asyncrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

30-11-2024 01:23

241130-brr24awjcs 10

30-11-2024 01:22

241130-brh47azpcm 3

15-11-2024 19:13

241115-xxjtkayqgz 10

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Extracted

Family

stealc

Botnet

default

http://91.202.233.158

Attributes

url_path
/e96ea2db21fa9a1b.php

Extracted

Family

phorphiex

http://185.215.113.66

http://185.215.113.84

Attributes

mutex
Klipux

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Allahsiz

45.95.214.119:8080

Mutex

euU8bJbAjw5V

Attributes

delay
3
install
true
install_file
Runtime Broker.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

su-pc

192.168.100.2:4444

Mutex

47a88def-94f4-406d-86f5-8b0b767128df

Attributes

encryption_key
6B74F0C858B7E90573D4E97997F2A082B9781250
install_name
x.exe
log_directory
Logs
reconnect_delay
3000
startup_key
x
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral1/files/0x0012000000016c95-191.dat	zharkcore

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysklnorbcv.exe

Phorphiex family
phorphiex

Phorphiex payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000e000000016645-59.dat	family_phorphiex
behavioral1/files/0x0008000000016ac1-68.dat	family_phorphiex
behavioral1/files/0x000400000001d359-696.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2132-667-0x00000000012D0000-0x00000000015F4000-memory.dmp	family_quasar
behavioral1/files/0x000400000001d2ef-680.dat	family_quasar
behavioral1/memory/2476-684-0x0000000001050000-0x0000000001374000-memory.dmp	family_quasar

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 1524 created 1248	1524	3485612762.exe	21
PID 1524 created 1248	1524	3485612762.exe	21
PID 2304 created 1248	2304	winupsecvmgr.exe	21
PID 2304 created 1248	2304	winupsecvmgr.exe	21
PID 2304 created 1248	2304	winupsecvmgr.exe	21

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe

Xmrig family
xmrig
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Zharkbot family
zharkbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000500000001945b-441.dat	family_asyncrat

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/2304-649-0x000000013F3D0000-0x000000013F967000-memory.dmp	xmrig
behavioral1/memory/2908-686-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2248	powershell.exe
2956	powershell.exe
1368	powershell.exe
2344	powershell.exe
2444	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 33 IoCs

pid	Process
2792	pi.exe
2616	3.exe
3012	Destover.exe
2996	zts.exe
1892	sysppvrdnvs.exe
1244	sysklnorbcv.exe
1040	tdrpload.exe
288	tpeinf.exe
752	Journal.exe
2244	Utility2.exe
1472	needmoney.exe
1228	svchost015.exe
2312	210363889.exe
2624	2131227832.exe
1868	1903619464.exe
1524	3485612762.exe
1292	1931210640.exe
2304	winupsecvmgr.exe
2812	creal.exe
2108	sys.exe
1628	creal.exe
1904	nurik.exe
2760	nurik.exe
1248	Explorer.EXE
2636	Runtime Broker.exe
1736	sjkhjkh.exe
2132	x.exe
912	crypted.exe
2016	npp.exe
2476	x.exe
2480	2584818259.exe
2940	sysnldcvmr.exe
2996	installer.exe

Loads dropped DLL 56 IoCs

pid	Process
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
1076	WerFault.exe
1076	WerFault.exe
1076	WerFault.exe
1076	WerFault.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
1472	needmoney.exe
1228	svchost015.exe
1228	svchost015.exe
1892	sysppvrdnvs.exe
1892	sysppvrdnvs.exe
1892	sysppvrdnvs.exe
1868	1903619464.exe
1892	sysppvrdnvs.exe
1888	taskeng.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2812	creal.exe
1628	creal.exe
2148	4363463463464363463463463.exe
1904	nurik.exe
2760	nurik.exe
2760	nurik.exe
2760	nurik.exe
2760	nurik.exe
2760	nurik.exe
2760	nurik.exe
2760	nurik.exe
980	cmd.exe
2148	4363463463464363463463463.exe
2852	Process not Found
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2148	4363463463464363463463463.exe
2016	npp.exe
2016	npp.exe
1248	Explorer.EXE
2148	4363463463464363463463463.exe
2284	Process not Found
1248	Explorer.EXE

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysklnorbcv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysklnorbcv.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	pi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysklnorbcv.exe"	3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	2584818259.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
17	raw.githubusercontent.com

