783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d

Analysis

max time kernel
149s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
24-06-2021 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unknownfamily.exe
Size

2.8MB
MD5

3299ebb7b213d7ab79f7fef2296b06d2
SHA1

71efb0ca7eac2410291a6405977aa81bb72394f1
SHA256

783e538320d6a9f69ac93e74a1296403cd8824596c535f8fc563fbbc21bf362d
SHA512

5f5f1e3d45a83cac12f7590a628c1a4f8cbcb84deb4e5c86566778164761c738fefab11a003fee4372121b7545fb26ec7ec2fede0c3ba34470523fdc03ecb996

Score

9^/10

adware bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Drops file in Drivers directory 4 IoCs

Processes:

core.exeGbpSv.exegbpcefwr64.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\wsddpp.sys	core.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	GbpSv.exe
File created	C:\Windows\system32\drivers\is-J71A4.tmp	gbpcefwr64.tmp
File created	C:\Windows\system32\drivers\is-H0QJG.tmp	gbpcefwr64.tmp

Executes dropped EXE 42 IoCs

Processes:

GBPCEF.exeGBPCEF.tmpGbpDist.exeGbpSv.exeGbpSv.exeGbpSv.exevcredist.exevcredist_64.exegbpcefwr64.exegbpcefwr64.tmpget_version.exe_setup64.tmpopenssl.exeopenssl.exeopenssl.exeopenssl.exeopenssl.exewsffcmgr.execertutil.execertutil.execertutil.execertutil.exemw_import.execorefixer.exewsffcmgr.execertutil.execertutil.exewsffcmgr.execertutil.execertutil.execertutil.execertutil.execore.execore.exeimpersonate.execore.execore.exewsffcmgr.execertutil.execertutil.exewsffcmgr.execertutil.exe

pid	process
2832	GBPCEF.exe
1300	GBPCEF.tmp
4052	GbpDist.exe
1824	GbpSv.exe
3384	GbpSv.exe
3472	GbpSv.exe
3892	vcredist.exe
3576	vcredist_64.exe
3268	gbpcefwr64.exe
3748	gbpcefwr64.tmp
3272	get_version.exe
2124	_setup64.tmp
1980	openssl.exe
1272	openssl.exe
664	openssl.exe
2140	openssl.exe
3236	openssl.exe
3432	wsffcmgr.exe
3604	certutil.exe
708	certutil.exe
1224	certutil.exe
3844	certutil.exe
3124	mw_import.exe
3396	corefixer.exe
3580	wsffcmgr.exe
1400	certutil.exe
3904	certutil.exe
1272	wsffcmgr.exe
3952	certutil.exe
2312	certutil.exe
2256	certutil.exe
3980	certutil.exe
2824	core.exe
2252	core.exe
792	impersonate.exe
3272	core.exe
1004	core.exe
620	wsffcmgr.exe
1228	certutil.exe
2300	certutil.exe
3780	wsffcmgr.exe
1616	certutil.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

core.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	core.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	core.exe

Loads dropped DLL 64 IoCs

Processes:

GBPCEF.tmpGbpDist.exeGbpSv.exeGbpSv.exeGbpSv.exerundll32.exerundll32.exewsffcmgr.execertutil.execertutil.execertutil.execertutil.exewsffcmgr.execertutil.exe

pid	process
1300	GBPCEF.tmp
4052	GbpDist.exe
1824	GbpSv.exe
3384	GbpSv.exe
3472	GbpSv.exe
1300	rundll32.exe
2832	rundll32.exe
2832	rundll32.exe
2832	rundll32.exe
3432	wsffcmgr.exe
3432	wsffcmgr.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
3604	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
708	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
1224	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3844	certutil.exe
3580	wsffcmgr.exe
3580	wsffcmgr.exe
1400	certutil.exe
1400	certutil.exe
1400	certutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

gbpcefwr64.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	gbpcefwr64.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Diebold - Warsaw = "C:\\Program Files\\Diebold\\Warsaw\\core.exe"	gbpcefwr64.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

unknownfamily.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA unknownfamily.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unknownfamily.exe

Modifies WinLogon 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

GbpSv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef\MaxWait = "258"	GbpSv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef\DllName = "C:\\Program Files (x86)\\GbPlugin\\gbiehCef.dll"	GbpSv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef\Startup = "GbPluginEventStartup"	GbpSv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef	GbpSv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	GbpSv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef\Asynchronous = "0"	GbpSv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ GbPluginCef\Impersonate = "0"	GbpSv.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

GbpSv.execore.exe

description ioc process

File opened for modification \??\PhysicalDrive0 GbpSv.exe
File opened for modification \??\PhysicalDrive0 core.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	GbpSv.exe
File opened for modification	\??\PhysicalDrive0	core.exe

Drops file in System32 directory 6 IoCs

Processes:

unknownfamily.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	unknownfamily.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	unknownfamily.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	unknownfamily.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	unknownfamily.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	unknownfamily.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	unknownfamily.exe

