0fcb21ac21f8d2254ada9cae1e29f6f806c7c24d5febb6510787bb6524a40a03

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f5807833be0e855eccdef3320d43440N.exe
Size

191KB
MD5

7f5807833be0e855eccdef3320d43440
SHA1

ebc8320a69f14ed66b0cb5ca1adabd2ce224e65f
SHA256

0fcb21ac21f8d2254ada9cae1e29f6f806c7c24d5febb6510787bb6524a40a03
SHA512

1f7cb58500ff2b9226c411199aeeea03b9d7066b752b70defd57ac7e98accf913f30faea883c4f388878e797463a6c7e579133809f38de9ce25174e548c48feb
SSDEEP

3072:wAKEsYqqjfipJWYpWJZfGXFxUYyaJC6sOMD5Qjj9jRMKSlJ8subptbbG+X:DKE+qjfipJWYpWJZfGXFRJJRsOM9+j5L

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2452	tsasys.exe
2840	tsasys.exe
2748	tsasys.exe
1852	tsasys.exe
1540	tsasys.exe
2444	tsasys.exe

Loads dropped DLL 9 IoCs

pid	Process
2528	7f5807833be0e855eccdef3320d43440N.exe
2528	7f5807833be0e855eccdef3320d43440N.exe
2528	7f5807833be0e855eccdef3320d43440N.exe
2528	7f5807833be0e855eccdef3320d43440N.exe
2840	tsasys.exe
2452	tsasys.exe
2452	tsasys.exe
1540	tsasys.exe
1540	tsasys.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	tsasys.exe
File opened (read-only)	\??\w:	tsasys.exe
File opened (read-only)	\??\H:	7f5807833be0e855eccdef3320d43440N.exe
File opened (read-only)	\??\Y:	tsasys.exe
File opened (read-only)	\??\o:	tsasys.exe
File opened (read-only)	\??\x:	tsasys.exe
File opened (read-only)	\??\E:	tsasys.exe
File opened (read-only)	\??\j:	tsasys.exe
File opened (read-only)	\??\X:	tsasys.exe
File opened (read-only)	\??\l:	tsasys.exe
File opened (read-only)	\??\O:	tsasys.exe
File opened (read-only)	\??\U:	tsasys.exe
File opened (read-only)	\??\w:	tsasys.exe
File opened (read-only)	\??\G:	7f5807833be0e855eccdef3320d43440N.exe
File opened (read-only)	\??\S:	tsasys.exe
File opened (read-only)	\??\s:	tsasys.exe
File opened (read-only)	\??\z:	tsasys.exe
File opened (read-only)	\??\O:	tsasys.exe
File opened (read-only)	\??\G:	tsasys.exe
File opened (read-only)	\??\W:	tsasys.exe
File opened (read-only)	\??\I:	tsasys.exe
File opened (read-only)	\??\n:	tsasys.exe
File opened (read-only)	\??\T:	tsasys.exe
File opened (read-only)	\??\Y:	tsasys.exe
File opened (read-only)	\??\r:	tsasys.exe
File opened (read-only)	\??\t:	tsasys.exe
File opened (read-only)	\??\Q:	tsasys.exe
File opened (read-only)	\??\W:	tsasys.exe
File opened (read-only)	\??\L:	tsasys.exe
File opened (read-only)	\??\L:	tsasys.exe
File opened (read-only)	\??\X:	7f5807833be0e855eccdef3320d43440N.exe
File opened (read-only)	\??\I:	tsasys.exe
File opened (read-only)	\??\J:	tsasys.exe
File opened (read-only)	\??\H:	tsasys.exe
File opened (read-only)	\??\g:	tsasys.exe
File opened (read-only)	\??\e:	tsasys.exe
File opened (read-only)	\??\P:	tsasys.exe
File opened (read-only)	\??\u:	tsasys.exe
File opened (read-only)	\??\G:	tsasys.exe
File opened (read-only)	\??\K:	tsasys.exe
File opened (read-only)	\??\U:	tsasys.exe
File opened (read-only)	\??\s:	tsasys.exe
File opened (read-only)	\??\m:	tsasys.exe
File opened (read-only)	\??\r:	tsasys.exe
File opened (read-only)	\??\o:	tsasys.exe
File opened (read-only)	\??\V:	tsasys.exe
File opened (read-only)	\??\T:	tsasys.exe
File opened (read-only)	\??\j:	tsasys.exe
File opened (read-only)	\??\p:	tsasys.exe
File opened (read-only)	\??\x:	tsasys.exe
File opened (read-only)	\??\Z:	tsasys.exe
File opened (read-only)	\??\g:	tsasys.exe
File opened (read-only)	\??\M:	tsasys.exe
File opened (read-only)	\??\I:	tsasys.exe
File opened (read-only)	\??\E:	tsasys.exe
File opened (read-only)	\??\Q:	tsasys.exe
File opened (read-only)	\??\h:	tsasys.exe
File opened (read-only)	\??\t:	tsasys.exe
File opened (read-only)	\??\v:	tsasys.exe
File opened (read-only)	\??\K:	tsasys.exe
File opened (read-only)	\??\E:	tsasys.exe
File opened (read-only)	\??\x:	tsasys.exe
File opened (read-only)	\??\R:	tsasys.exe
File opened (read-only)	\??\b:	tsasys.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	icanhazip.com
10	icanhazip.com