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\SubDir\x.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir\x.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir	x.exe
File opened for modification	C:\Windows\system32\SubDir\x.exe	x.exe
File opened for modification	C:\Windows\system32\SubDir	x.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 1228	1472	needmoney.exe	66
PID 2304 set thread context of 2880	2304	winupsecvmgr.exe	99
PID 2304 set thread context of 2908	2304	winupsecvmgr.exe	100
PID 912 set thread context of 2816	912	crypted.exe	114

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	pi.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	pi.exe
File created	C:\Windows\sysklnorbcv.exe	3.exe
File opened for modification	C:\Windows\sysklnorbcv.exe	3.exe
File created	C:\Windows\sysnldcvmr.exe	2584818259.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	2584818259.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1716	sc.exe
2900	sc.exe
2236	sc.exe
2716	sc.exe
2500	sc.exe
2892	sc.exe
2880	sc.exe
2496	sc.exe
1496	sc.exe
2728	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000018c34-432.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1076	2996	WerFault.exe	35

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Destover.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1903619464.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	needmoney.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runtime Broker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysklnorbcv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2584818259.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost015.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost015.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1988	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	4363463463464363463463463.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2788	schtasks.exe
1644	schtasks.exe
2832	schtasks.exe
1756	schtasks.exe
756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2248	powershell.exe
2956	powershell.exe
1228	svchost015.exe
1228	svchost015.exe
2312	210363889.exe
1524	3485612762.exe
1524	3485612762.exe
1368	powershell.exe
1524	3485612762.exe
1524	3485612762.exe
2304	winupsecvmgr.exe
2304	winupsecvmgr.exe
2344	powershell.exe
2304	winupsecvmgr.exe
2304	winupsecvmgr.exe
2304	winupsecvmgr.exe
2304	winupsecvmgr.exe
2108	sys.exe
2444	powershell.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
1244	sysklnorbcv.exe
2940	sysnldcvmr.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	4363463463464363463463463.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2312	210363889.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeLockMemoryPrivilege	2908	dwm.exe
Token: SeLockMemoryPrivilege	2908	dwm.exe
Token: SeDebugPrivilege	2108	sys.exe
Token: SeDebugPrivilege	2132	x.exe
Token: SeDebugPrivilege	912	crypted.exe
Token: SeDebugPrivilege	2636	Runtime Broker.exe
Token: SeDebugPrivilege	2476	x.exe
Token: SeDebugPrivilege	2636	Runtime Broker.exe
Token: SeIncreaseQuotaPrivilege	1716	wmic.exe
Token: SeSecurityPrivilege	1716	wmic.exe
Token: SeTakeOwnershipPrivilege	1716	wmic.exe
Token: SeLoadDriverPrivilege	1716	wmic.exe
Token: SeSystemProfilePrivilege	1716	wmic.exe
Token: SeSystemtimePrivilege	1716	wmic.exe
Token: SeProfSingleProcessPrivilege	1716	wmic.exe
Token: SeIncBasePriorityPrivilege	1716	wmic.exe
Token: SeCreatePagefilePrivilege	1716	wmic.exe
Token: SeBackupPrivilege	1716	wmic.exe
Token: SeRestorePrivilege	1716	wmic.exe
Token: SeShutdownPrivilege	1716	wmic.exe
Token: SeDebugPrivilege	1716	wmic.exe
Token: SeSystemEnvironmentPrivilege	1716	wmic.exe
Token: SeRemoteShutdownPrivilege	1716	wmic.exe
Token: SeUndockPrivilege	1716	wmic.exe
Token: SeManageVolumePrivilege	1716	wmic.exe
Token: 33	1716	wmic.exe
Token: 34	1716	wmic.exe
Token: 35	1716	wmic.exe
Token: SeIncreaseQuotaPrivilege	1716	wmic.exe
Token: SeSecurityPrivilege	1716	wmic.exe
Token: SeTakeOwnershipPrivilege	1716	wmic.exe
Token: SeLoadDriverPrivilege	1716	wmic.exe
Token: SeSystemProfilePrivilege	1716	wmic.exe
Token: SeSystemtimePrivilege	1716	wmic.exe
Token: SeProfSingleProcessPrivilege	1716	wmic.exe
Token: SeIncBasePriorityPrivilege	1716	wmic.exe
Token: SeCreatePagefilePrivilege	1716	wmic.exe
Token: SeBackupPrivilege	1716	wmic.exe
Token: SeRestorePrivilege	1716	wmic.exe
Token: SeShutdownPrivilege	1716	wmic.exe
Token: SeDebugPrivilege	1716	wmic.exe
Token: SeSystemEnvironmentPrivilege	1716	wmic.exe
Token: SeRemoteShutdownPrivilege	1716	wmic.exe
Token: SeUndockPrivilege	1716	wmic.exe
Token: SeManageVolumePrivilege	1716	wmic.exe
Token: 33	1716	wmic.exe
Token: 34	1716	wmic.exe
Token: 35	1716	wmic.exe