Drops file in Program Files directory 64 IoCs

Processes:

gbpcefwr64.tmpGbpDist.exemw_import.execmd.exerundll32.exeGbpSv.execmd.exe

description	ioc	process
File created	C:\Program Files\Diebold\Warsaw\unins000.dat	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-GNSDP.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-GOOTO.tmp	gbpcefwr64.tmp
File opened for modification	C:\Program Files (x86)\GbPlugin\gbftin64.sys	GbpDist.exe
File created	C:\Program Files\Diebold\Warsaw\is-TD1V0.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-4H58J.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-UUPJK.tmp	gbpcefwr64.tmp
File created	C:\Program Files (x86)\Diebold\Warsaw\is-FMN7P.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\mw.dbd	mw_import.exe
File created	C:\Program Files\Diebold\Warsaw\is-KF388.tmp	gbpcefwr64.tmp
File opened for modification	C:\Program Files (x86)\GAS Tecnologia\Warsaw\wsbrmu.dll	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\root_ca.cer	cmd.exe
File created	C:\Program Files\Diebold\Warsaw\is-J4JVN.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\opt	rundll32.exe
File opened for modification	C:\Program Files (x86)\GbPlugin\gbpddfac64.sys	GbpDist.exe
File created	C:\Program Files\Diebold\Warsaw\is-UFUV9.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-IK5B1.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-GFQTN.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-H28UJ.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-8SKQN.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-55K6O.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-JDSJD.tmp	gbpcefwr64.tmp
File opened for modification	C:\Program Files\Diebold\Warsaw\unins000.dat	gbpcefwr64.tmp
File opened for modification	C:\Program Files (x86)\GbPlugin\gbpinj.dll	GbpDist.exe
File created	C:\Program Files\Diebold\Warsaw\is-47VGO.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-0ED7G.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-77G6A.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-N748T.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-IIR0E.tmp	gbpcefwr64.tmp
File created	C:\Program Files (x86)\GbPlugin:IncompleteStartProcessProtection.cnt	GbpSv.exe
File created	C:\Program Files\Diebold\Warsaw\is-2QKRG.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-GLIV1.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-0KU5R.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-IKQ4D.tmp	gbpcefwr64.tmp
File opened for modification	C:\Program Files\Diebold\Warsaw\ws.dat	cmd.exe
File opened for modification	C:\Program Files (x86)\GbPlugin\pm.dll	GbpDist.exe
File opened for modification	C:\Program Files (x86)\GbPlugin\gbpddreg32.sys	GbpDist.exe
File opened for modification	C:\Program Files (x86)\Diebold\Warsaw	gbpcefwr64.tmp
File opened for modification	C:\Program Files (x86)\GAS Tecnologia	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-QKCGD.tmp	gbpcefwr64.tmp
File created	C:\Program Files (x86)\Diebold\Warsaw\is-LK7F1.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-NP98A.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-1CAFN.tmp	gbpcefwr64.tmp
File opened for modification	C:\Program Files (x86)\Diebold\Warsaw\wsbrmu.dll	gbpcefwr64.tmp
File opened for modification	C:\Program Files (x86)\GbPlugin\gbprcm64.sys	GbpDist.exe
File opened for modification	C:\Program Files (x86)\GbPlugin\gbpddreg64.sys	GbpDist.exe
File opened for modification	C:\Program Files\Diebold\Warsaw\root_ca.cer	cmd.exe
File created	C:\Program Files\Diebold\Warsaw\ws.dat	cmd.exe
File opened for modification	C:\Program Files (x86)\GbPlugin\gbieh.gmd	GbpDist.exe
File opened for modification	C:\Program Files (x86)\GbPlugin\wsftprp64.sys	GbpDist.exe
File opened for modification	C:\Program Files (x86)\GbPlugin\gbiehcef.dll	GbpDist.exe
File opened for modification	C:\PROGRA~2\GbPlugin\GbpSv.exe	GbpDist.exe
File opened for modification	C:\Program Files (x86)\GbPlugin:IncompleteStartProcessProtection.cnt	GbpSv.exe
File opened for modification	C:\Program Files (x86)\Diebold	gbpcefwr64.tmp
File created	C:\Program Files (x86)\Diebold\Warsaw\is-23H48.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-J4J8F.tmp	gbpcefwr64.tmp
File opened for modification	C:\Program Files (x86)\GbPlugin\gbpsv.exe	GbpDist.exe
File created	C:\Program Files\Diebold\Warsaw\is-0S0H7.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-P1A4I.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-SOFR7.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-ID5AP.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-5O7Q1.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-DTNDS.tmp	gbpcefwr64.tmp
File created	C:\Program Files\Diebold\Warsaw\is-FPDEK.tmp	gbpcefwr64.tmp

Drops file in Windows directory 2 IoCs

Processes:

GbpDist.exegbpcefwr64.tmp

description ioc process

File created C:\Windows\system32:42B15FD7_Cef.gbp GbpDist.exe
File created C:\Windows\Fonts\is-13H21.tmp gbpcefwr64.tmp
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1016 tasklist.exe
3760 tasklist.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

core.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\ core.exe

description	ioc	process
File created	C:\Windows\system32:42B15FD7_Cef.gbp	GbpDist.exe
File created	C:\Windows\Fonts\is-13H21.tmp	gbpcefwr64.tmp

pid	process
1016	tasklist.exe
3760	tasklist.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\	core.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

