quasar | 48cdd34c1d5194805bb63e4d865ff8ce52d2c7a8aa2e0fbb24b8b73c00a28b6b

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

quasar redline miles office04 discovery infostealer pyinstaller spyware trojan upx

Malware Config

Extracted

Family

redline

Botnet

Miles

194.49.94.43:3251

Attributes

auth_value
e9df05a4c476aa612a10a6f3fc79043d

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

137.184.144.245:4782

Mutex

6cfe4a65-c41d-4b02-9ae9-e727a748ae84

Attributes

encryption_key
B702BA239316FCF317B584A351F2EC1696EBE772
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
java updater
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\plswork.exe	family_quasar
behavioral1/memory/1664-445-0x0000000000230000-0x00000000002B4000-memory.dmp	family_quasar
behavioral1/memory/1164-450-0x0000000000910000-0x0000000000994000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\Miles.exe	family_redline
behavioral1/memory/2680-379-0x0000000001260000-0x000000000128E000-memory.dmp	family_redline

Redline family
redline
Downloads MZ/PE file

Executes dropped EXE 14 IoCs

Processes:

script2.exescript2.exeExplorer.EXEMiles.exeplswork.exeClient.exeupdate.exedgfbchgzvb.exestqqpzraba.exeSearchUserHost.exebindsvc.exeupdate.exedata_recovery.exebackdoor.exe

pid	process
936	script2.exe
2224	script2.exe
1284	Explorer.EXE
2680	Miles.exe
1664	plswork.exe
1164	Client.exe
676	update.exe
1920	dgfbchgzvb.exe
548	stqqpzraba.exe
2056	SearchUserHost.exe
2244	bindsvc.exe
1064	update.exe
4208	data_recovery.exe
872	backdoor.exe

Loads dropped DLL 34 IoCs

Processes:

4363463463464363463463463.exescript2.exescript2.exeExplorer.EXEWerFault.exeupdate.exeSearchIndexer.exeSearchUserHost.exeSearchProtocolHost.exestqqpzraba.exedgfbchgzvb.exe

pid	process
1680	4363463463464363463463463.exe
936	script2.exe
2224	script2.exe
2224	script2.exe
2224	script2.exe
2224	script2.exe
2224	script2.exe
2224	script2.exe
2224	script2.exe
1284	Explorer.EXE
1680	4363463463464363463463463.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
1680	4363463463464363463463463.exe
1680	4363463463464363463463463.exe
676	update.exe
676	update.exe
676	update.exe
676	update.exe
2352	SearchIndexer.exe
2352	SearchIndexer.exe
2352	SearchIndexer.exe
2056	SearchUserHost.exe
1284	Explorer.EXE
2936	SearchProtocolHost.exe
548	stqqpzraba.exe
548	stqqpzraba.exe
1920	dgfbchgzvb.exe
1680	4363463463464363463463463.exe
1680	4363463463464363463463463.exe
1680	4363463463464363463463463.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

Processes:

flow	ioc
292	raw.githubusercontent.com
10	bitbucket.org
11	bitbucket.org
19	raw.githubusercontent.com
20	raw.githubusercontent.com
146	bitbucket.org
291	raw.githubusercontent.com

Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

cmd.exeARP.EXE

pid process

2612 cmd.exe
1368 ARP.EXE
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

pid	process
2612	cmd.exe
1368	ARP.EXE

Drops file in System32 directory 13 IoCs

Processes:

plswork.exestqqpzraba.exeSearchIndexer.exeSearchProtocolHost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SubDir\Client.exe	plswork.exe
File created	C:\Windows\system32\msfte.dll	stqqpzraba.exe
File created	C:\Windows\System32\bindsvc.exe	stqqpzraba.exe
File created	C:\Windows\system32\SearchUserHost.exe	SearchIndexer.exe
File opened for modification	C:\Windows\system32\SearchUserHost.exe	SearchIndexer.exe
File created	C:\Windows\system32\SubDir\Client.exe	plswork.exe
File created	C:\Windows\SysWOW64\wideshut.exe	stqqpzraba.exe
File opened for modification	C:\Windows\SysWOW64\wideshut.exe	stqqpzraba.exe
File created	C:\Windows\SysWOW64\wimsvc.exe	stqqpzraba.exe
File created	C:\Windows\SysWOW64\racfg.exe	stqqpzraba.exe
File created	C:\Windows\SysWOW64\bindsvc.exe	stqqpzraba.exe
File created	C:\Windows\system32\oci.dll	stqqpzraba.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SearchProtocolHost.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2076 tasklist.exe
2408 tasklist.exe