Token: SeDebugPrivilege	2444	powershell.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe
2908	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	x.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2792	2148	4363463463464363463463463.exe	32
PID 2148 wrote to memory of 2792	2148	4363463463464363463463463.exe	32
PID 2148 wrote to memory of 2792	2148	4363463463464363463463463.exe	32
PID 2148 wrote to memory of 2792	2148	4363463463464363463463463.exe	32
PID 2148 wrote to memory of 2616	2148	4363463463464363463463463.exe	33
PID 2148 wrote to memory of 2616	2148	4363463463464363463463463.exe	33
PID 2148 wrote to memory of 2616	2148	4363463463464363463463463.exe	33
PID 2148 wrote to memory of 2616	2148	4363463463464363463463463.exe	33
PID 2148 wrote to memory of 3012	2148	4363463463464363463463463.exe	34
PID 2148 wrote to memory of 3012	2148	4363463463464363463463463.exe	34
PID 2148 wrote to memory of 3012	2148	4363463463464363463463463.exe	34
PID 2148 wrote to memory of 3012	2148	4363463463464363463463463.exe	34
PID 2148 wrote to memory of 2996	2148	4363463463464363463463463.exe	35
PID 2148 wrote to memory of 2996	2148	4363463463464363463463463.exe	35
PID 2148 wrote to memory of 2996	2148	4363463463464363463463463.exe	35
PID 2148 wrote to memory of 2996	2148	4363463463464363463463463.exe	35
PID 2996 wrote to memory of 1076	2996	zts.exe	36
PID 2996 wrote to memory of 1076	2996	zts.exe	36
PID 2996 wrote to memory of 1076	2996	zts.exe	36
PID 2996 wrote to memory of 1076	2996	zts.exe	36
PID 2792 wrote to memory of 1892	2792	pi.exe	37
PID 2792 wrote to memory of 1892	2792	pi.exe	37
PID 2792 wrote to memory of 1892	2792	pi.exe	37
PID 2792 wrote to memory of 1892	2792	pi.exe	37
PID 2616 wrote to memory of 1244	2616	3.exe	38
PID 2616 wrote to memory of 1244	2616	3.exe	38
PID 2616 wrote to memory of 1244	2616	3.exe	38
PID 2616 wrote to memory of 1244	2616	3.exe	38
PID 2148 wrote to memory of 1040	2148	4363463463464363463463463.exe	39
PID 2148 wrote to memory of 1040	2148	4363463463464363463463463.exe	39
PID 2148 wrote to memory of 1040	2148	4363463463464363463463463.exe	39
PID 2148 wrote to memory of 1040	2148	4363463463464363463463463.exe	39
PID 2148 wrote to memory of 288	2148	4363463463464363463463463.exe	40
PID 2148 wrote to memory of 288	2148	4363463463464363463463463.exe	40
PID 2148 wrote to memory of 288	2148	4363463463464363463463463.exe	40
PID 2148 wrote to memory of 288	2148	4363463463464363463463463.exe	40
PID 2148 wrote to memory of 752	2148	4363463463464363463463463.exe	41
PID 2148 wrote to memory of 752	2148	4363463463464363463463463.exe	41
PID 2148 wrote to memory of 752	2148	4363463463464363463463463.exe	41
PID 2148 wrote to memory of 752	2148	4363463463464363463463463.exe	41
PID 1892 wrote to memory of 676	1892	sysppvrdnvs.exe	42
PID 1892 wrote to memory of 676	1892	sysppvrdnvs.exe	42
PID 1892 wrote to memory of 676	1892	sysppvrdnvs.exe	42
PID 1892 wrote to memory of 676	1892	sysppvrdnvs.exe	42
PID 1892 wrote to memory of 3048	1892	sysppvrdnvs.exe	43
PID 1892 wrote to memory of 3048	1892	sysppvrdnvs.exe	43
PID 1892 wrote to memory of 3048	1892	sysppvrdnvs.exe	43
PID 1892 wrote to memory of 3048	1892	sysppvrdnvs.exe	43
PID 2148 wrote to memory of 2244	2148	4363463463464363463463463.exe	44
PID 2148 wrote to memory of 2244	2148	4363463463464363463463463.exe	44
PID 2148 wrote to memory of 2244	2148	4363463463464363463463463.exe	44
PID 2148 wrote to memory of 2244	2148	4363463463464363463463463.exe	44
PID 3048 wrote to memory of 2496	3048	cmd.exe	47
PID 3048 wrote to memory of 2496	3048	cmd.exe	47
PID 3048 wrote to memory of 2496	3048	cmd.exe	47
PID 3048 wrote to memory of 2496	3048	cmd.exe	47
PID 676 wrote to memory of 2248	676	cmd.exe	48
PID 676 wrote to memory of 2248	676	cmd.exe	48
PID 676 wrote to memory of 2248	676	cmd.exe	48
PID 676 wrote to memory of 2248	676	cmd.exe	48
PID 3048 wrote to memory of 2236	3048	cmd.exe	49
PID 3048 wrote to memory of 2236	3048	cmd.exe	49
PID 3048 wrote to memory of 2236	3048	cmd.exe	49
PID 3048 wrote to memory of 2236	3048	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\Files\pi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pi.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\sysppvrdnvs.exe
      C:\Windows\sysppvrdnvs.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1892
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:676
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2496
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2236
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2716
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1496
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\210363889.exe
        