GbpSv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	GbpSv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	GbpSv.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

unknownfamily.exevcredist.execertutil.execorefixer.execore.exeGBPCEF.tmpwsffcmgr.exegbpcefwr64.tmpvcredist_64.exeGbpDist.exewsffcmgr.exewsffcmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	unknownfamily.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	vcredist.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	certutil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	corefixer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	core.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	GBPCEF.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	wsffcmgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	GBPCEF.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	wsffcmgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	core.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	gbpcefwr64.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	unknownfamily.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	GBPCEF.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00570069006e0064006f00770073005c00540045004d0050005c00690073002d004d0045005100360030002e0074006d0070005c0047006200700064006900730074005c004300650066005c0047006200700044006900730074005500740069006c002e0064006c006c00000043003a005c00570069006e0064006f00770073005c00540045004d0050005c00690073002d004d0045005100360030002e0074006d0070005c0047006200700064006900730074005c004300650066005c0047006200700044006900730074002e0065007800650000000000	GBPCEF.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	unknownfamily.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	vcredist_64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	unknownfamily.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\GbPlugin\Cef\gFaYEcJ9U3dI = "gFaYEaIlAXY3WkJn1DvE8lF8q86JpVOOqA=="	GbpDist.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	corefixer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	unknownfamily.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = c3a44d1bd91c9dfc40be7de5c5fe18cbf3eb7fc805bd898c668aeade9e1d2bdf	GBPCEF.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	unknownfamily.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 1405000089af6f6d2b69d701	GBPCEF.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	vcredist.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	wsffcmgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	GbpDist.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931}\iexplore	GbpDist.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	wsffcmgr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	core.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	unknownfamily.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	unknownfamily.exe

Modifies registry class 64 IoCs

Processes:

GbpDist.exeGbpSv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}\InprocServer32	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}\ = "IGbIehObj"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}\TypeLib\ = "{C41A1C01-EA6C-11D4-B1B8-444553540003}"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C882003}\TypeLib	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C350402-AD9A-41E7-A303-C49F6C520003}\ProxyStubClsid32	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbIeh.GbExplorerPersistObj\CLSID	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}\InprocServer32	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GbPlugin\\"	GbpSv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbIeh.GbExplorerPersistObj\CurVer	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}\InprocServer32\ = "C:\\Program Files (x86)\\GbPlugin\\gbiehcef.dll"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C350402-AD9A-41E7-A303-C49F6C520003}\ProxyStubClsid32	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbPluginObj.1\CLSID	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}\ProgID	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbIeh.GbExplorerPersistObj.1	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbIehObj\CurVer\ = "GbiehCef.GbIehObj.1"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}\Programmable	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}\TypeLib	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C882003}\TypeLib\Version = "1.0"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C350402-AD9A-41E7-A303-C49F6C520003}	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C350402-AD9A-41E7-A303-C49F6C520003}	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C350402-AD9A-41E7-A303-C49F6C520003}\ = "IGbExplorerPersistObj"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbIeh.GbExplorerPersistObj.1\CLSID	GbpDist.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\WOW6432Node\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}\ProgID	GbpSv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbIehObj.1\CLSID	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbPluginObj.1	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}\VersionIndependentProgID	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}\TypeLib\Version = "1.0"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C882003}\TypeLib\ = "{C41A1C01-EA6C-11D4-B1B8-444553540003}"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\GbExplorerPersistObj\ = "{98C11555-BC81-40aa-A053-DAADC5630003}"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}\1.0\0\win32\ = "C:\\Program Files (x86)\\GbPlugin\\gbiehcef.dll"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}\ProxyStubClsid32	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5C350402-AD9A-41E7-A303-C49F6C520003}\ = "IGbExplorerPersistObj"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbIehObj.1\CLSID\ = "{C41A1C0E-EA6C-11D4-B1B8-444553540003}"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}\VersionIndependentProgID	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}\InprocServer32\ThreadingModel = "Apartment"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\GbPlugin"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C882003}	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C882003}\TypeLib	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GbIeh.GbExplorerPersistObj\CLSID\ = "{98C11555-BC81-40aa-A053-DAADC5630003}"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbIehObj.1	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbIehObj.1\ = "GbIehObj Class"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbIehObj\CurVer	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}\ProgID\ = "GbiehCef.GbPluginObj.1"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003}\Implemented Categories	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}\TypeLib\ = "{C41A1C01-EA6C-11D4-B1B8-444553540003}"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}\ProxyStubClsid32	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C882003}\ = "IGbPluginObj"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7827CCC3-0DEB-4CFB-911C-AA777C882003}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GbpDist.exe
Key created	\REGISTRY\MACHINE\Software\CLASSES\GbiehCef.GbIehObj	GbpSv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GbIeh.GbExplorerPersistObj.1\CLSID\ = "{98C11555-BC81-40aa-A053-DAADC5630003}"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C41A1C0D-EA6C-11D4-B1B8-444553540003}\TypeLib\ = "{C41A1C01-EA6C-11D4-B1B8-444553540003}"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}\ProgID	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C41A1C01-EA6C-11D4-B1B8-444553540003}\1.0\HELPDIR	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}\ProgID\ = "GbiehCef.GbExplorerPersistObj.1"	GbpSv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}\ = "GbExplorerPersistObj Class"	GbpDist.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003}\InprocServer32	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5C350402-AD9A-41E7-A303-C49F6C520003}\TypeLib\ = "{C41A1C01-EA6C-11D4-B1B8-444553540003}"	GbpDist.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GbiehCef.GbIehObj\ = "{C41A1C0E-EA6C-11D4-B1B8-444553540003}"	GbpSv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{98C11555-BC81-40aa-A053-DAADC5630003}\InprocServer32\ThreadingModel = "Apartment"	GbpDist.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

