373344e33b173f3f056854fc29f174

SHA256
94139d6253d8fdd0f39e45d9cfd14156072869e67613b2b45479d3e7c94ce836

SHA512
7254fdf0c87588c00bd8847dc2508798f349fcb22265453dab444b2dbbbedcc9f60a7c053cc04c749b176f58b5a68d5ff646ddce54db2aa7a4637a5c01504195

Download Submit
\Users\Admin\Pictures\nGv2XBNL9tgTRgmp8mG712ay.exe

Filesize
23KB

MD5
bac6620e4988fe171a67c18b6d098dc3

SHA1
90485b07021b9a2f5ac382b5bc9e159155f9f870

SHA256
6d435bec2f49600ff26872833b9856392d85e9d656bddc7cc5473217e60effb8

SHA512
af97488e003aade289fba6528ce9ccfecf7da7d005aa6f020bf18aaa7d6412440d20b65d27eaa4bb0151b715af2117835e4527e9559eab7a17540dad1d3720a9

Download Submit
\Users\Admin\Pictures\vgHWKB5DqWwTBYwBhIFCdukk.exe

Filesize
456KB

MD5
797eb6a2f20280e594a925dd20c9e618

SHA1
69337b93e7d12137004c518f79d17f03aed22a78

SHA256
6a69a738be0f9d87722c166fb2918ecf9de97ce171a716fcc3d8c64e0ec33ee5

SHA512
3c7549f28d7980f9293a6e0bea22cca6615bbf78ba9d4a96cf5774e40b0b2421b5f2a0b1cd94e28cea36c112fa53390e8f35fde40f1f29811c95a4f35121e2e0

Download Submit
\Windows\rss\csrss.exe

Filesize
57KB

MD5
e1e7ada199551be196871ea69ba8f672

SHA1
e62fab65d7156d7c5eb880b3c6c6973795d1d9a1

SHA256
aa2dc063226c9961be0fa716874ecadbd014b5dc3ca3e1dcc405e497ee04de50

SHA512
3b2c56017b96a68afe3b804c4ab03f12c90f63e15841e22de0303f33e08af6912d866e622525070ebf11c12ad569aa7e05b9e26cda70da65c58240e0c7ec374d

Download Submit
\Windows\rss\csrss.exe

Filesize
96KB

MD5
688707a0d51598d0127bfde9cfbbf221

SHA1
b7f9ba2c4e8648a8616107aa39a424612525b114

SHA256
50b8b1ca5589075664c51bb55d3e7ea48aa58aef5ebd35ebb78042da2aa3cb97

SHA512
c7c699274853ebd639017813d38a819e23a8618b22efdfa9863e0a50ba4bd18cc3e9fdae6986d199654a59bd3af17bd39e3faa72489c28f0720e53fc51cfded1

Download Submit
memory/588-676-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/588-694-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/776-0-0x0000000001030000-0x00000000010EC000-memory.dmp

Filesize
752KB

Download
memory/776-10-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/776-4-0x0000000000B30000-0x0000000000B4A000-memory.dmp

Filesize
104KB

Download
memory/776-3-0x0000000000A10000-0x0000000000AB4000-memory.dmp

Filesize
656KB

Download
memory/776-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

Filesize
256KB

Download
memory/776-1-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/852-584-0x0000000010000000-0x000000001055A000-memory.dmp

Filesize
5.4MB

Download
memory/1140-445-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1140-428-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1316-635-0x0000000010000000-0x000000001055A000-memory.dmp

Filesize
5.4MB

Download
memory/1380-647-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/1380-644-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1380-646-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1380-648-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1380-649-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1380-650-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1380-651-0x0000000002A90000-0x0000000002B10000-memory.dmp

Filesize
512KB

Download
memory/1380-652-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1380-645-0x000007FEF48B0000-0x000007FEF524D000-memory.dmp

Filesize
9.6MB

Download
memory/1448-657-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1884-370-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1884-379-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2160-573-0x0000000003580000-0x00000000036AC000-memory.dmp