        C:\Users\Admin\AppData\Local\Temp\210363889.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:1936
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:3036
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2892
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\2131227832.exe
        
        C:\Users\Admin\AppData\Local\Temp\2131227832.exe
        5⤵
        Executes dropped EXE
        
        PID:2624
    - - C:\Users\Admin\AppData\Local\Temp\1903619464.exe
        
        C:\Users\Admin\AppData\Local\Temp\1903619464.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\3485612762.exe
        
        C:\Users\Admin\AppData\Local\Temp\3485612762.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\1931210640.exe
        
        C:\Users\Admin\AppData\Local\Temp\1931210640.exe
        5⤵
        Executes dropped EXE
        
        PID:1292
- - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\sysklnorbcv.exe
      C:\Windows\sysklnorbcv.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: SetClipboardViewer
      PID:1244
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1716
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2728
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2892
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2880
      - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        6⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2900
- - C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\Files\zts.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zts.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 168
      4⤵
      Loads dropped DLL
      Program crash
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    - Executes dropped EXE
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
    3⤵
    - Executes dropped EXE
    PID:288
- - C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe"
    3⤵
    - Executes dropped EXE
    PID:752
- - C:\Users\Admin\AppData\Local\Temp\Files\Utility2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Utility2.exe"
    3⤵
    - Executes dropped EXE
    PID:2244
- - C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1228
- - C:\Users\Admin\AppData\Local\Temp\Files\creal.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\creal.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\Files\creal.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\creal.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1628
- - C:\Users\Admin\AppData\Local\Temp\Files\sys.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\sys.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Runtime Broker" /tr '"C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDC6.tmp.bat""
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:980
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1988
    - - C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
        
        "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
- - C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1904
  - - C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\nurik.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2760
- - C:\Users\Admin\AppData\Local\Temp\Files\sjkhjkh.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\sjkhjkh.exe"
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\Files\x.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\x.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "x" /sc ONLOGON /tr "C:\Windows\system32\SubDir\x.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:756
  - - C:\Windows\system32\SubDir\x.exe
      "C:\Windows\system32\SubDir\x.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2476
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "x" /sc ONLOGON /tr "C:\Windows\system32\SubDir\x.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
- - C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\2584818259.exe
      C:\Users\Admin\AppData\Local\Temp\2584818259.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:2480
    - - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        
        PID:2940
- - C:\Users\Admin\AppData\Local\Temp\Files\installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\installer.exe"
    3⤵
    - Executes dropped EXE
    PID:2996
  - - C:\Windows\system32\reg.exe
      "reg" "query" "SYSTEM\CurrentControlSet\Services\Disk\Enum"
      4⤵
      PID:2900
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" "computersystem" "get" "manufacturer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" "-Command" "$cmd = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAiQzpcVXNlcnNcQWRtaW5cemh6Z3pxdmJvZXR2a3pvYyI=')); Invoke-Expression $cmd"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1368
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1644
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2832
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2880
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2908

C:\Windows\system32\taskeng.exe
taskeng.exe {98CDA88C-46B6-43F7-8562-7B24382E6ECD} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1888
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56fbc08e3ddf75eb9d7259c4be17af9c