unknownfamily.execore.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	unknownfamily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1D257A26AAC1C0DBD4484573955916347EB8E3B2	core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1D257A26AAC1C0DBD4484573955916347EB8E3B2\Blob = 140000000100000014000000a0317c039d8e1e5ce32d01ef92d41e5b9feb11dc0300000001000000140000001d257a26aac1c0dbd4484573955916347eb8e3b20f0000000100000020000000af7616010c5bd6f32c8b3ae01736e662c3dec506dbd8e5d00030d5625b5ecc9b2000000001000000ba040000308204b63082029e020900ce03ec5756049665300d06092a864886f70d01010b0500301d311b30190603550403131257617273617720506572736f6e616c204341301e170d3231303632343139303332305a170d3331303632323139303332305a301d311b30190603550403131257617273617720506572736f6e616c20434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d2d2003bb04cb1b6933cdf82026af9d2fdac9838f5b4edb8093dd87d6098194dc8671d2967d530183bcd67830f8f4ba8269a3a4e9f5422efc94150f3958c7c0b18961f51264479f8ab5c32fd7e2f8c839a9a855e76ea8522475483ad20f88b65cb123619fdd1dc77eac6a695c65d56187be2a5c22f142307bdb2dd6fbe83e0446fbacf4c849fe85e1070f4bc2992abd12ca7dd6c9604fb21fca8ea9f1ed7b0a9a25acc3f409e7a47fd5764d4ade633a9c50b85ffd77ef6ef0975fd4ba676f33678da551c95f4d7cc05f834e79f8ead980495e880acaf366568cddd223483e621698ebb2127c5e740c31f4903f7e0743f1cacdbae45100d7a2a52325f4d601e5a6b6df6ed693a531f9773976a966f4c0ddd3eb8b5e637e5a096ff538aa8e85d692051c3f99d11aeed45c75bd765f33f5d145bbc3317c1ec77776df5aec7358da4f5624343f7fac2103909b88bf448598f1a6fe2880e35ea638890a9b73ce39ec2c49fc62940fbb69c0929eacbafbced2ef7fe4324dac860428d62508c1c9f8c715dbcf9238b6f5c82e8e5f162131011b1c9c283f7b1c729e42da47f8f87c0f2efd643aa2269d172b70cde1e6aa9ff196f52e84ff8511dadcbfcd7ccc31592d75252586944552f7df467b2029de500cddd59d87d73d2bdcd9c20a2e3559b4f2e4df3829d1809ee0e9c62d45993b44ef5e558eb88dc733b95dd2bcbd768af6bc0250203010001300d06092a864886f70d01010b05000382020100bdee86e117a39fcdd489c7e44fa182db91e797915a28b57a77366a8d9b6182ed3c92829a5428b353b0a23dce27362eb10944bc9682cbbc361094ab20609f891b8fd368713acd96d7e1177bfc4e76312137805c9472f013b7aa7b4ff66692ebb202db616f45b7f6bcaa8fdc34dda3398d80a93cc9dd830fcf0a487db8497cb416632fcf8a9cdf51ff7a361e4d922b22edccf880470a38feac03b092c9f1679f77fda7e727542e44c3eadf5b3bf08e3d157e0df4400f348a44d39339b5bcc8d1c23cf40d98813cefd691284cba8c2254b37b1534c193a02cc57e3d22397161bceafd77faa1ab50b51fd135a7e4ae795fb8681fd824d617c1ce8edafe6c38b65190fe425888bf44f73cb855f7b72c4498ed41e66ef474b147580c4a326e386c719cb04bb767d976614e699dde94dd4f0b7be3d669992a78126c97249aac15716294262f0572111db4af24a3301591526c156fc12ad971d9e2487dad78a4f92e9c2970abd08a303e27c0941434ec86276f68094e228e601b28a5be163996ac366d6678782c59d1184d0f7b1f6b6416d66454e3ac2a009f1a0a8c3bf10dbfb88c04152c83c27b23b31ea32372091786919f68a6011cd9f000957edfcabd150082a85a907a1413157b9c53e1120f7b0f9d938d2d17345bdeebf4c39153e297575affeeab6b8f349fce117b3e6bad41bcc91dc54e3909e0f56e40c64265701d226da773	core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1D257A26AAC1C0DBD4484573955916347EB8E3B2\Blob = 190000000100000010000000bc0ba894281cf8aa3e7b2784b765f6940f0000000100000020000000af7616010c5bd6f32c8b3ae01736e662c3dec506dbd8e5d00030d5625b5ecc9b0300000001000000140000001d257a26aac1c0dbd4484573955916347eb8e3b2140000000100000014000000a0317c039d8e1e5ce32d01ef92d41e5b9feb11dc2000000001000000ba040000308204b63082029e020900ce03ec5756049665300d06092a864886f70d01010b0500301d311b30190603550403131257617273617720506572736f6e616c204341301e170d3231303632343139303332305a170d3331303632323139303332305a301d311b30190603550403131257617273617720506572736f6e616c20434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d2d2003bb04cb1b6933cdf82026af9d2fdac9838f5b4edb8093dd87d6098194dc8671d2967d530183bcd67830f8f4ba8269a3a4e9f5422efc94150f3958c7c0b18961f51264479f8ab5c32fd7e2f8c839a9a855e76ea8522475483ad20f88b65cb123619fdd1dc77eac6a695c65d56187be2a5c22f142307bdb2dd6fbe83e0446fbacf4c849fe85e1070f4bc2992abd12ca7dd6c9604fb21fca8ea9f1ed7b0a9a25acc3f409e7a47fd5764d4ade633a9c50b85ffd77ef6ef0975fd4ba676f33678da551c95f4d7cc05f834e79f8ead980495e880acaf366568cddd223483e621698ebb2127c5e740c31f4903f7e0743f1cacdbae45100d7a2a52325f4d601e5a6b6df6ed693a531f9773976a966f4c0ddd3eb8b5e637e5a096ff538aa8e85d692051c3f99d11aeed45c75bd765f33f5d145bbc3317c1ec77776df5aec7358da4f5624343f7fac2103909b88bf448598f1a6fe2880e35ea638890a9b73ce39ec2c49fc62940fbb69c0929eacbafbced2ef7fe4324dac860428d62508c1c9f8c715dbcf9238b6f5c82e8e