dcrat | 23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a

Analysis

max time kernel
203s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
01-04-2024 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
Size

277KB
MD5

0a4050b41baf35977e32749d092364dc
SHA1

e86798879b46d78b80442390e3bf16576597bbd0
SHA256

23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a
SHA512

baf663684dcdce2e39c18ebe22bbfb6c649200ab2a72269b5fba6d263c2eba5bafa12455d5bc569810f538e2f8b9bd05185536509897255da49dfefcdea8c4a9
SSDEEP

3072:MOGWS6M7qGfIDp+pwZXhmnuJqkQt5LxxCNGZyAEr2vnV1cywTBlMTKa:MOYeKEpdrhQhfkXqvnHUBCT

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://sajdfue.com/test1/get.php

Attributes

extension
.vook
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
payload_url
http://sdfjhuz.com/dl/build2.exe

http://sajdfue.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS

rsa_pubkey.plain

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Extracted

Family

lumma

https://resergvearyinitiani.shop/api

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe13B3.exe

pid	process
4736	schtasks.exe
5092	schtasks.exe
3364	schtasks.exe
1268	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6c619d7-d785-4f0d-8ab4-8cfb6c08093b\\13B3.exe\" --AutoStart"	13B3.exe

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4480-69-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2300-71-0x0000000002170000-0x00000000021A5000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-74-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-75-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4480-100-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3352-21-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3324-22-0x00000000022B0000-0x00000000023CB000-memory.dmp	family_djvu
behavioral2/memory/3352-24-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3352-25-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3352-26-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3352-38-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-44-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-45-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-46-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-56-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-58-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-59-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-64-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/428-85-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

C90C.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C90C.exe = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	C90C.exe

Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

508 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

3396

pid	process
508	netsh.exe

pid	process
3396

Executes dropped EXE 22 IoCs

Processes:

13B3.exe13B3.exe13B3.exe13B3.exebuild2.exebuild2.exebuild3.exebuild3.exemstsca.exethcbgidmstsca.exeADB2.exeC90C.exeC90C.execsrss.exemstsca.exemstsca.exeinjector.exewindefender.exewindefender.exemstsca.exemstsca.exe

pid	process
3324	13B3.exe
3352	13B3.exe
1532	13B3.exe
428	13B3.exe
2300	build2.exe
4480	build2.exe
680	build3.exe
4848	build3.exe
2480	mstsca.exe
4284	thcbgid
4224	mstsca.exe
4564	ADB2.exe
4560	C90C.exe
1612	C90C.exe
3452	csrss.exe
1224	mstsca.exe
2280	mstsca.exe
2044	injector.exe
4588	windefender.exe
2532	windefender.exe
4416	mstsca.exe
3220	mstsca.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3516 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3516	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

C90C.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C90C.exe = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	C90C.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	C90C.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

C90C.execsrss.exe13B3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	C90C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f6c619d7-d785-4f0d-8ab4-8cfb6c08093b\\13B3.exe\" --AutoStart"	13B3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\D: explorer.exe
File opened (read-only) \??\F: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

80 drive.google.com
81 drive.google.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

19 api.2ip.ua
20 api.2ip.ua
37 api.2ip.ua
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

flow	ioc
80	drive.google.com
81	drive.google.com

flow	ioc
19	api.2ip.ua
20	api.2ip.ua
37	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

13B3.exe13B3.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 3324 set thread context of 3352	3324	13B3.exe	13B3.exe
PID 1532 set thread context of 428	1532	13B3.exe	13B3.exe
PID 2300 set thread context of 4480	2300	build2.exe	build2.exe
PID 680 set thread context of 4848	680	build3.exe	build3.exe
PID 2480 set thread context of 4224	2480	mstsca.exe	mstsca.exe
PID 1224 set thread context of 2280	1224	mstsca.exe	mstsca.exe
PID 4416 set thread context of 3220	4416	mstsca.exe	mstsca.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

C90C.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN C90C.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	C90C.exe