pid	process
2076	tasklist.exe
2408	tasklist.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\stqqpzraba.exe	upx
behavioral1/memory/676-478-0x0000000003650000-0x00000000037CA000-memory.dmp	upx
behavioral1/memory/548-480-0x0000000000AC0000-0x0000000000C3A000-memory.dmp	upx
behavioral1/memory/548-750-0x0000000000AC0000-0x0000000000C3A000-memory.dmp	upx
behavioral1/memory/1064-777-0x0000000000A70000-0x0000000000A7A000-memory.dmp	upx

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1728 sc.exe
3064 sc.exe

pid	process
1728	sc.exe
3064	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\script2.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3056 2680 WerFault.exe Miles.exe

pid	pid_target	process	target process
3056	2680	WerFault.exe	Miles.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

update.exestqqpzraba.exedgfbchgzvb.exeupdate.exedata_recovery.exe4363463463464363463463463.exeMiles.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stqqpzraba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgfbchgzvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data_recovery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miles.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEcmd.exe

pid process

776 PING.EXE
932 cmd.exe
System Network Connections Discovery 1 TTPs 2 IoCs
Attempt to get a listing of network connections.
discovery

System Network Connections Discovery
T1049

Processes:

NETSTAT.EXEcmd.exe

pid process

1968 NETSTAT.EXE
576 cmd.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

1968 NETSTAT.EXE
2684 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2796 systeminfo.exe

pid	process
776	PING.EXE
932	cmd.exe

pid	process
1968	NETSTAT.EXE
576	cmd.exe

pid	process
1968	NETSTAT.EXE
2684	ipconfig.exe

pid	process
2796	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MCTRes.dll,-200017 = "GobiernoUSA.gov"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-107 = "Lighthouse"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-104 = "Jellyfish"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileGrowthBudgetMs = "45000"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\OobeFldr.dll,-33056 = "Getting Started"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10055 = "FreeCell"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\miguiresource.dll,-201 = "Task Scheduler"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10061 = "Spider Solitaire"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\comres.dll,-3411 = "Manage COM+ applications, COM and DCOM system configuration, and the Distributed Transaction Coordinator."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\msconfig.exe,-126 = "System Configuration"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\pmcsnap.dll,-710 = "Manages local printers and remote print servers."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10307 = "Purble Place is an educational and entertaining game that comprises three distinct games that help teach colors, shapes and pattern recognition."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10308 = "Mahjong Titans is a form of solitaire played with tiles instead of cards. Match pairs of tiles until all have been removed from the board in this classic game."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\filemgmt.dll,-2204 = "Services"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090df4c036c29db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\migwiz\wet.dll,-591 = "Windows Easy Transfer Reports"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-118 = "Sleep Away"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10058 = "Purble Place"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\FXSRESM.dll,-115 = "Send and receive faxes or scan pictures and documents."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wdc.dll,-10030 = "Resource Monitor"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mblctr.exe,-1008 = "Windows Mobility Center"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CacheShortPageCount = "64"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@searchfolder.dll,-32822 = "Everywhere"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%ProgramFiles%\Windows Journal\Journal.exe,-3075 = "Create notes in your own handwriting. You can leave your notes in ink and search your handwriting or convert your notes to typed text."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f01982066c29db01	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecCount = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%windir%\system32\MdSched.exe,-4002 = "Check your computer for memory problems."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\comres.dll,-3410 = "Component Services"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\CommitMaxCheckPointPageCount = "7"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\MdSched.exe,-4001 = "Windows Memory Diagnostic"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\FileInlineGrowthQuantumSeconds = "30"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SampleRes.dll,-142 = "Wildlife"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\mstsc.exe,-4000 = "Remote Desktop Connection"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10060 = "Solitaire"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE\SAL\NvpRecWaitForCounts = "32"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Program Files\Windows Journal\Journal.exe,-3074 = "Windows Journal"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10103 = "Internet Spades"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\dfrgui.exe,-172 = "Defragments your disks so that your computer runs faster and more efficiently."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\gameux.dll,-10102 = "Internet Backgammon"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0be1b066c29db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\sud.dll,-1 = "Default Programs"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\SnippingTool.exe,-15051 = "Snipping Tool"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Filemgmt.dll,-602 = "Starts, stops, and configures Windows services."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\gameux.dll,-10310 = "The aim of the game in Spider Solitaire is to remove cards from play in the fewest moves possible. Line up runs of cards from king through ace, in the same suit, to remove them."	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\wucltux.dll,-1 = "Windows Update"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\Msinfo32.exe,-130 = "Display detailed information about your computer."	SearchProtocolHost.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4363463463464363463463463.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

