deerstealer | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28/10/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe(2).exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

deerstealer phorphiex quasar xmrig office04 discovery evasion execution loader miner persistence spyware stealer trojan upx worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

http://77.91.77.92/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.100.18:4782

Mutex

2cbe985c-9a4f-4f1f-a761-cd05d5feff4b

Attributes

encryption_key
9493303F9F1D303190787B3D987F2DCB2BAF3CFD
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

phorphiex

http://185.215.113.66

185.215.113.66

Attributes

mutex
69767

Signatures

DeerStealer 4 IoCs

Detects DeerStealer malware - JaffaCakes118.

stealer

resource	yara_rule
behavioral1/files/0x001e00000001a480-924.dat	DeerStealer
behavioral1/memory/2660-925-0x000000013F9E0000-0x000000013FCE3000-memory.dmp	DeerStealer
behavioral1/memory/2660-973-0x000000013F9E0000-0x000000013FCE3000-memory.dmp	DeerStealer
behavioral1/memory/2660-978-0x000000013F9E0000-0x000000013FCE3000-memory.dmp	DeerStealer

Deerstealer family
deerstealer

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000195bb-239.dat	family_phorphiex
behavioral1/files/0x000a0000000195c6-382.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012726-452.dat	family_quasar
behavioral1/memory/2720-462-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar
behavioral1/memory/916-677-0x0000000000EF0000-0x0000000001214000-memory.dmp	family_quasar

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2484 created 1188	2484	3645438493.exe	20
PID 2484 created 1188	2484	3645438493.exe	20

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1964-339-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1964-342-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1964-340-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1964-343-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1964-345-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1964-346-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1964-344-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1964-377-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1964-376-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1692	powershell.exe
2136	powershell.exe
2204	powershell.exe
2120	powershell.exe
3068	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	NewApp.exe
File created	C:\Windows\system32\drivers\etc\hosts	Updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 33 IoCs

pid	Process
2256	NewApp.exe
1532	china.exe
932	pi.exe
328	sysppvrdnvs.exe
464	Process not Found
1920	Updater.exe
2228	11.exe
1036	sysarddrvs.exe
2720	client.exe
2184	aaa.exe
916	Client.exe
2520	peinf.exe
2660	23c2343.exe
2672	conhost.exe
2976	7z.exe
2216	7z.exe
1056	7z.exe
2156	7z.exe
1680	7z.exe
1728	7z.exe
2244	7z.exe
1704	7z.exe
2376	7z.exe
2196	7z.exe
2484	7z.exe
2164	7z.exe
1536	Installer.exe
2804	2432725289.exe
2932	300217483.exe
1848	280379422.exe
2308	99323808.exe
2484	3645438493.exe
3064	winupsecvmgr.exe

Loads dropped DLL 44 IoCs

pid	Process
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
1532	china.exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
2328	4363463463464363463463463.exe(2).exe
1756	cmd.exe
2976	7z.exe
1756	cmd.exe
2216	7z.exe
1756	cmd.exe
1056	7z.exe
1756	cmd.exe
2156	7z.exe
1756	cmd.exe
1680	7z.exe
1756	cmd.exe
1728	7z.exe
1756	cmd.exe
2244	7z.exe
1756	cmd.exe
1704	7z.exe
1756	cmd.exe
2376	7z.exe
1756	cmd.exe
2196	7z.exe
1756	cmd.exe
2484	7z.exe
1756	cmd.exe
2164	7z.exe
1036	sysarddrvs.exe
1036	sysarddrvs.exe
1036	sysarddrvs.exe
1036	sysarddrvs.exe
1848	280379422.exe
1480	taskeng.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	pi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	11.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
28	pastebin.com
29	pastebin.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
92	bitbucket.org
94	bitbucket.org
8	bitbucket.org
10	bitbucket.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1780	powercfg.exe
1704	powercfg.exe
1912	powercfg.exe
592	powercfg.exe
2128	powercfg.exe
2160	powercfg.exe
2584	powercfg.exe
2604	powercfg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	NewApp.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Updater.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 2024	1920	Updater.exe	100
PID 1920 set thread context of 1964	1920	Updater.exe	102