Maps connected drives based on registry 3 TTPs 14 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	tsasys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	tsasys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	tsasys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	7f5807833be0e855eccdef3320d43440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	7f5807833be0e855eccdef3320d43440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	tsasys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	tsasys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	tsasys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	tsasys.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\M1RAR87D.txt	tsasys.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5OV0PHSO.txt	tsasys.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	tsasys.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\M1RAR87D.txt	tsasys.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f5807833be0e855eccdef3320d43440N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsasys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsasys.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000003c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 1045fa495bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000007f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 3074fe235bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 70f36b245bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 70dafb255bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = d0eb2e275bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 3024454b5bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = b0ebaa255bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000002a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 7053cd265bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 5082f5495bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 3024454b5bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 308a24245bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000030000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000003e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 10d191265bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 505b12275bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000055000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000061000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000069000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 5061a6235bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = b0e097255bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 703828235bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 50406d235bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 505b12275bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 9059f0375bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000048000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000057000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 1045fa495bf7da01	tsasys.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	tsasys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionReason = "1"	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000019000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 10d4e6375bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = d0a1fe375bf7da01	tsasys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 30ab5d245bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = 90a320275bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = b0e097255bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000005e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000066000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 10d191265bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000002c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = d0eb2e275bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000032000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = d0a1fe375bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = f04116245bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 1063d3255bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000025000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000085000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = b01a41245bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000001e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = d05c42395bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{08B040C7-7F7E-4545-AD3C-7B30D09B3F89}\WpadDecisionTime = 7035e9375bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000046000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000053000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000010000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-a5-38-a7-d5-fb\WpadDecisionTime = d0a9bc265bf7da01	tsasys.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000047000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	tsasys.