776 PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2280 schtasks.exe
2492 schtasks.exe

pid	process
776	PING.EXE

pid	process
2280	schtasks.exe
2492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

SearchIndexer.exeSearchUserHost.exetasklist.exestqqpzraba.exeupdate.exe

pid	process
2352	SearchIndexer.exe
2352	SearchIndexer.exe
2056	SearchUserHost.exe
2076	tasklist.exe
2076	tasklist.exe
548	stqqpzraba.exe
1064	update.exe
1064	update.exe
1064	update.exe
1064	update.exe
1064	update.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

4363463463464363463463463.exeplswork.exeClient.exeSearchIndexer.exetasklist.exeNETSTAT.EXEupdate.exetasklist.exeExplorer.EXESearchUserHost.exe

description	pid	process
Token: SeDebugPrivilege	1680	4363463463464363463463463.exe
Token: SeDebugPrivilege	1664	plswork.exe
Token: SeDebugPrivilege	1164	Client.exe
Token: SeManageVolumePrivilege	2352	SearchIndexer.exe
Token: 33	2352	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2352	SearchIndexer.exe
Token: SeDebugPrivilege	2076	tasklist.exe
Token: SeDebugPrivilege	1968	NETSTAT.EXE
Token: SeDebugPrivilege	1064	update.exe
Token: SeDebugPrivilege	2408	tasklist.exe
Token: SeShutdownPrivilege	1284	Explorer.EXE
Token: SeDebugPrivilege	2056	SearchUserHost.exe
Token: SeDebugPrivilege	2056	SearchUserHost.exe
Token: SeDebugPrivilege	2056	SearchUserHost.exe
Token: SeDebugPrivilege	2056	SearchUserHost.exe
Token: SeDebugPrivilege	2056	SearchUserHost.exe
Token: SeDebugPrivilege	2056	SearchUserHost.exe
Token: SeDebugPrivilege	2056	SearchUserHost.exe
Token: SeShutdownPrivilege	1284	Explorer.EXE
Token: SeShutdownPrivilege	1284	Explorer.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Client.exeExplorer.EXE