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-337-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-338-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-339-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-336-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-334-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-335-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-342-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-340-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-343-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-345-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-346-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-344-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-377-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1964-376-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\china.htm	china.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\china.jpg	china.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	pi.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	pi.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\sysarddrvs.exe	11.exe
File opened for modification	C:\Windows\sysarddrvs.exe	11.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2992	sc.exe
2296	sc.exe
2088	sc.exe
2292	sc.exe
1608	sc.exe
2956	sc.exe
2536	sc.exe
1680	sc.exe
2620	sc.exe
1548	sc.exe
2620	sc.exe
2856	sc.exe
2952	sc.exe
3068	sc.exe
2668	sc.exe
1132	sc.exe
916	sc.exe
2284	sc.exe
1996	sc.exe
840	sc.exe
2664	sc.exe
844	sc.exe
3028	sc.exe
2104	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	280379422.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99323808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe(2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	china.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000065bf81d01d48e9904c300aa95457f7764f00f82c7ac7d702560228e1026040d8000000000e8000000002000020000000106e4ccd1b442e4ddf31aff9d8173d478f27938371124855b4e8422f419fde99900000006be61fee65cfcb56ec72ca321c575ddcbc1d776890400c294c50ce20b832e5fd69db5dfd20d2891550a44ac384621ac889195cb4845f2764c4c82f61776cf445c2c36084344d7aabcd63124d65f1f0a1606af30aa3aed9d913cca8e970c963ab6b8e27ad9bc049e54c6508d656400701f65fe4ca9bdea463be0fc9ff9d107d04529c8c02ee4fae7cfe102ead65e942f54000000026b8be81caa69271c5374a117f6c03c4c750e46099c7705dc0be876bfff33abbab721a2f0ac54b84a7d7dddf37653e3f314953167a0781db07dead58c3d2a1ae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436304055"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000003f8b027e731c8ac93ca9d948d8a0dc3b9561d21511367bc7077d1c03c4ed5d4e000000000e8000000002000020000000af207f8b88d95a4c6fe34bcab5d56624e95c290662a3cd11eeee6dae5ae9b9492000000002b83d21804d3c1c98311c29dd5ecaf2c4548dca0e10fb5b6e38534174324ed04000000098622f774e13ef058649bf9c746254f88fd46ed62a0597ce3647ef33f4cf476d125412e06b1277feb49939efe3d3fd4992cb69884c4a59e15e436448ff5e5d4c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b04372186c29db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3FF1AED1-955F-11EF-BA45-72BC2935A1B8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50ca03016c29db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe(2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe(2).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	4363463463464363463463463.exe(2).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	4363463463464363463463463.exe(2).exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1556	schtasks.exe
1656	schtasks.exe
2828	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1536	Installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	powershell.exe
2256	NewApp.exe
2136	powershell.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
2256	NewApp.exe
1920	Updater.exe
2204	powershell.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1920	Updater.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
2120	powershell.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe
1964	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
328	sysppvrdnvs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	4363463463464363463463463.exe(2).exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeShutdownPrivilege	2128	powercfg.exe
Token: SeShutdownPrivilege	2604	powercfg.exe
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeShutdownPrivilege	2160	powercfg.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeShutdownPrivilege	1780	powercfg.exe
Token: SeShutdownPrivilege	592	powercfg.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeShutdownPrivilege	1704	powercfg.exe
Token: SeLockMemoryPrivilege	1964	explorer.exe
Token: SeDebugPrivilege	2720	client.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	916	Client.exe
Token: SeRestorePrivilege	2976	7z.exe
Token: 35	2976	7z.exe
Token: SeSecurityPrivilege	2976	7z.exe
Token: SeSecurityPrivilege	2976	7z.exe
Token: SeRestorePrivilege	2216	7z.exe
Token: 35	2216	7z.exe
Token: SeSecurityPrivilege	2216	7z.exe
Token: SeSecurityPrivilege	2216	7z.exe
Token: SeRestorePrivilege	1056	7z.exe
Token: 35	1056	7z.exe
Token: SeSecurityPrivilege	1056	7z.exe
Token: SeSecurityPrivilege	1056	7z.exe
Token: SeRestorePrivilege	2156	7z.exe
Token: 35	2156	7z.exe
Token: SeSecurityPrivilege	2156	7z.exe
Token: SeSecurityPrivilege	2156	7z.exe
Token: SeRestorePrivilege	1680	7z.exe
Token: 35	1680	7z.exe
Token: SeSecurityPrivilege	1680	7z.exe
Token: SeSecurityPrivilege	1680	7z.exe
Token: SeRestorePrivilege	1728	7z.exe
Token: 35	1728	7z.exe
Token: SeSecurityPrivilege	1728	7z.exe
Token: SeSecurityPrivilege	1728	7z.exe
Token: SeRestorePrivilege	2244	7z.exe
Token: 35	2244	7z.exe
Token: SeSecurityPrivilege	2244	7z.exe
Token: SeSecurityPrivilege	2244	7z.exe
Token: SeRestorePrivilege	1704	7z.exe
Token: 35	1704	7z.exe
Token: SeSecurityPrivilege	1704	7z.exe
Token: SeSecurityPrivilege	1704	7z.exe
Token: SeRestorePrivilege	2376	7z.exe
Token: 35	2376	7z.exe
Token: SeSecurityPrivilege	2376	7z.exe
Token: SeSecurityPrivilege	2376	7z.exe
Token: SeRestorePrivilege	2196	7z.exe
Token: 35	2196	7z.exe
Token: SeSecurityPrivilege	2196	7z.exe
Token: SeSecurityPrivilege	2196	7z.exe
Token: SeRestorePrivilege	2484	7z.exe
Token: 35	2484	7z.exe