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\ = "Application"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\Content-Type = "application/x-msdownload"	tsasys.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell\runas	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\ = "\"%1\" %*"	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv	tsasys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "sppsrv"	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\shell\runas\command	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\ = "sppsrv"	tsasys.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\runas\command	tsasys.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe	tsasys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\ = "Application"	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command\ = "\"C:\\ProgramData\\OEMExt\\tsasys.exe\" /START \"%1\" %*"	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\ = "Application"	tsasys.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\runas\command	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\runas\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell\open\command	tsasys.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\DefaultIcon	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	tsasys.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\open\command	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\ = "Application"	tsasys.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\open\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	tsasys.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\shell\open\command	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\DefaultIcon	tsasys.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\open\command\IsolatedCommand = "\"%1\" %*"	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\OEMExt\\tsasys.exe\" 1 /START \"%1\" %*"	tsasys.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\DefaultIcon\ = "%1"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\runas\command\ = "\"%1\" %*"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	tsasys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\OEMExt\\tsasys.exe\" 1 /START \"%1\" %*"	tsasys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\DefaultIcon\ = "%1"	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\runas\command	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell\open\command	tsasys.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.exe\shell\open	tsasys.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\runas\command\ = "\"%1\" %*"	tsasys.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	7f5807833be0e855eccdef3320d43440N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\runas\command\ = "\"%1\" %*"	tsasys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sppsrv\shell\runas\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\open	tsasys.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	7f5807833be0e855eccdef3320d43440N.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv	tsasys.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\sppsrv\shell\runas\command\IsolatedCommand = "\"%1\" %*"	tsasys.exe
Key created	\REGISTRY\MACHINE\Software\Classes\sppsrv\shell\runas\command	7f5807833be0e855eccdef3320d43440N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1852	tsasys.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2528	7f5807833be0e855eccdef3320d43440N.exe
Token: SeIncBasePriorityPrivilege	2528	7f5807833be0e855eccdef3320d43440N.exe
Token: SeIncBasePriorityPrivilege	2840	tsasys.exe
Token: SeIncBasePriorityPrivilege	2452	tsasys.exe
Token: SeIncBasePriorityPrivilege	1540	tsasys.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1852	tsasys.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2452	2528	7f5807833be0e855eccdef3320d43440N.exe	30
PID 2528 wrote to memory of 2452	2528	7f5807833be0e855eccdef3320d43440N.exe	30
PID 2528 wrote to memory of 2452	2528	7f5807833be0e855eccdef3320d43440N.exe	30
PID 2528 wrote to memory of 2452	2528	7f5807833be0e855eccdef3320d43440N.exe	30
PID 2528 wrote to memory of 2840	2528	7f5807833be0e855eccdef3320d43440N.exe	31
PID 2528 wrote to memory of 2840	2528	7f5807833be0e855eccdef3320d43440N.exe	31
PID 2528 wrote to memory of 2840	2528	7f5807833be0e855eccdef3320d43440N.exe	31
PID 2528 wrote to memory of 2840	2528	7f5807833be0e855eccdef3320d43440N.exe	31
PID 2840 wrote to memory of 2748	2840	tsasys.exe	32
PID 2840 wrote to memory of 2748	2840	tsasys.exe	32
PID 2840 wrote to memory of 2748	2840	tsasys.exe	32
PID 2840 wrote to memory of 2748	2840	tsasys.exe	32
PID 2452 wrote to memory of 1852	2452	tsasys.exe	33
PID 2452 wrote to memory of 1852	2452	tsasys.exe	33
PID 2452 wrote to memory of 1852	2452	tsasys.exe	33
PID 2452 wrote to memory of 1852	2452	tsasys.exe	33
PID 1540 wrote to memory of 2444	1540	tsasys.exe	35
PID 1540 wrote to memory of 2444	1540	tsasys.exe	35
PID 1540 wrote to memory of 2444	1540	tsasys.exe	35
PID 1540 wrote to memory of 2444	1540	tsasys.exe	35