5f162131011b1c9c283f7b1c729e42da47f8f87c0f2efd643aa2269d172b70cde1e6aa9ff196f52e84ff8511dadcbfcd7ccc31592d75252586944552f7df467b2029de500cddd59d87d73d2bdcd9c20a2e3559b4f2e4df3829d1809ee0e9c62d45993b44ef5e558eb88dc733b95dd2bcbd768af6bc0250203010001300d06092a864886f70d01010b05000382020100bdee86e117a39fcdd489c7e44fa182db91e797915a28b57a77366a8d9b6182ed3c92829a5428b353b0a23dce27362eb10944bc9682cbbc361094ab20609f891b8fd368713acd96d7e1177bfc4e76312137805c9472f013b7aa7b4ff66692ebb202db616f45b7f6bcaa8fdc34dda3398d80a93cc9dd830fcf0a487db8497cb416632fcf8a9cdf51ff7a361e4d922b22edccf880470a38feac03b092c9f1679f77fda7e727542e44c3eadf5b3bf08e3d157e0df4400f348a44d39339b5bcc8d1c23cf40d98813cefd691284cba8c2254b37b1534c193a02cc57e3d22397161bceafd77faa1ab50b51fd135a7e4ae795fb8681fd824d617c1ce8edafe6c38b65190fe425888bf44f73cb855f7b72c4498ed41e66ef474b147580c4a326e386c719cb04bb767d976614e699dde94dd4f0b7be3d669992a78126c97249aac15716294262f0572111db4af24a3301591526c156fc12ad971d9e2487dad78a4f92e9c2970abd08a303e27c0941434ec86276f68094e228e601b28a5be163996ac366d6678782c59d1184d0f7b1f6b6416d66454e3ac2a009f1a0a8c3bf10dbfb88c04152c83c27b23b31ea32372091786919f68a6011cd9f000957edfcabd150082a85a907a1413157b9c53e1120f7b0f9d938d2d17345bdeebf4c39153e297575affeeab6b8f349fce117b3e6bad41bcc91dc54e3909e0f56e40c64265701d226da773	core.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	unknownfamily.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	unknownfamily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	unknownfamily.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1D257A26AAC1C0DBD4484573955916347EB8E3B2\Blob = 0f0000000100000020000000af7616010c5bd6f32c8b3ae01736e662c3dec506dbd8e5d00030d5625b5ecc9b0300000001000000140000001d257a26aac1c0dbd4484573955916347eb8e3b22000000001000000ba040000308204b63082029e020900ce03ec5756049665300d06092a864886f70d01010b0500301d311b30190603550403131257617273617720506572736f6e616c204341301e170d3231303632343139303332305a170d3331303632323139303332305a301d311b30190603550403131257617273617720506572736f6e616c20434130820222300d06092a864886f70d01010105000382020f003082020a0282020100d2d2003bb04cb1b6933cdf82026af9d2fdac9838f5b4edb8093dd87d6098194dc8671d2967d530183bcd67830f8f4ba8269a3a4e9f5422efc94150f3958c7c0b18961f51264479f8ab5c32fd7e2f8c839a9a855e76ea8522475483ad20f88b65cb123619fdd1dc77eac6a695c65d56187be2a5c22f142307bdb2dd6fbe83e0446fbacf4c849fe85e1070f4bc2992abd12ca7dd6c9604fb21fca8ea9f1ed7b0a9a25acc3f409e7a47fd5764d4ade633a9c50b85ffd77ef6ef0975fd4ba676f33678da551c95f4d7cc05f834e79f8ead980495e880acaf366568cddd223483e621698ebb2127c5e740c31f4903f7e0743f1cacdbae45100d7a2a52325f4d601e5a6b6df6ed693a531f9773976a966f4c0ddd3eb8b5e637e5a096ff538aa8e85d692051c3f99d11aeed45c75bd765f33f5d145bbc3317c1ec77776df5aec7358da4f5624343f7fac2103909b88bf448598f1a6fe2880e35ea638890a9b73ce39ec2c49fc62940fbb69c0929eacbafbced2ef7fe4324dac860428d62508c1c9f8c715dbcf9238b6f5c82e8e5f162131011b1c9c283f7b1c729e42da47f8f87c0f2efd643aa2269d172b70cde1e6aa9ff196f52e84ff8511dadcbfcd7ccc31592d75252586944552f7df467b2029de500cddd59d87d73d2bdcd9c20a2e3559b4f2e4df3829d1809ee0e9c62d45993b44ef5e558eb88dc733b95dd2bcbd768af6bc0250203010001300d06092a864886f70d01010b05000382020100bdee86e117a39fcdd489c7e44fa182db91e797915a28b57a77366a8d9b6182ed3c92829a5428b353b0a23dce27362eb10944bc9682cbbc361094ab20609f891b8fd368713acd96d7e1177bfc4e76312137805c9472f013b7aa7b4ff66692ebb202db616f45b7f6bcaa8fdc34dda3398d80a93cc9dd830fcf0a487db8497cb416632fcf8a9cdf51ff7a361e4d922b22edccf880470a38feac03b092c9f1679f77fda7e727542e44c3eadf5b3bf08e3d157e0df4400f348a44d39339b5bcc8d1c23cf40d98813cefd691284cba8c2254b37b1534c193a02cc57e3d22397161bceafd77faa1ab50b51fd135a7e4ae795fb8681fd824d617c1ce8edafe6c38b65190fe425888bf44f73cb855f7b72c4498ed41e66ef474b147580c4a326e386c719cb04bb767d976614e699dde94dd4f0b7be3d669992a78126c97249aac15716294262f0572111db4af24a3301591526c156fc12ad971d9e2487dad78a4f92e9c2970abd08a303e27c0941434ec86276f68094e228e601b28a5be163996ac366d6678782c59d1184d0f7b1f6b6416d66454e3ac2a009f1a0a8c3bf10dbfb88c04152c83c27b23b31ea32372091786919f68a6011cd9f000957edfcabd150082a85a907a1413157b9c53e1120f7b0f9d938d2d17345bdeebf4c39153e297575affeeab6b8f349fce117b3e6bad41bcc91dc54e3909e0f56e40c64265701d226da773	core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	unknownfamily.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	unknownfamily.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	unknownfamily.exe