pid process

1164 Client.exe
1284 Explorer.EXE
1284 Explorer.EXE
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Client.exe

pid process

1164 Client.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Client.exeSearchProtocolHost.exeSearchUserHost.exe

pid	process
1164	Client.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2936	SearchProtocolHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe
2056	SearchUserHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exescript2.exeMiles.exeplswork.exeClient.exeupdate.exeSearchIndexer.exeSearchUserHost.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1680 wrote to memory of 936	1680	4363463463464363463463463.exe	script2.exe
PID 1680 wrote to memory of 936	1680	4363463463464363463463463.exe	script2.exe
PID 1680 wrote to memory of 936	1680	4363463463464363463463463.exe	script2.exe
PID 1680 wrote to memory of 936	1680	4363463463464363463463463.exe	script2.exe
PID 936 wrote to memory of 2224	936	script2.exe	script2.exe
PID 936 wrote to memory of 2224	936	script2.exe	script2.exe
PID 936 wrote to memory of 2224	936	script2.exe	script2.exe
PID 1680 wrote to memory of 2680	1680	4363463463464363463463463.exe	Miles.exe
PID 1680 wrote to memory of 2680	1680	4363463463464363463463463.exe	Miles.exe
PID 1680 wrote to memory of 2680	1680	4363463463464363463463463.exe	Miles.exe
PID 1680 wrote to memory of 2680	1680	4363463463464363463463463.exe	Miles.exe
PID 2680 wrote to memory of 3056	2680	Miles.exe	WerFault.exe
PID 2680 wrote to memory of 3056	2680	Miles.exe	WerFault.exe
PID 2680 wrote to memory of 3056	2680	Miles.exe	WerFault.exe
PID 2680 wrote to memory of 3056	2680	Miles.exe	WerFault.exe
PID 1680 wrote to memory of 1664	1680	4363463463464363463463463.exe	plswork.exe
PID 1680 wrote to memory of 1664	1680	4363463463464363463463463.exe	plswork.exe
PID 1680 wrote to memory of 1664	1680	4363463463464363463463463.exe	plswork.exe
PID 1680 wrote to memory of 1664	1680	4363463463464363463463463.exe	plswork.exe
PID 1664 wrote to memory of 2280	1664	plswork.exe	schtasks.exe
PID 1664 wrote to memory of 2280	1664	plswork.exe	schtasks.exe
PID 1664 wrote to memory of 2280	1664	plswork.exe	schtasks.exe
PID 1664 wrote to memory of 1164	1664	plswork.exe	Client.exe
PID 1664 wrote to memory of 1164	1664	plswork.exe	Client.exe
PID 1664 wrote to memory of 1164	1664	plswork.exe	Client.exe
PID 1164 wrote to memory of 2492	1164	Client.exe	schtasks.exe
PID 1164 wrote to memory of 2492	1164	Client.exe	schtasks.exe
PID 1164 wrote to memory of 2492	1164	Client.exe	schtasks.exe
PID 1680 wrote to memory of 676	1680	4363463463464363463463463.exe	update.exe
PID 1680 wrote to memory of 676	1680	4363463463464363463463463.exe	update.exe
PID 1680 wrote to memory of 676	1680	4363463463464363463463463.exe	update.exe
PID 1680 wrote to memory of 676	1680	4363463463464363463463463.exe	update.exe
PID 1680 wrote to memory of 676	1680	4363463463464363463463463.exe	update.exe
PID 1680 wrote to memory of 676	1680	4363463463464363463463463.exe	update.exe
PID 1680 wrote to memory of 676	1680	4363463463464363463463463.exe	update.exe
PID 676 wrote to memory of 1920	676	update.exe	dgfbchgzvb.exe
PID 676 wrote to memory of 1920	676	update.exe	dgfbchgzvb.exe
PID 676 wrote to memory of 1920	676	update.exe	dgfbchgzvb.exe
PID 676 wrote to memory of 1920	676	update.exe	dgfbchgzvb.exe
PID 676 wrote to memory of 548	676	update.exe	stqqpzraba.exe
PID 676 wrote to memory of 548	676	update.exe	stqqpzraba.exe
PID 676 wrote to memory of 548	676	update.exe	stqqpzraba.exe
PID 676 wrote to memory of 548	676	update.exe	stqqpzraba.exe
PID 2352 wrote to memory of 2056	2352	SearchIndexer.exe	SearchUserHost.exe
PID 2352 wrote to memory of 2056	2352	SearchIndexer.exe	SearchUserHost.exe
PID 2352 wrote to memory of 2056	2352	SearchIndexer.exe	SearchUserHost.exe
PID 2056 wrote to memory of 1284	2056	SearchUserHost.exe	Explorer.EXE
PID 2352 wrote to memory of 2936	2352	SearchIndexer.exe	SearchProtocolHost.exe
PID 2352 wrote to memory of 2936	2352	SearchIndexer.exe	SearchProtocolHost.exe
PID 2352 wrote to memory of 2936	2352	SearchIndexer.exe	SearchProtocolHost.exe
PID 2352 wrote to memory of 2844	2352	SearchIndexer.exe	SearchFilterHost.exe
PID 2352 wrote to memory of 2844	2352	SearchIndexer.exe	SearchFilterHost.exe
PID 2352 wrote to memory of 2844	2352	SearchIndexer.exe	SearchFilterHost.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 1712	1284	Explorer.EXE	wscript.exe
PID 2056 wrote to memory of 2044	2056	SearchUserHost.exe	cmd.exe
PID 2056 wrote to memory of 2044	2056	SearchUserHost.exe	cmd.exe
PID 2056 wrote to memory of 2044	2056	SearchUserHost.exe	cmd.exe
PID 2044 wrote to memory of 2796	2044	cmd.exe	systeminfo.exe
PID 2044 wrote to memory of 2796	2044	cmd.exe	systeminfo.exe
PID 2044 wrote to memory of 2796	2044	cmd.exe	systeminfo.exe
PID 1284 wrote to memory of 2112	1284	Explorer.EXE	wscript.exe
PID 1284 wrote to memory of 2112	1284	Explorer.EXE	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe
1⤵
PID:256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\Files\script2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\script2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\Files\script2.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\script2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2224
- - C:\Users\Admin\AppData\Local\Temp\Files\Miles.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Miles.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 516
      4⤵
      Loads dropped DLL
      Program crash
      PID:3056
- - C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\plswork.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2280
  - - C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
- - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:676
  - - C:\Users\Admin\AppData\Local\Temp\dgfbchgzvb.exe
      "C:\Users\Admin\AppData\Local\Temp\dgfbchgzvb.exe" "C:\Users\Admin\AppData\Local\Temp\xrtjrobrcf.exe" "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\stqqpzraba.exe
      C:\Users\Admin\AppData\Local\Temp\stqqpzraba.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:548
    - - C:\Windows\System32\cmd.exe
        