C:\Users\Admin\AppData\Local\Temp\7f5807833be0e855eccdef3320d43440N.exe
"C:\Users\Admin\AppData\Local\Temp\7f5807833be0e855eccdef3320d43440N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\ProgramData\OEMExt\tsasys.exe
  "C:\ProgramData\OEMExt\tsasys.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Roaming\OEMExt\tsasys.exe
    "C:\Users\Admin\AppData\Roaming\OEMExt\tsasys.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1852
- C:\ProgramData\OEMExt\tsasys.exe
  "C:\ProgramData\OEMExt\tsasys.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\ProgramData\OEMExt\tsasys.exe
    "C:\ProgramData\OEMExt\tsasys.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - System Location Discovery: System Language Discovery
    PID:2748

C:\ProgramData\OEMExt\tsasys.exe
C:\ProgramData\OEMExt\tsasys.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\ProgramData\OEMExt0\tsasys.exe
  "C:\ProgramData\OEMExt0\tsasys.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OEMExt0\nak.cat

Filesize
9KB

MD5
21fad4eabfaaa39470b5d4b7e3e86f37

SHA1
d513ad77af23df607f0547db74c39041724e7182

SHA256
065401f30ba2849b7f3e224553cebc97411cde40a9e5c924e8b1b75270488898

SHA512
dc16f58fe3e5325c247e529e9ebc07589ff97461dc6178195b9595264758078afdccfd5fd2cff1f5b67b90ccca1e7c9f5a69e85ee5225258f285fd78293d8e88

Download Submit
C:\ProgramData\OEMExt0\pief.mui

Filesize
8KB

MD5
af9b0b173be96fd32f8ac63055085340

SHA1
b94ebaf3794082515a6e9187259f30da6664a884

SHA256
1c3e08d1e549cbf3743a4199345aa5bd1c5bbdb95483e87287f6e390270c48e4

SHA512
2e15b5e2b10d12446795d0ef0892d4a89ba4052de49d139fa939c83e07de9c8ccdfc74182003379f2367d237de10f46149168d105b0b99c32b78f211d48156a7

Download Submit
C:\ProgramData\OEMExt0\raodobunha\ahowsohau.bin

Filesize
4KB

MD5
d5cba725db06d1333a2854bc0267baa3

SHA1
ad688723a9a5a23a2673a0f38a759ef6b33d444c

SHA256
44c8836b9ba1847522a03a06cc6b3d1a75b4c29a9b5a64701d3b0b0cbe30be80

SHA512
a201199edeb219f39344f477dad9039737f0e8f79f7d47ce6f630bb627c6c2caecec3f834364eb709696016bbde57fc3f4c9123e7e6aa76d9fa08023d721cc2d

Download Submit
C:\ProgramData\OEMExt0\raodobunha\apnubia.cat

Filesize
2KB

MD5
2726645e1ba2d0f051f7765ec13ab63d

SHA1
2e56f43793a0090d7f057111dbc87e020ccea279

SHA256
15bdb3aed4cc20b8743f870db7f5948d220826cb888a311fa0503d6feadf12f4

SHA512
a1e837804d3f9fa918dcd6840b79b703a5bebf4faf7f886161a6d5c2b981afe9b27e9ac304dac195def34f4d3ec74930b04c4f70f517a69c4b93b2d0fe87b4f5

Download Submit
C:\ProgramData\OEMExt0\raodobunha\enni.dat

Filesize
9KB

MD5
365c5d73257fb61e09a9f0807fc08f9c

SHA1
aaf0cfc052d9bb33e20866d00fc58146a7e5f196

SHA256
976bfd0e0f0b3c494f795201ced91fd0be0d22fe4e957ee1824e638b044ce041

SHA512
097a9c7f35b6cd18bf0d49139d82a57da847e6952ba48d4035e97a83ae943f02611bc4bcef7aec0f1c019c03323f92bf2bd955d11cd924ed1bbe0ed864a888b1

Download Submit
C:\ProgramData\OEMExt0\raodobunha\etet.drv

Filesize
4KB

MD5
87c7661506a794a48cc40a9d2b245285

SHA1
bb858482ca69576c6ceaa3cea51f01c5a5a89246

SHA256
c414de31b8067c7b2c3ae53dea6e979cbdbfa1b6017e43ee0e1154b9c8cb4c52

SHA512
b67180cb3b67ad1f18b643da2b321c69e9228049e757c4f8ca142f39935bd84a8e1199c7fc3ebbd1d1c119d671d5930a99a7661e9e82a74f0aee9f5114c612c1

Download Submit
C:\ProgramData\OEMExt0\raodobunha\olitxu.sys

Filesize
1KB

MD5
5905b5c0c8d1c9409db7f8c043a2f71c

SHA1
72197b5cd25ec7bfdbf314fdd546b4388c462d07

SHA256
cb3fafeee5f28b8996961f79112b13bb5114b121e8bb390834cba26e9fd21897

SHA512
6630b2af91de144bd40e3f3ea1893505512cb9ecae73cef4fe0da5e34a273eb6f7fa7cbfdddb5e386ec94a1c80a6ecc6251eb9dfa301743e18dd4c3ca0da83fd