NTFS ADS 6 IoCs

Processes:

GbpSv.exeGbpSv.exerundll32.exeGbpDist.exe

description	ioc	process
File created	C:\Program Files (x86)\GbPlugin:IncompleteStartProcessProtection.cnt	GbpSv.exe
File opened for modification	C:\ProgramData\GbPlugin:IncompleteStartGbprcm.cnt	GbpSv.exe
File created	C:\ProgramData\GbPlugin:IncompleteStartGbprcm.cnt	GbpSv.exe
File created	C:\Program Files\Diebold\Warsaw:oyhagmu138iahnc	rundll32.exe
File created	C:\Windows\system32:42B15FD7_Cef.gbp	GbpDist.exe
File opened for modification	C:\Program Files (x86)\GbPlugin:IncompleteStartProcessProtection.cnt	GbpSv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

unknownfamily.exeunknownfamily.exeGBPCEF.tmpGbpSv.exeopenssl.exeopenssl.exeopenssl.exeopenssl.exeopenssl.execorefixer.execore.execore.exe

pid	process
568	unknownfamily.exe
568	unknownfamily.exe
568	unknownfamily.exe
568	unknownfamily.exe
3156	unknownfamily.exe
3156	unknownfamily.exe
568	unknownfamily.exe
568	unknownfamily.exe
3156	unknownfamily.exe
3156	unknownfamily.exe
1300	GBPCEF.tmp
1300	GBPCEF.tmp
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
1980	openssl.exe
1980	openssl.exe
1980	openssl.exe
1980	openssl.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
1272	openssl.exe
1272	openssl.exe
1272	openssl.exe
1272	openssl.exe
664	openssl.exe
664	openssl.exe
664	openssl.exe
664	openssl.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
2140	openssl.exe
2140	openssl.exe
2140	openssl.exe
2140	openssl.exe
3236	openssl.exe
3236	openssl.exe
3236	openssl.exe
3236	openssl.exe
3396	corefixer.exe
3396	corefixer.exe
1004	core.exe
1004	core.exe
2252	core.exe
2252	core.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
3384	GbpSv.exe
2252	core.exe
2252	core.exe

Suspicious behavior: LoadsDriver 11 IoCs

Processes:

GbpSv.execore.exe

pid process

3384 GbpSv.exe
604
604
604
604
604
604
604
604
604
2252 core.exe

pid	process
3384	GbpSv.exe
604
604
604
604
604
604
604
604
604
2252	core.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

GbpSv.exeGbpSv.exeGbpSv.exewsffcmgr.exewsffcmgr.exewsffcmgr.execore.execore.exeimpersonate.exewsffcmgr.exewsffcmgr.exetasklist.exetasklist.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3384	GbpSv.exe
Token: SeIncreaseQuotaPrivilege	3384	GbpSv.exe
Token: SeSecurityPrivilege	3384	GbpSv.exe
Token: SeLoadDriverPrivilege	3384	GbpSv.exe
Token: SeSystemtimePrivilege	3384	GbpSv.exe
Token: SeShutdownPrivilege	3384	GbpSv.exe
Token: SeSystemEnvironmentPrivilege	3384	GbpSv.exe
Token: SeUndockPrivilege	3384	GbpSv.exe
Token: SeManageVolumePrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	1824	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeTcbPrivilege	3384	GbpSv.exe
Token: SeIncreaseQuotaPrivilege	3384	GbpSv.exe
Token: SeAssignPrimaryTokenPrivilege	3384	GbpSv.exe
Token: SeTakeOwnershipPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3472	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeRestorePrivilege	3432	wsffcmgr.exe
Token: SeRestorePrivilege	3580	wsffcmgr.exe
Token: SeRestorePrivilege	1272	wsffcmgr.exe
Token: SeDebugPrivilege	2824	core.exe
Token: SeTakeOwnershipPrivilege	2824	core.exe
Token: SeDebugPrivilege	2252	core.exe
Token: SeTakeOwnershipPrivilege	2252	core.exe
Token: SeTcbPrivilege	792	impersonate.exe
Token: SeIncreaseQuotaPrivilege	792	impersonate.exe
Token: SeAssignPrimaryTokenPrivilege	792	impersonate.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeLoadDriverPrivilege	2252	core.exe
Token: SeRestorePrivilege	620	wsffcmgr.exe
Token: SeRestorePrivilege	3780	wsffcmgr.exe
Token: SeDebugPrivilege	3760	tasklist.exe
Token: SeDebugPrivilege	1016	tasklist.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe
Token: SeDebugPrivilege	3384	GbpSv.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