        /c sc config msdtc obj= LocalSystem
        5⤵
        
        PID:1068
      - C:\Windows\system32\sc.exe
        
        sc config msdtc obj= LocalSystem
        6⤵
        Launches sc.exe
        
        PID:1728
    - - C:\Windows\system32\cmd.exe
        
        cmd /c "C:\Users\Admin\AppData\Local\Temp\WDItO7U9.bat"
        5⤵
        
        PID:1836
    - - C:\Windows\System32\bindsvc.exe
        
        "C:\Windows\System32\bindsvc.exe"
        5⤵
        Executes dropped EXE
        
        PID:2244
- - C:\Users\Admin\AppData\Local\Temp\Files\data_recovery.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\data_recovery.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4208
- - C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe"
    3⤵
    - Executes dropped EXE
    PID:872
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
  2⤵
  PID:1712
- C:\Windows\System32\wscript.exe
  C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs C:\Users\Admin\AppData\Roaming\Microsoft\Word
  2⤵
  PID:2112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\system32\SearchUserHost.exe
  C:\Windows\system32\SearchUserHost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\cmd.exe
    /c systeminfo
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2796
- - C:\Windows\system32\cmd.exe
    /c "tasklist /v"
    3⤵
    PID:2568
  - - C:\Windows\system32\tasklist.exe
      tasklist /v
      4⤵
      Enumerates processes with tasklist
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2076
- - C:\Windows\system32\cmd.exe
    /c "netstat -ano"
    3⤵
    - System Network Connections Discovery
    PID:576
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      Suspicious use of AdjustPrivilegeToken
      PID:1968
- - C:\Windows\system32\cmd.exe
    /c "ipconfig /all"
    3⤵
    PID:2668
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2684
- - C:\Windows\system32\cmd.exe
    /c "route print"
    3⤵
    PID:2100
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2948
- - C:\Windows\system32\cmd.exe
    /c "arp -a"
    3⤵
    - Network Service Discovery
    PID:2612
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1368
- - C:\Windows\system32\cmd.exe
    /c "tasklist /m msfte.dll"
    3⤵
    PID:2792
  - - C:\Windows\system32\tasklist.exe
      tasklist /m msfte.dll
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\system32\cmd.exe
    /c "net share"
    3⤵
    PID:2192
  - - C:\Windows\system32\net.exe
      net share
      4⤵
      PID:3036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 share
        5⤵
        
        PID:2704
- - C:\Windows\system32\cmd.exe
    /c "ping server"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:932
  - - C:\Windows\system32\PING.EXE
      ping server
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:776
- - C:\Windows\system32\cmd.exe
    /c "sc query hfile.sys"
    3⤵
    PID:2728
  - - C:\Windows\system32\sc.exe
      sc query hfile.sys
      4⤵
      Launches sc.exe
      PID:3064
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2936
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 544 548 556 65536 552
  2⤵
  - Modifies data under HKEY_USERS
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Network Connections Discovery

T1049

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
a966de0604a7629db060cb5c0f8810c4

SHA1
10c6832e2b1f3d1c4b04e61d76daaf79dd2422ce

SHA256
1a39ff3da1df5c90c9b2f9a96318f4db749eff0bfb53d49612e49da4f2678059

SHA512
c7d6ef34acf66b6c54f8b1db25e269cd780f4d40200203efde4488db62f40cf860f4f4dfb7c9a1b8015ee107768bd8ef35754b006757119e3281db7b8591b316

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSStmp.log

Filesize
1024KB

MD5
8234c981980f2f91abc9a47233b7d5ec

SHA1
b42ce89001ac7917ab066b7352c357cfb919bdf3

SHA256
81958dde7eae199f9f2f0cff69561a9ba2bd7b08514acf811665663ea03c7f04

SHA512
7e94d14c451d41f63d4ca19714f6bddedf2458930ac31fea4fb7384f424fba84424f48c76e9edc2db78c0d76d688d71ff419145a5b48b86b8ad6c812e3bcd993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9651fbfca1f533d28a6332344cf85670