Download Submit
C:\ProgramData\OEMExt0\raodobunha\qoalorhuxu.bin

Filesize
3KB

MD5
b84f5c49477cb517c9f06aa4b5d7f328

SHA1
dbb21430014709fd6d1f69681008a578efcc1975

SHA256
6deb4cb05697a08b9173c32699b6cc49e922ab7f9c79074b357539dc27d127f9

SHA512
324fa4fb0575f793816e088493a8d769d070c4dcb3af5516cba58cd41adf013390e18fc71aea17f1f4e90e108b5d8c390ceab0b8bfb691566c624039d560d67d

Download Submit
C:\ProgramData\OEMExt0\raodobunha\quumavaci.dat

Filesize
6KB

MD5
c2675d67b6f9b53e11371dca5c741b85

SHA1
ae0e107d053846dd444e1b60847c188f6c4b2c3c

SHA256
7fea1c1978e4e5030e51aa6fdbd36571ce2ae0a50febf158549c331ace843670

SHA512
ef8a89c02387a0d62baae89bc060c57f3ed578f6424bddc228abae8141bceb381ee92c83ee66de8c7123f94ea50cde5a9ba61252ea4e691b6b74698ca3301b9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3ZOOFTZF.txt

Filesize
219B

MD5
2b7b0c68954a51abf154677431612646

SHA1
f65113551e56a6812116de6ed4f57d82924ac014

SHA256
4a61a23832c4e9b7e6548e808586c489ea74637b82ca3f75a0c0bd5628571503

SHA512
50210e7b771374840cb370f8d5507b4c7fbf780214d9bb0f20ded3c508420280b5048503a0b33f2680f930dcb42cffa6b6b812aab3b2c9242d9e2329d817908b

Download Submit
C:\Users\Admin\AppData\Roaming\OEMExt\wsxs\diedinpaac.dmp

Filesize
1KB

MD5
05123e89151df03c6e9a6768fb3e9317

SHA1
1d7f17e2cc10569ad74744ea95a0c6f3f6a4f49a

SHA256
3e6deec1efac2d5889d1ece3c50fa6a2ddaa9570302e8906be554553c3578650

SHA512
628372e459215e0a31f83706f4a88b8dd7f0b4d16f52c6a3a506c514a251021f0d5e4e4b723a0713952add6ec83c857ad96521ddffcd2fc2f9a821b91c03a5f5

Download Submit
C:\Users\Admin\AppData\Roaming\OEMExt\wsxs\nutaewuv.dat

Filesize
4KB

MD5
fbc1eb7aeb7c24a6b5bb7b1ce374ca21

SHA1
8c7644e71cc8f0da4834c476574290218b009388

SHA256
df81998f771eb486a1cc556afbd7a949403532bb22ed071ec07dea9b12fd10ec

SHA512
3c599902cfc4be5e90bb5aa77f0c8983d453a94d5b1b0a0ce81d6b4f8db33905d03e451264de240aeca6f9f5f096987b6f6e9af180ebb4d3c82de1bfea3e54fb

Download Submit
\ProgramData\OEMExt\tsasys.exe

Filesize
191KB

MD5
24e53baea119972bc1c1d9405d506f1f

SHA1
65f264c222728cbc12ab0df29bef8753026f8432

SHA256
7f8bc51cc548c6f448a9451c873e687512f1a249ae92a92078adac8350c1be60

SHA512
3f1543f6c1e031bffee32138de352df274a2c9758a4cbcfcea9b16bc8c7c445445496c76185662d32c80052571499aded25be051473f5e2103d264eb657ff79e

Download Submit
\Users\Admin\AppData\Roaming\OEMExt\tsasys.exe

Filesize
191KB

MD5
f4af665de024bd4b8aa517fbb5b89b23

SHA1
62988ec7a726cc2bd5491a15b3e18d5fcc2d353f

SHA256
85f8ce38587513a9eb251da97df09ebe4258829214678bf365b77dd5ae0c1a29

SHA512
663b2c5f6025443539497e969999a14019c9491e80a16f62b709ab43f178af5b47bdb33411375e017da3ab6fd8d56adce161e3854f16b24c6dbc3ae93a2f16d2

Download Submit