Drops file in Windows directory 7 IoCs

Processes:

csrss.exeexplorer.exeSearchUI.exeC90C.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	explorer.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\4032412167\2900507189.pri	explorer.exe
File opened for modification	C:\Windows\rss	C90C.exe
File created	C:\Windows\rss\csrss.exe	C90C.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4144 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2328 4480 WerFault.exe build2.exe

pid	process
4144	sc.exe

pid	pid_target	process	target process
2328	4480	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 32 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

explorer.exe23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exethcbgid

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thcbgid
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thcbgid
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	thcbgid
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4736 schtasks.exe
5092 schtasks.exe
3364 schtasks.exe
1268 schtasks.exe

pid	process
4736	schtasks.exe
5092	schtasks.exe
3364	schtasks.exe
1268	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchUI.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

SearchUI.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU SearchUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000\Software\Microsoft\Internet Explorer\GPU	SearchUI.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

C90C.exepowershell.exepowershell.exewindefender.exepowershell.exepowershell.exepowershell.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	C90C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	C90C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	C90C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	C90C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	C90C.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	C90C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	C90C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-492 = "India Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	C90C.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	C90C.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe

Modifies registry class 29 IoCs

Processes:

explorer.exeSearchUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002c100000000000002000000e80704004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000b6ca9219f083da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80704004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c00000000000000000000000060085019f083da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80702004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc760000000000000000000000009d75ec5ea164da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133529782112836936"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1531961169-1615826105-2188682873-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe

pid	process
4148	23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
4148	23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396
3396

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exethcbgid

pid process

4148 23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
4284 thcbgid

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

explorer.exepowershell.exeC90C.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	3396
Token: SeCreatePagefilePrivilege	3396
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe
Token: SeDebugPrivilege	4560	C90C.exe
Token: SeImpersonatePrivilege	4560	C90C.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeShutdownPrivilege	4532	explorer.exe
Token: SeCreatePagefilePrivilege	4532	explorer.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

explorer.exe

pid	process
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

Processes:

explorer.exe

pid	process
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe
4532	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchUI.exe

pid process

4244 SearchUI.exe

pid	process
4244	SearchUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe13B3.exe13B3.exe13B3.exe13B3.exebuild2.exebuild3.exebuild3.exemstsca.exe

description	pid	process	target process
PID 3396 wrote to memory of 4116	3396		cmd.exe
PID 3396 wrote to memory of 4116	3396		cmd.exe
PID 4116 wrote to memory of 4984	4116	cmd.exe	reg.exe
PID 4116 wrote to memory of 4984	4116	cmd.exe	reg.exe
PID 3396 wrote to memory of 3324	3396		13B3.exe
PID 3396 wrote to memory of 3324	3396		13B3.exe
PID 3396 wrote to memory of 3324	3396		13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3324 wrote to memory of 3352	3324	13B3.exe	13B3.exe
PID 3352 wrote to memory of 3516	3352	13B3.exe	icacls.exe
PID 3352 wrote to memory of 3516	3352	13B3.exe	icacls.exe
PID 3352 wrote to memory of 3516	3352	13B3.exe	icacls.exe
PID 3352 wrote to memory of 1532	3352	13B3.exe	13B3.exe
PID 3352 wrote to memory of 1532	3352	13B3.exe	13B3.exe
PID 3352 wrote to memory of 1532	3352	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 1532 wrote to memory of 428	1532	13B3.exe	13B3.exe
PID 428 wrote to memory of 2300	428	13B3.exe	build2.exe
PID 428 wrote to memory of 2300	428	13B3.exe	build2.exe
PID 428 wrote to memory of 2300	428	13B3.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 2300 wrote to memory of 4480	2300	build2.exe	build2.exe
PID 428 wrote to memory of 680	428	13B3.exe	build3.exe
PID 428 wrote to memory of 680	428	13B3.exe	build3.exe
PID 428 wrote to memory of 680	428	13B3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 680 wrote to memory of 4848	680	build3.exe	build3.exe
PID 4848 wrote to memory of 4736	4848	build3.exe	schtasks.exe
PID 4848 wrote to memory of 4736	4848	build3.exe	schtasks.exe
PID 4848 wrote to memory of 4736	4848	build3.exe	schtasks.exe
PID 2480 wrote to memory of 4224	2480	mstsca.exe	mstsca.exe
PID 2480 wrote to memory of 4224	2480	mstsca.exe	mstsca.exe
PID 2480 wrote to memory of 4224	2480	mstsca.exe	mstsca.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe
"C:\Users\Admin\AppData\Local\Temp\23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EACD.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4116