Filesize
1.2MB

Download
memory/2160-572-0x00000000032B0000-0x00000000033BA000-memory.dmp

Filesize
1.0MB

Download
memory/2160-450-0x00000000FFDF0000-0x00000000FFEA7000-memory.dmp

Filesize
732KB

Download
memory/2160-589-0x0000000003580000-0x00000000036AC000-memory.dmp

Filesize
1.2MB

Download
memory/2208-390-0x00000000024E0000-0x00000000028D8000-memory.dmp

Filesize
4.0MB

Download
memory/2208-325-0x00000000024E0000-0x00000000028D8000-memory.dmp

Filesize
4.0MB

Download
memory/2208-326-0x00000000024E0000-0x00000000028D8000-memory.dmp

Filesize
4.0MB

Download
memory/2208-327-0x00000000028E0000-0x00000000031CB000-memory.dmp

Filesize
8.9MB

Download
memory/2208-328-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2208-388-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2388-359-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2388-396-0x00000000088A0000-0x0000000008D88000-memory.dmp

Filesize
4.9MB

Download
memory/2388-11-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-12-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/2388-344-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2388-529-0x00000000088A0000-0x0000000008D88000-memory.dmp

Filesize
4.9MB

Download
memory/2388-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2388-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-603-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2556-602-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2556-598-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-599-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2556-601-0x0000000002C30000-0x0000000002CB0000-memory.dmp

Filesize
512KB

Download
memory/2556-596-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2556-597-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2556-604-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/2556-600-0x000007FEF4A10000-0x000007FEF53AD000-memory.dmp

Filesize
9.6MB

Download
memory/2568-374-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2568-342-0x00000000027A0000-0x0000000002B98000-memory.dmp

Filesize
4.0MB

Download
memory/2568-380-0x00000000027A0000-0x0000000002B98000-memory.dmp

Filesize
4.0MB

Download
memory/2568-343-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2568-341-0x00000000027A0000-0x0000000002B98000-memory.dmp

Filesize
4.0MB

Download
memory/2568-345-0x0000000002BA0000-0x000000000348B000-memory.dmp

Filesize
8.9MB

Download
memory/2620-932-0x00000000013E0000-0x000000000193A000-memory.dmp

Filesize
5.4MB

Download
memory/2632-421-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/2632-392-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2632-420-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2632-389-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/2632-387-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/2676-402-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2676-413-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2676-391-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/2676-416-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/2676-382-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/2680-362-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2680-419-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2680-354-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2856-653-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-975-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-543-0x0000000002730000-0x0000000002B28000-memory.dmp

Filesize
4.0MB

Download
memory/2856-542-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-418-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-571-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-605-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-415-0x0000000002730000-0x0000000002B28000-memory.dmp

Filesize
4.0MB

Download
memory/2856-612-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-743-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-659-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-417-0x0000000002B30000-0x000000000341B000-memory.dmp

Filesize
8.9MB

Download
memory/2856-677-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-693-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-414-0x0000000002730000-0x0000000002B28000-memory.dmp

Filesize
4.0MB

Download
memory/2856-695-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-595-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2856-611-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2860-401-0x0000000000A80000-0x0000000000F68000-memory.dmp

Filesize
4.9MB

Download
memory/2860-544-0x0000000000A80000-0x0000000000F68000-memory.dmp

Filesize
4.9MB

Download
memory/2940-930-0x0000000003C40000-0x0000000003D1A000-memory.dmp

Filesize
872KB

Download
memory/2940-744-0x0000000000940000-0x00000000009A4000-memory.dmp

Filesize
400KB

Download
memory/2940-709-0x0000000002010000-0x0000000002095000-memory.dmp

Filesize
532KB

Download
memory/2940-698-0x0000000010000000-0x000000001055A000-memory.dmp

Filesize
5.4MB

Download
memory/2940-920-0x00000000028D0000-0x0000000002955000-memory.dmp

Filesize
532KB

Download
memory/2988-20-0x00000000702B0000-0x000000007085B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-16-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2988-19-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2988-18-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2988-17-0x00000000702B0000-0x000000007085B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-15-0x00000000702B0000-0x000000007085B000-memory.dmp

Filesize
5.7MB

Download