GBPCEF.tmpGbpSv.exeGbpSv.exeGbpSv.exegbpcefwr64.tmp

pid process

1300 GBPCEF.tmp
3384 GbpSv.exe
1824 GbpSv.exe
3472 GbpSv.exe
3748 gbpcefwr64.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

unknownfamily.exeGBPCEF.exeGBPCEF.tmpGbpDist.exeGbpSv.exeGbpSv.exeGbpSv.exegbpcefwr64.exegbpcefwr64.tmprundll32.exe

description	pid	process	target process
PID 3156 wrote to memory of 2832	3156	unknownfamily.exe	GBPCEF.exe
PID 3156 wrote to memory of 2832	3156	unknownfamily.exe	GBPCEF.exe
PID 3156 wrote to memory of 2832	3156	unknownfamily.exe	GBPCEF.exe
PID 2832 wrote to memory of 1300	2832	GBPCEF.exe	GBPCEF.tmp
PID 2832 wrote to memory of 1300	2832	GBPCEF.exe	GBPCEF.tmp
PID 2832 wrote to memory of 1300	2832	GBPCEF.exe	GBPCEF.tmp
PID 1300 wrote to memory of 4052	1300	GBPCEF.tmp	GbpDist.exe
PID 1300 wrote to memory of 4052	1300	GBPCEF.tmp	GbpDist.exe
PID 1300 wrote to memory of 4052	1300	GBPCEF.tmp	GbpDist.exe
PID 4052 wrote to memory of 1824	4052	GbpDist.exe	GbpSv.exe
PID 4052 wrote to memory of 1824	4052	GbpDist.exe	GbpSv.exe
PID 4052 wrote to memory of 1824	4052	GbpDist.exe	GbpSv.exe
PID 1824 wrote to memory of 696	1824	GbpSv.exe	svchost.exe
PID 3384 wrote to memory of 696	3384	GbpSv.exe	svchost.exe
PID 3384 wrote to memory of 3472	3384	GbpSv.exe	GbpSv.exe
PID 3384 wrote to memory of 3472	3384	GbpSv.exe	GbpSv.exe
PID 3384 wrote to memory of 3472	3384	GbpSv.exe	GbpSv.exe
PID 3472 wrote to memory of 696	3472	GbpSv.exe	svchost.exe
PID 1300 wrote to memory of 184	1300	GBPCEF.tmp	cmd.exe
PID 1300 wrote to memory of 184	1300	GBPCEF.tmp	cmd.exe
PID 1300 wrote to memory of 184	1300	GBPCEF.tmp	cmd.exe
PID 3156 wrote to memory of 3892	3156	unknownfamily.exe	vcredist.exe
PID 3156 wrote to memory of 3892	3156	unknownfamily.exe	vcredist.exe
PID 3156 wrote to memory of 3892	3156	unknownfamily.exe	vcredist.exe
PID 3156 wrote to memory of 3576	3156	unknownfamily.exe	vcredist_64.exe
PID 3156 wrote to memory of 3576	3156	unknownfamily.exe	vcredist_64.exe
PID 3156 wrote to memory of 3576	3156	unknownfamily.exe	vcredist_64.exe
PID 3156 wrote to memory of 3268	3156	unknownfamily.exe	gbpcefwr64.exe
PID 3156 wrote to memory of 3268	3156	unknownfamily.exe	gbpcefwr64.exe
PID 3156 wrote to memory of 3268	3156	unknownfamily.exe	gbpcefwr64.exe
PID 3268 wrote to memory of 3748	3268	gbpcefwr64.exe	gbpcefwr64.tmp
PID 3268 wrote to memory of 3748	3268	gbpcefwr64.exe	gbpcefwr64.tmp
PID 3268 wrote to memory of 3748	3268	gbpcefwr64.exe	gbpcefwr64.tmp
PID 3748 wrote to memory of 3272	3748	gbpcefwr64.tmp	get_version.exe
PID 3748 wrote to memory of 3272	3748	gbpcefwr64.tmp	get_version.exe
PID 3748 wrote to memory of 3272	3748	gbpcefwr64.tmp	get_version.exe
PID 3748 wrote to memory of 2124	3748	gbpcefwr64.tmp	_setup64.tmp
PID 3748 wrote to memory of 2124	3748	gbpcefwr64.tmp	_setup64.tmp
PID 3748 wrote to memory of 1300	3748	gbpcefwr64.tmp	rundll32.exe
PID 3748 wrote to memory of 1300	3748	gbpcefwr64.tmp	rundll32.exe
PID 3748 wrote to memory of 1300	3748	gbpcefwr64.tmp	rundll32.exe
PID 1300 wrote to memory of 2832	1300	rundll32.exe	rundll32.exe
PID 1300 wrote to memory of 2832	1300	rundll32.exe	rundll32.exe
PID 3748 wrote to memory of 1980	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 1980	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 1980	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 1272	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 1272	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 1272	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 664	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 664	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 664	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 2140	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 2140	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 2140	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 3236	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 3236	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 3236	3748	gbpcefwr64.tmp	openssl.exe
PID 3748 wrote to memory of 3580	3748	gbpcefwr64.tmp	cmd.exe
PID 3748 wrote to memory of 3580	3748	gbpcefwr64.tmp	cmd.exe
PID 3748 wrote to memory of 1400	3748	gbpcefwr64.tmp	certutil.exe
PID 3748 wrote to memory of 1400	3748	gbpcefwr64.tmp	certutil.exe
PID 3748 wrote to memory of 3432	3748	gbpcefwr64.tmp	wsffcmgr.exe
PID 3748 wrote to memory of 3432	3748	gbpcefwr64.tmp	wsffcmgr.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