Token: SeSecurityPrivilege	2484	7z.exe
Token: SeSecurityPrivilege	2484	7z.exe
Token: SeRestorePrivilege	2164	7z.exe
Token: 35	2164	7z.exe
Token: SeSecurityPrivilege	2164	7z.exe
Token: SeSecurityPrivilege	2164	7z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1328	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1328	iexplore.exe
1328	iexplore.exe
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
1740	IEXPLORE.EXE
916	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2256	2328	4363463463464363463463463.exe(2).exe	30
PID 2328 wrote to memory of 2256	2328	4363463463464363463463463.exe(2).exe	30
PID 2328 wrote to memory of 2256	2328	4363463463464363463463463.exe(2).exe	30
PID 2328 wrote to memory of 2256	2328	4363463463464363463463463.exe(2).exe	30
PID 2328 wrote to memory of 1532	2328	4363463463464363463463463.exe(2).exe	31
PID 2328 wrote to memory of 1532	2328	4363463463464363463463463.exe(2).exe	31
PID 2328 wrote to memory of 1532	2328	4363463463464363463463463.exe(2).exe	31
PID 2328 wrote to memory of 1532	2328	4363463463464363463463463.exe(2).exe	31
PID 2328 wrote to memory of 932	2328	4363463463464363463463463.exe(2).exe	32
PID 2328 wrote to memory of 932	2328	4363463463464363463463463.exe(2).exe	32
PID 2328 wrote to memory of 932	2328	4363463463464363463463463.exe(2).exe	32
PID 2328 wrote to memory of 932	2328	4363463463464363463463463.exe(2).exe	32
PID 932 wrote to memory of 328	932	pi.exe	33
PID 932 wrote to memory of 328	932	pi.exe	33
PID 932 wrote to memory of 328	932	pi.exe	33
PID 932 wrote to memory of 328	932	pi.exe	33
PID 328 wrote to memory of 2812	328	sysppvrdnvs.exe	34
PID 328 wrote to memory of 2812	328	sysppvrdnvs.exe	34
PID 328 wrote to memory of 2812	328	sysppvrdnvs.exe	34
PID 328 wrote to memory of 2812	328	sysppvrdnvs.exe	34
PID 328 wrote to memory of 1720	328	sysppvrdnvs.exe	36
PID 328 wrote to memory of 1720	328	sysppvrdnvs.exe	36
PID 328 wrote to memory of 1720	328	sysppvrdnvs.exe	36
PID 328 wrote to memory of 1720	328	sysppvrdnvs.exe	36
PID 2812 wrote to memory of 1692	2812	cmd.exe	38
PID 2812 wrote to memory of 1692	2812	cmd.exe	38
PID 2812 wrote to memory of 1692	2812	cmd.exe	38
PID 2812 wrote to memory of 1692	2812	cmd.exe	38
PID 540 wrote to memory of 2236	540	cmd.exe	52
PID 540 wrote to memory of 2236	540	cmd.exe	52
PID 540 wrote to memory of 2236	540	cmd.exe	52
PID 2208 wrote to memory of 2200	2208	cmd.exe	83
PID 2208 wrote to memory of 2200	2208	cmd.exe	83
PID 2208 wrote to memory of 2200	2208	cmd.exe	83
PID 1532 wrote to memory of 1328	1532	china.exe	88
PID 1532 wrote to memory of 1328	1532	china.exe	88
PID 1532 wrote to memory of 1328	1532	china.exe	88
PID 1532 wrote to memory of 1328	1532	china.exe	88
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 2024	1920	Updater.exe	100
PID 1920 wrote to memory of 1964	1920	Updater.exe	102
PID 1920 wrote to memory of 1964	1920	Updater.exe	102
PID 1920 wrote to memory of 1964	1920	Updater.exe	102
PID 1920 wrote to memory of 1964	1920	Updater.exe	102
PID 1920 wrote to memory of 1964	1920	Updater.exe	102
PID 1328 wrote to memory of 1740	1328	iexplore.exe	103
PID 1328 wrote to memory of 1740	1328	iexplore.exe	103
PID 1328 wrote to memory of 1740	1328	iexplore.exe	103
PID 1328 wrote to memory of 1740	1328	iexplore.exe	103
PID 2328 wrote to memory of 2228	2328	4363463463464363463463463.exe(2).exe	106
PID 2328 wrote to memory of 2228	2328	4363463463464363463463463.exe(2).exe	106
PID 2328 wrote to memory of 2228	2328	4363463463464363463463463.exe(2).exe	106
PID 2328 wrote to memory of 2228	2328	4363463463464363463463463.exe(2).exe	106
PID 2228 wrote to memory of 1036	2228	11.exe	107
PID 2228 wrote to memory of 1036	2228	11.exe	107
PID 2228 wrote to memory of 1036	2228	11.exe	107
PID 2228 wrote to memory of 1036	2228	11.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2016	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(2).exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe(2).exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\Files\NewApp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NewApp.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2256
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2236
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2284
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1996
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:840
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2536
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3068
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2128
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2604
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:2668
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineK" binpath= "C:\ProgramData\GoogleUP\Chrome\Updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2664
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3028
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineK"
      4⤵
      Launches sc.exe
      PID:844
- - C:\Users\Admin\AppData\Local\Temp\Files\china.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\china.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.funletters.net/readme.htm
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1740
- - C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:932
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1608
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2856
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2952
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2956
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2992
- - C:\Users\Admin\AppData\Local\Temp\Files\11.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\11.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\sysarddrvs.exe
      C:\Windows\sysarddrvs.exe
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      PID:1036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2088
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:916
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1548
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2292
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2620
    - - C:\Users\Admin\AppData\Local\Temp\2432725289.exe
        