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\13B3.exe
C:\Users\Admin\AppData\Local\Temp\13B3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\13B3.exe
C:\Users\Admin\AppData\Local\Temp\13B3.exe
2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f6c619d7-d785-4f0d-8ab4-8cfb6c08093b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3516

C:\Users\Admin\AppData\Local\Temp\13B3.exe
"C:\Users\Admin\AppData\Local\Temp\13B3.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\Temp\13B3.exe
"C:\Users\Admin\AppData\Local\Temp\13B3.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build2.exe
"C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build2.exe
"C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build2.exe"
6⤵
- Executes dropped EXE
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1908
7⤵
- Program crash
PID:2328

C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build3.exe
"C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build3.exe
"C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- DcRat
- Creates scheduled task(s)
PID:4736

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:4224

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
3⤵
- DcRat
- Creates scheduled task(s)
PID:5092

C:\Users\Admin\AppData\Roaming\thcbgid
C:\Users\Admin\AppData\Roaming\thcbgid
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4284

C:\Users\Admin\AppData\Local\Temp\ADB2.exe
C:\Users\Admin\AppData\Local\Temp\ADB2.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B072.bat" "
1⤵
PID:3112

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\C90C.exe
C:\Users\Admin\AppData\Local\Temp\C90C.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Users\Admin\AppData\Local\Temp\C90C.exe
"C:\Users\Admin\AppData\Local\Temp\C90C.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1040

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Drops file in System32 directory
PID:3696

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
PID:3452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3852

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:3364

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:3736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3760

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:2044

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:1268

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:4588

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:3136

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
PID:4144

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4532

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1224

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:2280

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2532

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4416

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
f5d38a6b4d7dd26226946210bd98974e

SHA1
a76e96f9ed6df8e812d14b52ef4bbdb2a484964c

SHA256
131c777ed9d52e3945245f4c17159eb1b636542d04705284173e893b264de187

SHA512
47c8cb5ca742ff4dabaa44062c33c41fc5c549de8836f0b8e17f4bea4494c6ab0f93cfd361b68223fd2c75cd21b11526701c8c800ddc6ba7b389bf9ef3b96c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
013fe9c57b199fbfc03c05c8b32d0ffd

SHA1
552cda0c3c866136f53fe972b503d884ce0378c1

SHA256
42955682ff60bd689cf87057ecaa78a3baa9ded527537a412ed3122ce9de9943

SHA512
ab4b3da5cb95378500b0cf7002655445b8341b7097fd0bbdf9d2e33135452ebacc67356c2c52098255ce16cb66aa2d90a2c3cef4343b5d18e9a68273a9e84244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
94fd52c9f6b27bb73a827bd0be5a83f7

SHA1
8bada8df0afaf0724c43bd6458b86198a9865fe0

SHA256
44313dd7867709b0fefec7b77a7303ba6ab37be42f9b17ac64a1c1bae3994355

SHA512
84a8bac2c340f861cbff715e2502d4f540d8969b75318184c475664328e438394982a7afc3308b0efede39dc52f63f485bf1c6f7caead02188ed10ee43bc87ae

Download Submit
C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build2.exe
Filesize
265KB

MD5
97563a191c32200a6f0dff251bdd40f8

SHA1
1d8bd22c19d703349428d0c8c9c8c10a1d068f50

SHA256
2389dff2f3f5459ebb8110c01eeedee11ce0c75c3bb735f6f5f76f8a7bb6e9f6

SHA512
810ada6b966b6bc58dfc980a49ee6a5d4482af338a47a567ca659ccf65d1834506792f39a12b45cd5f6dd138ed4e943ee8d6ef1ac45ee59ab217696ad9ae5ed8