SHA1
2ad5c69ef03a109d7d9064bc93fcad6346a617eb

SHA256
c38f0300e6a10d7eb9aceaa9ed46cdd7691b31cf0bf2a00792624835c7bbd496

SHA512
f818957d197ad44175c62488d1d4faf178e299ed6b3ba7c857097668f10674409461225e9dadb7ccee0b7e0e545dfc234a4bda189e31572b96ce39bc61163068

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a310499607779de443dcaefd9dfb410a

SHA1
f3d1a781b3ee47f117e980c2926767ddb99c996a

SHA256
5ac5a23f894f638557fcfd9de7251855a50f03a831e6c3a743420fb86548531f

SHA512
6fa6e50461ab220ec71988710e4aaeb912fe9d73fe8280b0f22e9b4363e7ad29bf722f3f4aaee173da49699eddddc90cfb1de7d8011f9092b96a1b26703fcf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD78C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\backdoor.exe

Filesize
68KB

MD5
698f5896ec35c84909344dc08b7cae67

SHA1
4c3eb447125f74f2eef63e14a5d97a823fa8d4e9

SHA256
9cc2e2d5feeb360b2ea9a650809468f08e13c0e997ebadf5baa69ae3c27a958e

SHA512
2230abef3f2ac7fff21f2af8a1df79a0ab3f7b1153ce696745ff5cef7f677bfe562dc820eb36be8e4819210ffa565d52e3b940f0cad5427d30a3aa05a4bcde2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JOINDI~1.ZIP

Filesize
13KB

MD5
a99bf4536e2442bf21242d6742da4178

SHA1
5ce0a39762b37518a99b1d127a8b013c8e05b3ab

SHA256
5c2476fc4e975c4f68d78373b2f93f381150eaca389bde895119161c9f86e77b

SHA512
20c1351ac8ae8866f44574804d41890384f530e124e6ec22f81cbaa59f006c4d30277d144df5504176226958694d12b603515ea7b0910ea704616724fff9d938

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7AE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WDItO7U9.bat

Filesize
196B

MD5
992a20093112df3f3e6010c64455af64

SHA1
7073facca99a30dc192731d0d42211ce52dda948

SHA256
9be9647b951c3ba858c7f11d4e3d2b5cbe38f94b4708f8d84346118106e0baff

SHA512
d706799e7fe5839fcf0cd285ed2d5ef120357ca4131636da12c810c3a98d01923e9dd710e04d3aca6b05d01639dfa9db30e798e09d1ed1d727f2fac5c0e4b4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgfbchgzvb.exe

Filesize
51KB

MD5
e48b89715bf5e4c55eb5a1fed67865d9

SHA1
89a287da39e14b02cdc284eb287549462346d724

SHA256
c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e

SHA512
4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrtjrobrcf.exe

Filesize
7.1MB

MD5
b83f61aa51a36f48610bfcda20dd82fd

SHA1
a069a376489bc55649ba1ef8f0d8799d75288002

SHA256
9bfe94178387ca65b1a5a65701a5b4a2edb109248bf3030cb3f75c6512e21f18

SHA512
8dbe667f5c71fa055f48bcf395487ac94c4b276bc6af081969b7a977e79e0b975c0a294ea23746259ddcb8af58dd29bb61b93ae47d7918da2fad03aac7913227

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
870B

MD5
7add4a4c93101b30ece6b12152a6c240

SHA1
c1beb4bce2b682eec40396e499bd5ca8d1f35295

SHA256
98d6e4f849e06896ad1e11a0a9adeeefa1d20f4f8d652847447d9b2eab5682a8

SHA512
c9755c8285049385b6747e7701a00069d842481222760771c29851007d2298bb7c8f6551aca191977b895cf0f5b61142bad80dea73ab565628f28c748e6fb106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb

Filesize
4KB

MD5
0aa41d1b32068c315280073ea8f83093

SHA1
451410e0f63b78f4d3f1ed26fd4ab8407ed97f08

SHA256
703d95ef925d0a7860947c8394cd14d88f8037e1a374a824f73b83c9c2aa3d8f

SHA512
c79c4d9a5579fe21b77a07b610399c456eabd399f7a03f467ba79ce115fda4d5e694ef7ea3247ed64d744bc9d01fc839b1491816e484fecd247cabccb1d53504