        C:\Users\Admin\AppData\Local\Temp\2432725289.exe
        5⤵
        Executes dropped EXE
        
        PID:2804
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:1748
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:2468
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2248
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\300217483.exe
        
        C:\Users\Admin\AppData\Local\Temp\300217483.exe
        5⤵
        Executes dropped EXE
        
        PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\280379422.exe
        
        C:\Users\Admin\AppData\Local\Temp\280379422.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\3645438493.exe
        
        C:\Users\Admin\AppData\Local\Temp\3645438493.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\99323808.exe
        
        C:\Users\Admin\AppData\Local\Temp\99323808.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2308
- - C:\Users\Admin\AppData\Local\Temp\Files\client.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2720
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1556
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:916
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1656
- - C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe"
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    - Executes dropped EXE
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\Files\23c2343.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\23c2343.exe"
    3⤵
    - Executes dropped EXE
    PID:2660
- - C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2672
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      Loads dropped DLL
      PID:1756
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p29586644319935208542739921766 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_11.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_10.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_9.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_8.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_7.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_6.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "Installer.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
        
        "Installer.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  PID:3068
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2828
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:540

C:\ProgramData\GoogleUP\Chrome\Updater.exe
C:\ProgramData\GoogleUP\Chrome\Updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2200
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2104
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1680
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1132
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2620
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2024
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964

C:\Windows\system32\taskeng.exe
taskeng.exe {7E1AB071-3586-4D99-AE29-31E2D142C059} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1480
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  - Executes dropped EXE
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22804e0228553b3c58a16158f73fa8d8

SHA1
47a03cd221ccfa768f5142b315a1cb2144047136

SHA256
824882bfbc05ef5a55ea2485a67ed0fc6bcdd36c6bbaf67593ebc6e2397a07fd

SHA512
8351559ee5619bd2a376cc3b1408c56be66b271ded2c1c7a02c8d0aafd365d212129386f3022b39e7cb9b2889ac44339ad5f29261abf14190f778f68858dbd67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9933285edd60e19fde83742780888491

SHA1
1b1d361d24c40e0bb348951693adb9f141f4ae70

SHA256
9707b85f008852d5956c3b652984a54ec5ab81cb7736ca823cbc5ca260a03418

SHA512
1fbf1337b58c296ef3a006009a124e4bd34bf6cda601dea949e232223915daaaf139440b896d6e5cb5a5459476146647840fdbb92c83e33fb4166a33426906e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf19463aa78b72a684f1f1d7304b22ce

SHA1
2f4059b3f42ff7a1d9e73e7ac13d27e66cd4a555

SHA256
def8ff0c7d93aa111c82e36f9f0ec6b04f07f5e6f7920176be87d7cda39e345e

SHA512
338df4318e174cf76266146006cfd78787b57f1f11b04697937d9e987905796c711b918d4067a4ca5c4ab850828d79fab796e17c4404e9221636158b863974da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe08bf4c831445a55f987610fc1c77c2

SHA1
dfeea0440bf6fc668a2b370a31eef3501cf14d19

SHA256
fab0ebabbf3cbe7ba1c2b0dd848132f802a8b053fabe5e86508b513212493db0

SHA512
b4dd6d8d311ac8c13c4dc3d13384d41753926746d59a0ff4e35bb15e96e904cf24a743c12cdc27c6f36900095b75481c1a3a059014694f4a16ecb54c510b4af8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0f82f0dcfe00b729cfdb0ba14e443bd

SHA1
ce29b7d3d33937270d3137ef2928d124e4069363

SHA256
d50752d31d6d4ffef8f679c8d4ff41e95cfb72fc6dfcabf85f069f6a647942a2

SHA512
fe71461f55a3b20a29c9a002fb29825d14ca7b7e8a0e5a87de28cd0817428e8c2ceea2c22c57819f6c24eb5015fc4c3961cc48d261b58a0abcbe3d57f03e33e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af478ea53d60cbbbc6540bddd57d4937

SHA1
80ab40abac834db851fa6e77cacc6cbf8a66df05

SHA256
7bdd7056e0bcba9752ae8754aec256a626e9da0120ab2dfa8175aafafe1ee1a2

SHA512
5bca42cd051f215ebf0eaf26a0e4c6247873b9e849e36bce2b6316b49acb057652401703d488f9d7cb9014fd189073d688bed8f7e8bf7599b5a3921427725db7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbe08359084a448421be4a9cb1ae1bae