SHA1
ab6066ce897d12bcda37b7cf9185be4be113ff88

SHA256
3a163505e34c4544b70ef30e6bb5d16f1dd06438e4209eadbae30568b490dba6

SHA512
b344b3358f7a3635417d9e2350f0c643f795ce57eb659532768869beff9036a71dfdfa7b9728d9d65383e773285f1140b6bc2431a41fa40bcbe3622f481f93f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\210363889.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2131227832.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2584818259.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD0F7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Destover.exe

Filesize
89KB

MD5
e904bf93403c0fb08b9683a9e858c73e

SHA1
8397c1e1f0b9d53a114850f6b3ae8c1f2b2d1590

SHA256
4c2efe2f1253b94f16a1cab032f36c7883e4f6c8d9fc17d0ee553b5afb16330c

SHA512
d83f63737f7fcac9179ca262aa5c32bba7e140897736b63474afcf4f972ffb4c317c5e1d6f7ebe6a0f2d77db8f41204031314d7749c7185ec3e3b5286d77c1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe

Filesize
4.1MB

MD5
7fa5c660d124162c405984d14042506f

SHA1
69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

SHA256
fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

SHA512
d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sys.exe

Filesize
47KB

MD5
b755853833e683e601e838ed7ca54867

SHA1
9ff8bf2710cfd25fa0fd07ea10e10f76910989a9

SHA256
308e5523c1588d1ba9b89d48c32a0171a674f34c8e50407cc307b56d92bb9a52

SHA512
6fe4139253b06499c735d1131fe368f93a064b573d8b7befd23836b707adda6adcdde991a49886d83dec7d08c3f6fba66ef083c5270c253162c59db88250b193

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zts.exe

Filesize
325KB

MD5
4dbb6133449b3ce0570b126c8b8dbe31

SHA1
9ad0d461440eab9d99f23c3564b12d178ead5f32

SHA256
24a3061eaa4ced106c15b1aea8bd14a5cd17750c6241b2ed4ab6548843e44e90

SHA512
e451aeba42d46a7f250c78ff829ced9169b955ed64a9d066be7e3ac5d6c0750a1dc8ded7a565731d39d224251ae20fff09fa44052083b4fb551b1b6167e8cc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD11A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDC6.tmp.bat

Filesize
157B

MD5
95ec9aec4727232000dcc5d842d96368

SHA1
56d09e3c6c97e30b526e58536dd5e88af4aa6770

SHA256
357f36bf59384fa2dcb913c02bf7a65e33e60f4a9b7a44096784e532b6fd334c

SHA512
4e003ddb3485d847036645440590baf77dbaccd78e0b8f41eff2f1f3ad432994730da3e979051166526c26ba6eaf800acae66f07d5c24901bb1eeba132abc72a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I5RXF928APPLFBMOB2QB.temp

Filesize
7KB

MD5
7fd5ec11a24c0c76485d19650b3043be

SHA1
27fa304c7cd7919adb5b3513cbb035eb8233db9a

SHA256
c1aff82139185ef87e9874711dd94cf33270eebbf881f954f7482ec85477363e

SHA512
8ea6c013c2c12e220721d8eef25f424521a05122903189fc628a0f0961f4bc5aa78273aaecf82610c671960d933ef0107c828c11bb83d96294595db80e50fc54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2bdd6782a7aa60b3ba737002dbebf567

SHA1
ba2c9e2a5385422839233bda6a67cd8011f8d3aa

SHA256
9318ec4193c0d93fe197998b1ca7c4480cd79359e731481e1529d3fe9f52f0aa

SHA512
ccef8fd5be8537def92b68d13062cbd22e7924f2072237dc7726f77f2d560d8537ddc100f78f36c990ecd62628e9690b496c3162d7a93607c579626f38057f85

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
9984c582d3b8aee760e19d9e4e52762d

SHA1
2a779a6ea094f578e7ca8b35e4cd81e89abb4f64

SHA256
18758a8db2b76124f6bcbbb28ccbb070b9a9902e063daea756149301b9cdb296

SHA512
1963e5c4ae01692927a9a11bdee99be7abdda4ba1cb3c1d62c61104feb04595b505835ff44521fe039f1e2dcd2536d4433c33f3b17ea3675d807d37d513d4f1f