Download Submit
C:\Users\Admin\AppData\Local\2e59ef90-cc71-43d0-9e75-ab19c9a398f1\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
980B

MD5
3fe0dbc85a7038664e68ba0fedc2380a

SHA1
6031d5e29304586f874a3f188dcdac1051c703ad

SHA256
6d7618085e2e184fb971a935717f27adc10771f15253084c650d16a6864f7a49

SHA512
9e815e54b3e2cd7e097699e57f594b4a45ddf1890c363dfbf1efff61f1c7cd87304b42574f2cfd9a3c83834aae5767cf371f7339188e401662e04148359690af

Download Submit
C:\Users\Admin\AppData\Local\Temp\13B3.exe
Filesize
731KB

MD5
07df9eac8a0915350f826af0c0a23dda

SHA1
437070dac74b3821ba7022d093ea5fccca78bba5

SHA256
5be3389fe4f9d8c0106e8270f2a4a71c8d8d07fb95999f63bdd090dff362b5c4

SHA512
239329bcf9fe850aeb4c4beab8d7cc47d1d701b659edcf74168481c55be5f8225748f5d9b4f37c415a3c3fdecf25817c5ca0150bff50f0d2667cd9359b14452e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADB2.exe
Filesize
6.5MB

MD5
9e52aa572f0afc888c098db4c0f687ff

SHA1
ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b

SHA256
4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443

SHA512
d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\C90C.exe
Filesize
4.2MB

MD5
84b7cf2ab343a836f3c68cfe66125038

SHA1
242e6f0afc63727fe2e1f01b414d11375de2009e

SHA256
3681d2d5e8545a4b2048d012bd56686414fcd5f4a5112787026570ca57b9136c

SHA512
1afb24ad8ab896d1314f3e3e349b13f546b97c50c9e284a974f0122b02dfa998fc4be9e3b0a737bcb04a5e5c6cd823b43e0d7f0b09132cf3256cb85daf0e9183

Download Submit
C:\Users\Admin\AppData\Local\Temp\EACD.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gl0scfsj.j5g.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Roaming\thcbgid
Filesize
277KB

MD5
0a4050b41baf35977e32749d092364dc

SHA1
e86798879b46d78b80442390e3bf16576597bbd0

SHA256
23b0b1c7d69d4fd12bdbea87bee294d99af2378dfa79fdaaf3d6e6e4f2d8628a

SHA512
baf663684dcdce2e39c18ebe22bbfb6c649200ab2a72269b5fba6d263c2eba5bafa12455d5bc569810f538e2f8b9bd05185536509897255da49dfefcdea8c4a9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
6a8eadef5d7f2c8218bbe12790afec06

SHA1
32e544ecd88c2b96a93f19204ce5fb13b657a98b

SHA256
c3256ab7cb479ed1fc150f36b2098178bc190a894d3ad70cdd35313c3a9f3b34

SHA512
22b681b44b971dd6e4d4f2af224bb693adad058b7f908f58d554d507e450c8500120c94df49fcc3bcecb224cd1087fadff7226b217cc69873fc2e971641922f7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
3edb3946677f6710181e8796fc4522bb

SHA1
123eb9c19fb75ca8120f750d5925732c81b0fb97

SHA256
95862fc68cd562c48b3165a44dfffdf7ac61f757852f328d3a22bc5aac72c4e4

SHA512
13de8d75c15725a161c72f380bb17ab93318e815afe7ee5384a7a308273bf3746db9cfeb9c275c03d01b784fc1524de73e210e4254b417efdd409cc86751b842

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
46f12a065a74d6a6bfffeaba8c1b1218

SHA1
0209afd509ffa03aaffecc849fc9b491c66dd2a5

SHA256
4f91aba275461a3ff5b52e8250426d15b92b4e5a164114abeb270ad9e2bb8e6a

SHA512
808343c7491f907a80f193469f3d5c7224fc6d0735a811f1d377fcbd8b6a58d00156080208cd927e997351ccd48ce7a5828bffd7628f04c70638ae81aca6f542