SHA1
41f53e9cdb1eeb8dcff5f900aaa98df1c46b19d6

SHA256
2d4765d965b813368e2d8bf7b856baaa8c2a8e35eba3a35fbbb73e44a024f998

SHA512
18d495afb97a003366f3c20339712352feacd813a1659d31016f62b4107f39a032afbf7f250c98cf8ebba0a0956160fd840f60abef95c36af1ee453be38112e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1e8226e5017617afd5f56001d890fa6

SHA1
578cad0f8bc0ac82cbd4f6e00c541559412bcc74

SHA256
e24cebea870f99751ed7d4600e3df7f505a9308db3f2a6b4bf65a56b7c2cf9f2

SHA512
612eefb63a198bb0f45bbf549d19d2f6af3f1d4c3533fdd9f0cce1e8201dcca050a4a59628e17797c4a5b17c28c4bb3f26654dad83611707fc994394a5a7e1f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c14ca46031ff4baa9f2d2a09fa04dad

SHA1
466c0b7a060b249e86b47b52578c214d74b668a4

SHA256
90da7fd23eb3901f7272845a0b285759ab974b86d824a828c04f49cd2fba4633

SHA512
a1ef02646a6ce58cdf17d326de72237cf9b2aac0553389978d0306bf7ff85fe9beb711b06898392056cef69bb75a638d38f869a0c221cf035a12ecbcb133cb32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
726474facae49966281228c1323075eb

SHA1
38cc1ed1df5c559eb15ad0134f01f1576b9d3544

SHA256
742d8d6be4ff2e617b08ad01e77d95deb5fe369699b8b933f5af1f5d79808c45

SHA512
98a33c8b14fe4acae1ac64563da53de4903dadfd22ee06d866cdbded1620c81ca2fdd6297982c0ec3cb2bc49e5941975459897c8ddc77bdacb35824ad4a1d7a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4b5e30269b57f0282fa2c61c3b66d9f

SHA1
a111d0ba781a5b6de2dd29056b46274d11ae7271

SHA256
48f5665dae58d254f84feb61b40f7b06c4d925cceae4ede935e16dd1e8299ac2

SHA512
e91ccca2518ee7df74521c66c21bdf3663a8fdff3a56d71b174d9478aac79acd994672321c016fd39b31d076d83d47237dd18526c6ec74692450e637cd265daf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9a9ff5fd098f7aa77ddf93eff50f897

SHA1
70f5eb6845235462f8b40c784987a7bd9261774f

SHA256
a94de290745d39729fcd0bec6dfcc091a301901e88d2d1ace409042ef1a5a070

SHA512
6a2b2d51481f669ace10fa09e54ffac292c1611dfe283b5f2e62b40e18b58cb4b1d2d55e43ccbf75f15d2e39ed7228c7483bf1dda2b38bbc83c0a0c34e86a857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d5753a08eeb6312cf2b0bd6f7e191ec

SHA1
a8140c1672eb80ebe4f22d326954ccd4cd0a2e50

SHA256
8e01d6d87aa387a9449565f23fb9ec907648217ea31e4a2774120ea3c99d61d5

SHA512
acac9698e19ffc7a3628a149810aeeff22653192a6a8296ec60fe6ccfbdbeebeffdd864d6b5c419ab654dedc7772efccff53f2b83e4ed88e425b921b1ecefacb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ffe0a19eb948bb960388c09d9399483

SHA1
5003e3e040e8efb618f707c20ec8501b5e0b89ae

SHA256
1cbb2cc681b669fda89354e4196395062eb76f140ea41fd8900809f43d98ba4d

SHA512
4895551bd88aa0f2d8b00b4376c1123ca5b0a8941f6ab087dd4e00ea2e74ceab18718dd8a6572dca2df26191498dfc033f6981bd18111fef7ea60dd950971f14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85d37198a2ea32cfb6f9fe435c81108b

SHA1
29781eb6179cedb5bcdb4909a781aedcfa96ad99

SHA256
1b09b19ce0f092e72dd7d47f1d9ad805e455d20570010ea3b6f7b48959f3e698

SHA512
8e70268d7605f4b13aa95c8ce58744ee5e601713c2f162cba5d59f108cf5fce8cf6ce9ceedc3d3b225b36efd0db0817a49b71a4d9408d2e4aaf48fdef0de74f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a94c5dbb8211c7660d752dbfc45ac1d

SHA1
d5058585c0c667aea47490d6341b6b80a6641c9d

SHA256
9dbafe9ee94c7e6ed53189210910ce7e65537df0d3bd5d045d0327ebcab0ee19

SHA512
8196409f9eaef7ee395ad9679943000056c7c7c479455de2fb683f43ff3f45b471ce528ad4b853fbe9103e2011de4bc7f65a4b62899dcc2bff4669601f2601a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4026d3e0ad44e1bc0782354dfd1a8aa