Download Submit
C:\Windows\System32\SubDir\x.exe

Filesize
3.1MB

MD5
ce560e01aa6d0a1848eacb577880f112

SHA1
ac6013ab7dec397c0f14368492047e5f54091f2c

SHA256
061f0c6e8d2aa06e218364b7d0f44e689d0c6b900a06844bf272efc516dabfdb

SHA512
988a405ec7c257c43e21ac721509478113c48ae5cdbfe25d7f0227a6ff473412ba662343365d4ca899fc621b6710437128505f29cb6939f45248ff255c4565ec

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\1903619464.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
\Users\Admin\AppData\Local\Temp\1931210640.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
\Users\Admin\AppData\Local\Temp\3485612762.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
\Users\Admin\AppData\Local\Temp\Files\3.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Journal.exe

Filesize
321KB

MD5
3db33784eb4a2c5ff0d97237bd25d4ce

SHA1
e1ee87f9353ff1438e860ef695b5e022a83ac298

SHA256
e0fad6ad403b01fb99b906403d2abb21ffd1adf78e88477568291bb0cf392deb

SHA512
7394150c055ec7c42f7f28a7f0fceedd6a32da68502ff7d2c5ecf32f48f3899c4416cc0ca1223d5d173033fb047c34e9ba31c91c12a26bf0d4758d338f179937

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Utility2.exe

Filesize
321KB

MD5
4bd25a55bcb6aec078ab1d909cfabe64

SHA1
ba68ca4d2601d9c34bf3e897b434e1abc042e254

SHA256
f0c2e045cbe2076d3c85f4637c9f404407239a109c4d493165a6b55067729d60

SHA512
fac63d88926fb64e90f4863e7bbac681b9b25965384b3f2624c33639eead4930a0cd3503b8a24e6aecb815a392729b75459fa59f197048cfb1d89ce41c4c9006

Download Submit
\Users\Admin\AppData\Local\Temp\Files\creal.exe

Filesize
16.4MB

MD5
da1695dba8bd25d00e05e7769d6d7e8e

SHA1
884c5b84185bfcc06b2f82474642e23af842cf26

SHA256
7166d6cc2435061f32cf982dba8f6ec27fc23a46c9705aa52fb2ba08eb7011aa

SHA512
8d0538def7bf8b993f812bdbedf3aa445637ff66746b1a041b491fbdd0e707356c2331aa56625a5c40d0ce6079cc0e9a30c9a2de65b002027e37f2ced24c72af

Download Submit
\Users\Admin\AppData\Local\Temp\Files\pi.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
memory/752-248-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/752-268-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/912-673-0x0000000001340000-0x00000000013BA000-memory.dmp

Filesize
488KB

Download
memory/912-674-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1228-299-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1228-302-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1228-338-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1228-292-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1228-294-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1228-298-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1228-366-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1228-286-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1228-288-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1228-290-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1368-422-0x0000000002200000-0x0000000002208000-memory.dmp

Filesize
32KB

Download
memory/1368-421-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/1472-300-0x0000000000400000-0x000000000081B000-memory.dmp

Filesize
4.1MB

Download
memory/1524-425-0x000000013F400000-0x000000013F997000-memory.dmp

Filesize
5.6MB

Download
memory/2108-442-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

Filesize
72KB

Download
memory/2132-667-0x00000000012D0000-0x00000000015F4000-memory.dmp

Filesize
3.1MB

Download
memory/2148-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-258-0x0000000074630000-0x0000000074D1E000-memory.dmp

Filesize
6.9MB

Download
memory/2148-1-0x00000000000D0000-0x00000000000D8000-memory.dmp

Filesize
32KB

Download
memory/2148-0-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/2148-249-0x000000007463E000-0x000000007463F000-memory.dmp

Filesize
4KB

Download
memory/2244-269-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2244-257-0x0000000000560000-0x00000000005AB000-memory.dmp

Filesize
300KB

Download
memory/2304-649-0x000000013F3D0000-0x000000013F967000-memory.dmp

Filesize
5.6MB

Download
memory/2312-376-0x000000013F5B0000-0x000000013F5B6000-memory.dmp

Filesize
24KB

Download
memory/2344-538-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/2344-536-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2444-952-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2444-953-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2476-684-0x0000000001050000-0x0000000001374000-memory.dmp

Filesize
3.1MB

Download
memory/2636-659-0x00000000012D0000-0x00000000012E2000-memory.dmp

Filesize
72KB

Download
memory/2816-804-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2880-685-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2908-648-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download
memory/2908-686-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/3012-270-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-267-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3012-344-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download