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
4deed296b6ed0e5dc9e2adfca48e78b1

SHA1
f1d3c2a81ee614c30cc31819aa6ce4fec8629fc0

SHA256
b1f9f4ec848413b03d3b76853976475b46b7f1a7d5380ffaa4d0095e1a8151f3

SHA512
c1237dd4f38a3643d5a4b6edf5735b7eff7be610ba8e13a8c134f57e4e9360597407f29f08cdca0102d62fc051d79c46be80a73aa9e91c08c26dbdb569bbcd4a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
18KB

MD5
af2e8aa8cf84e4a30ad66a0219e9b211

SHA1
575ede9028db80b46eb889fda7669684a43e8d96

SHA256
e20b871e121931cd7a1392d0427e3bbe399018a04fe5dc12faa2eca91a7f74c6

SHA512
4a8109a8815590a905a0961c8ff84aae17ecf173255348bf218571c531795566fcecea403ad4f3fb2ec2633a4c6eebb70396848a568a3952a3b0990dde4d0d38

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
memory/428-45-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-56-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-58-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-59-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-46-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-64-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-44-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/428-85-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/680-91-0x0000000000930000-0x0000000000A30000-memory.dmp

Filesize
1024KB

Download
memory/680-92-0x0000000000850000-0x0000000000854000-memory.dmp

Filesize
16KB

Download
memory/1532-42-0x0000000000820000-0x00000000008BA000-memory.dmp

Filesize
616KB

Download
memory/2300-70-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/2300-71-0x0000000002170000-0x00000000021A5000-memory.dmp

Filesize
212KB

Download
memory/2480-116-0x0000000000A40000-0x0000000000B40000-memory.dmp

Filesize
1024KB

Download
memory/3324-20-0x0000000002210000-0x00000000022A4000-memory.dmp

Filesize
592KB

Download
memory/3324-22-0x00000000022B0000-0x00000000023CB000-memory.dmp

Filesize
1.1MB

Download
memory/3352-38-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3352-26-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3352-21-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3352-25-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3352-24-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3396-4-0x00000000012C0000-0x00000000012D6000-memory.dmp

Filesize
88KB

Download
memory/3396-375-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/3396-117-0x0000000003040000-0x0000000003056000-memory.dmp

Filesize
88KB

Download
memory/4148-3-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/4148-1-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

Filesize
1024KB

Download
memory/4148-2-0x0000000002DB0000-0x0000000002DBB000-memory.dmp

Filesize
44KB

Download
memory/4148-5-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/4244-401-0x000001CFC9C20000-0x000001CFC9C40000-memory.dmp

Filesize
128KB

Download
memory/4244-395-0x000001CFC9AA0000-0x000001CFC9AC0000-memory.dmp

Filesize
128KB

Download
memory/4284-118-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/4284-109-0x0000000000400000-0x0000000002D44000-memory.dmp

Filesize
41.3MB

Download
memory/4284-108-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

Filesize
1024KB

Download
memory/4480-75-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4480-100-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4480-69-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4480-74-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4532-386-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/4564-146-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/4564-148-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/4564-149-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-150-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-151-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-152-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-153-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-154-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-155-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-156-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-157-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-158-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-159-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-160-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-161-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-162-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-163-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-164-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-166-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-165-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-167-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-169-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-168-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-170-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-171-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-172-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-173-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-174-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-175-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-176-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-177-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-179-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-178-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-180-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-182-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-181-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-183-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-184-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-185-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-186-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-187-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-188-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/4564-147-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/4564-143-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/4564-145-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/4564-144-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/4564-140-0x0000000000C40000-0x0000000001925000-memory.dmp

Filesize
12.9MB

Download
memory/4564-141-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4564-139-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4564-137-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/4564-135-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/4564-138-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4564-136-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/4564-129-0x0000000000C40000-0x0000000001925000-memory.dmp

Filesize
12.9MB

Download
memory/4848-97-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4848-95-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4848-90-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download