SHA1
fa2190e313f77598117328ee704925d79a0565c3

SHA256
7d0df28e3d969f4d42e111a11dcae29001b51a94a65d385ef9c35c24c4e6b361

SHA512
168a3e07186c7c0d2b98f3b417581fcd0f9ff7bdb858a0bdecb8e2cd2ecb7edd4d320e8d39c3f6c21bdaa2989df7678a728520cc1cda7463951006389c87650f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45ac900233493b9703d72500c887fbbe

SHA1
b4af2ea13f0c0c903d7cca5be275c21e2d554588

SHA256
d25ea5a7a21192164a5ee2da8bb0bd1944a964626a0b6318c79e944171191cc0

SHA512
23cd749c455b35bffe31a9dcd6c65d025cc81ea45db8e4f1b904686199bb56325ee590d98e36969e5da1b9e978e89a5af7dae7bf6e4a58c75f1a82379237f178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b221d996361f1a26416dc8f03238a65

SHA1
a1fe0097e69860c0863f082aedeb17a1890a0184

SHA256
d0a873a98fd3d31ef032620a11f1a9e5aa6d1221fd383a7432e94171b8f0f355

SHA512
5ec6b2a1d2c9421ca33ec702b818ac25fc56f0ecb8c71d587dd3d8fc6afb28c8536b8ebef0d489947534e24d8980e76cbdc7e6a84ad2cb385aa168ed7feaeb0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f951158fa2343468606f43760aa590c6

SHA1
3ced00c8a827ebc8f5c524016b929080f803bbdb

SHA256
c9a9430283f15f00b91629c19c2b53423ef2acaea90246aae74b1f2eec9444b2

SHA512
52ce190d061a5f22a4522c4b0bb29793881016cfc441849bab57caba8a6e7ed606e49c4d0a0db41bf9142f42372934e6cad2ce0e1cc18e11fe7102f886628d81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d5c598926f69703a7851a38798e0408

SHA1
dd13733573787bf71542bee56b2ede55fbd9badf

SHA256
bf64ab0b3aa0a96ea1d6b0eb5de05b9cef49528ccc204e4a087ac3eab472c06e

SHA512
920bcf52e1ffe8d18f7d2e1badafb5e84d50e62c6505da39522710fc9762d898c31eb3c10c0333343c04a582a28e3ad76ed18f91c9b3654e5633fe4b5c07ba9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9469afa4120ed414f6809ea320a2d100

SHA1
61750bc0872509641e02da55526841a974462634

SHA256
dfd65fe247236d6fabcd1da19ff8edcc82f154c87a0c0b8e95cbbc052d22b797

SHA512
c5100c01e978b99391f21322b203d1cbcb752b2eb7a4dbb0135a39a2cfcdd98f35b43ce1ff45abaa38fd0b6142977f557bba62b31360f19921cf59bd429e5786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66ff3ff3e86eb677d9c93f793f9d8d1b

SHA1
93cd482fe09f37d87a9decfb019a9329e05f9e92

SHA256
388c53f9b631d89d637801c10ce6423293e2acdb765ab70f2b053793eba45511

SHA512
77f3ccba1c13d33a524e6e42217758b1ee30de09354da52dbbd6fb6bbfdaca5c17093eceba372599cf45d0fb4472791edd4acc8f36805cc93ba44943934bc0dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0019b0848fe374e5183427c1e35880eb

SHA1
c0de76e9bfcbaca6a83f2e8a5564af4d6a0dfe94

SHA256
131953fa74de680798360ee333ac01ce4da62145f485f7db50ee8905509739f8

SHA512
8a38cedeab7daafb2783e888b87cbeb11fa4f30fe80380f31c743d5601fbe1e48aca71c34312426478197be98c5bc8ecb27f69b09120ad3ad4486134ec0d2198

Download Submit
C:\Users\Admin\AppData\Local\Temp\584511976.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFEBB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\23c2343.exe

Filesize
2.6MB

MD5
bf9acb6e48b25a64d9061b86260ca0b6

SHA1
933ee238ef2b9cd33fab812964b63da02283ae40

SHA256
02a8c111fd1bb77b7483dc58225b2a2836b58cdaf9fc903f2f2c88a57066cbc0

SHA512
ac17e6d73922121c1f7c037d1fc30e1367072fdf7d95af344e713274825a03fc90107e024e06fccda21675ee82a2bccad0ae117e55e2b9294d1a0c5056a2031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aaa.exe

Filesize
19KB

MD5
1318fbc69b729539376cb6c9ac3cee4c

SHA1
753090b4ffaa151317517e8925712dd02908fe9e

SHA256
e972fb08a4dcde8d09372f78fe67ba283618288432cdb7d33015fc80613cb408

SHA512
7a72a77890aa74ea272473018a683f1b6961e5e765eb90e5be0bb397f04e58b09ab47cfb6095c2fea91f4e0d39bd65e21fee54a0eade36378878b7880bcb9d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF0C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs843E.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
500KB