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb

Filesize
1KB

MD5
6084cf6d673cf675b6298e6b3b16433a

SHA1
d27add32e3f5ccc9e478dc210af997097430cef6

SHA256
27165dd7dfa651b2b8af7c5499aedfd37a6d62611bb0746f7e049c3029b2d187

SHA512
d5ad3fa3a42fb944d1bc1c34d1857a15f8cb17ca76a9e5086157ead54d149b371cca8e955dae41f7682e0d0fb9a173e261910759a2d09ca00a58beea39fbfe24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\EnterSwitch.docx

Filesize
17KB

MD5
d249613b3ab8d8050efe8e4c6b1d7e28

SHA1
7124c831b78fc9cc5184cf1ada471cd64a271342

SHA256
098438ec94329da311f3b883b766c45e25d0bbff4a19e2e405c94985091e4f40

SHA512
ec0e6eabbaf76ef2f9690ea033c627528bdae820c1be2149c1c0d34a10d31e6f1ab6ee71c8c0b1c1d80a8a3c2e877092bde45616cf6c8b86c8ae31b90918c2a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\EnterSwitch.txt

Filesize
6KB

MD5
3333958d7ebfc3507ddb812aac34e2e9

SHA1
aebd3421d17e70111a5fd27f96fb650ea886b334

SHA256
37d1e8d61b4bc11002e42375c18691d3b054423daeebe5f5c456c171faf672dc

SHA512
a2effadbd9dfe255d45161991f6afa8cc7c8f23458c4af3815ab9472466b029bf1f9cd0c8e458ef5787b36bfdc566cb02ce3538b0ebcbcf60d3e747b6377229d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\JoinDisable.txt

Filesize
1KB

MD5
f728a50436133c34dcf86c5a17fc5520

SHA1
604f6edc4bfe85c8fd4a4bfb621920afbe2b185b

SHA256
da487688fda862e49c7aaeb8da8e1e28ff7343d9849fa690dba3c9aff848cdbe

SHA512
21b30bd7a8922833c683c110d230e92f1692b7dd71896471fecb9d49dd262854bd085695c7bc0ed3985efb00130857c59748af12a115ba149c046000015a0b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Word\winword.vbs

Filesize
1KB

MD5
3439318cedcf37c1bf5fe6d49ddbb2cb

SHA1
e075965bb3b38abdd80668fb6101a0d10b30f080

SHA256
6484a02c2db6c9afb5659ede4047cad10b7102c2bbc4c94bf8482f88d8fd83a8

SHA512
3dffcf24b052a7fffd50ab6c76d081b1c47ba64c20f21650e4bdcf19106518e8b342691711230ba9eea5489994b8ccec8ad11f54b1509b1cd518616254176b61

Download Submit
C:\Windows\System32\SearchUserHost.exe

Filesize
244KB

MD5
42ec9065d9bf266ade924b066c783a56

SHA1
a8dcf7d63a8bb5abef8787775957a5bb6c0f3f77

SHA256
4ac002e90a52cb0998da78f2995294ee77b89fb2be709b0e3c8e1627212bccdc

SHA512
e49af43aef3f02397098821b81e034ee1f07f8c2f49a9a1768d1522bbc009103a2c88f436f488333f57c7d56b34acbee84588040f56382cc75eaddbb9db19980

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Miles.exe

Filesize
168KB

MD5
1a736481ee80955422945de5dd8589dd

SHA1
dca7760022f8d223e44995f69bd0523a2ca0691e

SHA256
6e60f56a54f6a1c48e727cd8e08c119e37f8b24470a1d27da5b352060006e62b

SHA512
5b92ae8359780eb712a6191ea8c2bd420afc51cac5dcf4128a26e29f42d32c7a70023bafb12d24ae23b20828e60e0924bbdb05555b50e4db313146f9971b1990

Download Submit
\Users\Admin\AppData\Local\Temp\Files\plswork.exe

Filesize
502KB

MD5
71685fb1a3701f1e27e48ba3e3ce9530

SHA1
f460a9ecc7e35b4691532bc6c647dbe3973a51ca

SHA256
6600b4938a679ecd93d6149fb3f8fe74c8b347106de55a4853a76ae7a204950e

SHA512
3a7505c3faacf6f3e113570545767757d2db5aa342023a4eea27e49e4d632a0064a957c6b07f950e727dd71b8262b768626521cf1d1fbb195fd36d7db7bf5c5a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\script2.exe