MD5
0067a8449fad7927f7ccd78ad32ddc6c

SHA1
53bf7574bf168c644d40e2404f2346528fb16f18

SHA256
cfaeeed5348c9ac2d172d31fd2cdffb253d6bcbe44fc325d490bc368f5229989

SHA512
6d6d9734833de212e92c242e08eeee4bb6d8ceac2ee6f2ac0bafa30573e0efbc8a1ef0de071b71950d9ab3a524580bc9eec9eb420e6afa8a2711ef248372af14

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_11.zip

Filesize
2.1MB

MD5
7632984f9b26dbb8923da2348366665b

SHA1
c99703ad6db21039ba169a60c106a08b2bcdb139

SHA256
69b1c0618d5418ce0e37171191f4ae23986b56779116ed29c3417089654fa897

SHA512
543750b4fd6bc31884296d8cf0bf8daf56a90ed4223bd7b7650dc2b668da4965718f1511459a2900ab8d975923256918415076a2f7e0ff2faa454522097b1e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
500KB

MD5
3b90f281c49bdf17da4adf690e2a475d

SHA1
86821013a23e5048882bf58711d0549695aca67d

SHA256
864947ad239b5e7b903c862fadf82e296ee048d73b70f4fca516770271f2a741

SHA512
6f92db4b36df182bfb576863a1df1a8c3af4929135226abe5b6b3c59fe6f43e39e4563ccdd22f35d28277b8c826590079a1deb68be39f7609e7fdefaa4209b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.1MB

MD5
ae5771940899f79e634b6e4475040467

SHA1
225434a4900232053fbeff5a60a08e53cfc1436a

SHA256
b9740cf94f4a77bb2d61ec79ff342e7c739bb35b2b61f32e9b5f2d09218c24fc

SHA512
2b50da042539e81ea4b1b5dbde62f3aee6473df550401df2bc08505fc77a178994ab6608960251873b48089ae171e6365ae52408a493e71389b98d4796898134

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
476B

MD5
a6d611790d8afe6e81448cdf6ddb9ea4

SHA1
4e402e68fc7130433a7004cbce3834a8743bcf4c

SHA256
0c7be4c51cd64a8b6d2235ee0eeab8c98c565ed9b74b50c0eba02750c3b24b2f

SHA512
2faa6de4f3e2872fe2575f775c282e17fafb5ad4c31eb1de118081f80f28b33e0c1acfec0779b5911314ba50a5a5c1ec11491a393c272f3eab943636a6bf4938

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9Z41GSF3HG3N5R5M8L1C.temp

Filesize
7KB

MD5
41caa5757e5174357e4bbdb4b9185f40

SHA1
5fe4f0860cfc43429a2d67102fd6b49c083d7c8e

SHA256
6876d11d9caadd337147096f91854b7ffcd8bd5b62c2c0c106a17f39128509e4

SHA512
4f3a3dd39d1b3d37c8e714a8a28621d22d617dd9854cda7bf2dbd63fc9c3719ed79c1c81439464128be092ee4eb35c9bcf9ad3d7b0da1eb0f01d9bb0fbcae2bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YV84QSYNCHOINYBJU4D2.temp

Filesize
7KB

MD5
a7ac1461e37ff1032e45ecd879e9be08

SHA1
a0c96f0a5354822ff99b6acdf46c376a784f286b

SHA256
6f8586e1baff09d89962e838513f1cfb2ee3273155c17dad84ed6a4ba6a37285

SHA512
6775b9e53a7d0c82c37109a0c8d9228d738544ec1388b115f71b16a6a5af575fa028756374827b738ca146476c3b5ed967bfd88ed0c118d6b2e0a34f57a7e9f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fae6fbfc5faad2d6d0bb9c06e2c2b73a

SHA1
78d0588385780ded0bda3a9792a318d4c79a07a7

SHA256
5fef39f9cd8dfd9e56955a28d9018ef2eb5d0f0fa626c80dea4f2b98b2455624

SHA512
ef04d91320a083979ede7e872cf7ec9a03dc6c07aba8be7e119f6cb210a8a96fa6aca88ae40f43d13bfa8ec04a8d1299307d8ed99d675ac0477e42ef7a6a73a8

Download Submit
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\11.exe

Filesize
79KB

MD5
e2e3268f813a0c5128ff8347cbaa58c8

SHA1
4952cbfbdec300c048808d79ee431972b8a7ba84

SHA256
d8b83f78ed905a7948e2e1e371f0f905bcaaabbb314c692fee408a454f8338a3

SHA512
cb5aeda8378a9a5470f33f2b70c22e77d2df97b162ba953eb16da085b3c434be31a5997eac11501db0cb612cdb30fa9045719fcd10c7227c56cc782558e0c3bc

Download Submit
\Users\Admin\AppData\Local\Temp\Files\NewApp.exe

Filesize
5.8MB

MD5
190e68a764f232fa236a23317f80892b

SHA1
a37b9e226334bc69abaacb539fb7ba9722831a76

SHA256
a074f13421954fe7e4a87b68d23179df440cc15b0aa3019752fdbece9379d9e7

SHA512
34c5d7d35a639a2c6ea183ad808a10bc0adaebf806975f6949da119c1d90c50f065b3d238a0bd6b7159394fe39a0322590fe229cae73f7c9cc393e721449c0a2

Download Submit
\Users\Admin\AppData\Local\Temp\Files\china.exe

Filesize
75KB

MD5
a95e09168ff4b517c1ffa385206543b5

SHA1
2af4ec72be606aaae269ef32f8f7b3cb0bfda14b

SHA256
d417c5248d33ba5e02b468a08551c5eab4601ec318855ce0d9a0c7fb4103fa4f

SHA512
79563c3818ff77400a2f0d80a37682409fc92450eebaf950271a130c3e33de6911be279bd24c1d85a02f8dae22abbec766d2b8e1b0731d75fa61f2bceb27ad2e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\client.exe

Filesize
3.1MB

MD5
29de30606fa3cd9024d87066016d0351

SHA1
32af15b435a5f26655947612fe30da89b5a29370

SHA256
56a35f9bcb582449d44a4bed4fa36dcb140f04961f0f1fec1d96385569f72cac

SHA512
6fbe73cddab8a943d1ce060da1a3d26832616aefad76fe3b1dbd71991e4412a591133aee34df6a467a15acce8c587ea1420ca2f0dc4c8c77d54b8712a00a9355

Download Submit
\Users\Admin\AppData\Local\Temp\Files\conhost.exe

Filesize
3.0MB

MD5
ce901a874c9d157e48f83b1be3d32aa6

SHA1
9bc12d5db437c0673437e9feaadd0027887d1c13

SHA256
35401b151f704f6bbbf4f8b36d886e4dc391809822181b396c02d243c0aca7f0

SHA512
ea6511b4e318eb31e4dd8862cd7967906bd1705f2b1d6422b28424f0c810f9647702315b9bdcea1fd32421e5d72b61027e9991da6b779d6de02b61e410eeb747

Download Submit
\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
c2159769dc80fa8b846eca574022b938

SHA1
222a44b40124650e57a2002cd640f98ea8cb129d

SHA256
d9cb527841e98bb1a50de5cf1c5433a05f14572a3af3be4c10d3a4708d2419e0

SHA512
7a8b4f0b5c020277b4446e4ff2223de413bd6be4c7dad3179f988cb5d3849435a85acfbda7d41d3ef15d22554cd722a8b657d978426b79dc1495a81ab270e870

Download Submit
\Users\Admin\AppData\Local\Temp\Files\pi.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
\Users\Admin\AppData\Local\Temp\GS81BD.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
memory/916-677-0x0000000000EF0000-0x0000000001214000-memory.dmp

Filesize
3.1MB

Download
memory/1532-290-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1532-291-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1532-322-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1720-289-0x00000000778F0000-0x00000000779EA000-memory.dmp

Filesize
1000KB

Download
memory/1720-288-0x00000000779F0000-0x0000000077B0F000-memory.dmp

Filesize
1.1MB

Download
memory/1920-313-0x000000013F930000-0x0000000140536000-memory.dmp

Filesize
12.0MB

Download
memory/1964-377-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-335-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-376-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-337-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-344-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-346-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-345-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-343-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-338-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-340-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-342-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-341-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1964-339-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-334-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1964-336-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2024-329-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2024-326-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2024-332-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2024-328-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2024-327-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2024-325-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2136-305-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2136-304-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

Filesize
2.9MB

Download
memory/2204-316-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/2204-315-0x0000000019C80000-0x0000000019F62000-memory.dmp

Filesize
2.9MB

Download
memory/2256-223-0x000000013F6A0000-0x00000001402A6000-memory.dmp

Filesize
12.0MB

Download
memory/2328-1-0x0000000001180000-0x0000000001188000-memory.dmp

Filesize
32KB

Download
memory/2328-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2328-216-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-199-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2328-2-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2484-1493-0x000000013F8D0000-0x000000013FE67000-memory.dmp

Filesize
5.6MB

Download
memory/2660-978-0x000000013F9E0000-0x000000013FCE3000-memory.dmp

Filesize
3.0MB

Download
memory/2660-973-0x000000013F9E0000-0x000000013FCE3000-memory.dmp

Filesize
3.0MB

Download
memory/2660-938-0x000000013F9E0000-0x000000013FCE3000-memory.dmp

Filesize
3.0MB

Download
memory/2660-925-0x000000013F9E0000-0x000000013FCE3000-memory.dmp

Filesize
3.0MB

Download
memory/2720-462-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/2804-1030-0x000000013FA30000-0x000000013FA36000-memory.dmp

Filesize
24KB

Download
memory/3068-1491-0x0000000002050000-0x0000000002058000-memory.dmp

Filesize
32KB

Download
memory/3068-1490-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download