Filesize
9.8MB

MD5
a302d6dc5b77cb66fc8f4f91164c9c02

SHA1
052449b1f5843c10755e36675c2cf74aece15629

SHA256
5221e8121172d9926be049824080b257148fd952494065aa51aa8f376e2506dd

SHA512
d5183369f645a9aa547a486901a025b9230622a5b75596ffe47ea42a5e20ccb080e3cf067666454c9c4ff7034b796e9e3cf89f6e7375f001d3499db004786740

Download Submit
\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
7.8MB

MD5
2f7548098416cbe47d675b1d61b6c334

SHA1
f5a20d7e5b04aaf27fac94c27ebae6bf30d03b07

SHA256
c6b56d104ad74e587a58acc64b68b603d1786d07c3054d82ca29d6820f215f16

SHA512
9098091b972788da8527762a9794509a9413928ff0411c8f67e3e168efb1028ac13d25e5aa61f75ec5513581b6322de8a7217aa5094d8ae9d5aaf387309aa8a8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI9362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\stqqpzraba.exe

Filesize
580KB

MD5
2c2029588ad8b86759c17b7ae885ee03

SHA1
91653b5344d4c210201218e2f215dd5228d76799

SHA256
3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290

SHA512
88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Download Submit
\Windows\System32\bindsvc.exe

Filesize
291KB

MD5
7c5b397fb54d5aa06bd2a6fb99c62fee

SHA1
a9e0bf7bbabf6ab9e294156985537ae972ebd743

SHA256
d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee

SHA512
daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

Download Submit
\Windows\System32\msfte.dll

Filesize
217KB

MD5
d7ddfd90c55ad42200b2a7e51110ad87

SHA1
0c9429f0b51a73423de4cb0ecf10fd3b3bacd84d

SHA256
4fdc7aacb3981434e797106944f27a507201d11cdf194b3fab79747ce98f2446

SHA512
8ba6cd56ce6aeae9481154e93b75d8712e854a19c60f6279abf721c2550a09d9f22cb410a5cc3062d59f17cde35e728d250129abe60f29321a16df7d2fb9c179

Download Submit
memory/548-750-0x0000000000AC0000-0x0000000000C3A000-memory.dmp

Filesize
1.5MB

Download
memory/548-480-0x0000000000AC0000-0x0000000000C3A000-memory.dmp

Filesize
1.5MB

Download
memory/676-478-0x0000000003650000-0x00000000037CA000-memory.dmp

Filesize
1.5MB

Download
memory/676-779-0x0000000003650000-0x00000000037CA000-memory.dmp

Filesize
1.5MB

Download
memory/1064-773-0x00000000000D0000-0x00000000007E6000-memory.dmp

Filesize
7.1MB

Download
memory/1064-893-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1064-882-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1064-777-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1064-778-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Filesize
40KB

Download
memory/1164-450-0x0000000000910000-0x0000000000994000-memory.dmp

Filesize
528KB

Download
memory/1284-496-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1664-445-0x0000000000230000-0x00000000002B4000-memory.dmp

Filesize
528KB

Download
memory/1680-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/1680-2-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/1680-114-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

Filesize
4KB

Download
memory/1680-216-0x0000000074DE0000-0x00000000754CE000-memory.dmp

Filesize
6.9MB

Download
memory/2352-726-0x0000000003330000-0x0000000003338000-memory.dmp

Filesize
32KB

Download
memory/2352-849-0x0000000005740000-0x0000000005748000-memory.dmp

Filesize
32KB

Download
memory/2352-547-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/2352-516-0x0000000001EF0000-0x0000000001F00000-memory.dmp

Filesize
64KB

Download
memory/2352-805-0x0000000003F10000-0x0000000003F18000-memory.dmp

Filesize
32KB

Download
memory/2352-831-0x0000000005720000-0x0000000005728000-memory.dmp

Filesize
32KB

Download
memory/2352-832-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/2352-500-0x0000000001DF0000-0x0000000001E00000-memory.dmp

Filesize
64KB

Download
memory/2352-846-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/2352-553-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/2352-564-0x0000000001420000-0x0000000001428000-memory.dmp

Filesize
32KB

Download
memory/2352-555-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/2352-938-0x0000000004AE0000-0x0000000004AE8000-memory.dmp

Filesize
32KB

Download
memory/2352-939-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/2352-546-0x0000000001410000-0x0000000001418000-memory.dmp

Filesize
32KB

Download
memory/2352-966-0x0000000004AF0000-0x0000000004AF8000-memory.dmp

Filesize
32KB

Download
memory/2352-1244-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/2680-379-0x0000000001260000-0x000000000128E000-memory.dmp

Filesize
184KB

Download