GbpSv.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	GbpSv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E37CB5F0-51F5-4395-A808-5FA49E399003} = "1"	GbpSv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{C41A1C0E-EA6C-11D4-B1B8-444553540003} = "1"	GbpSv.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\unknownfamily.exe
"C:\Users\Admin\AppData\Local\Temp\unknownfamily.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\Users\Admin\AppData\Local\Temp\unknownfamily.exe
"C:\Users\Admin\AppData\Local\Temp\unknownfamily.exe" service_service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\ProgramData\Temp\GBPCEF.exe
C:\ProgramData\Temp\\GBPCEF.exe /verysilent /norestart
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\TEMP\is-RDHN7.tmp\GBPCEF.tmp
"C:\Windows\TEMP\is-RDHN7.tmp\GBPCEF.tmp" /SL5="$2004A,6813317,58880,C:\ProgramData\Temp\GBPCEF.exe" /verysilent /norestart
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\TEMP\is-MEQ60.tmp\Gbpdist\Cef\GbpDist.exe
"C:\Windows\TEMP\is-MEQ60.tmp\Gbpdist\Cef\GbpDist.exe" -clientname Cef -paramstr VjafQqlLDLXbfV2TUbGiQrJJhoGJ9sX3xyeL+5hv1mi8tWy6353bRVJFQ2t1yE+1UvlhIWq+IQuav/D0ILh7izbZANUYuEsg21Y= -options 6255
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4052

C:\PROGRA~2\GbPlugin\GbpSv.exe
"C:\PROGRA~2\GbPlugin\GbpSv.exe" -install
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C rmdir /s /q + C:\Windows\TEMP\is-MEQ60.tmp\Gbpdist\Cef
4⤵
PID:184

C:\ProgramData\Temp\vcredist.exe
C:\ProgramData\Temp\vcredist.exe /verysilent
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3892

C:\ProgramData\Temp\vcredist_64.exe
C:\ProgramData\Temp\vcredist_64.exe /verysilent
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3576

C:\ProgramData\Temp\gbpcefwr64.exe
C:\ProgramData\Temp\gbpcefwr64.exe /verysilent /sp- /norestart /suppressmsgboxes /restartexitcode=3010 /nocancel
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\TEMP\is-IBL89.tmp\gbpcefwr64.tmp
"C:\Windows\TEMP\is-IBL89.tmp\gbpcefwr64.tmp" /SL5="$8004C,16836934,56832,C:\ProgramData\Temp\gbpcefwr64.exe" /verysilent /sp- /norestart /suppressmsgboxes /restartexitcode=3010 /nocancel
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\TEMP\is-0M1BS.tmp\get_version.exe
"C:\Windows\TEMP\is-0M1BS.tmp\get_version.exe" "C:\Program Files\Diebold\Warsaw\features.dat" "C:\Windows\TEMP\is-0M1BS.tmp\version.txt"
4⤵
- Executes dropped EXE
PID:3272

C:\Windows\TEMP\is-0M1BS.tmp\_isetup\_setup64.tmp
helper 105 0x32C
4⤵
- Executes dropped EXE
PID:2124

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Program Files\Diebold\Warsaw\wslbmid.dll", GetMigrateCache
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Program Files\Diebold\Warsaw\wslbmid.dll", GetMigrateCache
5⤵
- Loads dropped DLL
- Drops file in Program Files directory
- NTFS ADS
PID:2832

C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe
"C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe" genrsa -des3 -passout pass:00331-10000-00001-AA650 -out C:\Windows\TEMP\is-0M1BS.tmp\root_ca.key 4096
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe
"C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe" req -new -sha256 -x509 -days 3650 -key C:\Windows\TEMP\is-0M1BS.tmp\root_ca.key -passin pass:00331-10000-00001-AA650 -out C:\Windows\TEMP\is-0M1BS.tmp\root_ca.cer -config C:\Windows\TEMP\is-0M1BS.tmp\openssl.conf -subj "/CN=Warsaw Personal CA"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe
"C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe" genrsa -des3 -passout pass:00331-10000-00001-AA650 -out C:\Windows\TEMP\is-0M1BS.tmp\localhost.key 4096
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:664

C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe
"C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe" req -new -key C:\Windows\TEMP\is-0M1BS.tmp\localhost.key -passin pass:00331-10000-00001-AA650 -out C:\Windows\TEMP\is-0M1BS.tmp\localhost.csr -config C:\Windows\TEMP\is-0M1BS.tmp\openssl.conf -subj "/CN=127.0.0.1"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe
"C:\Windows\TEMP\is-0M1BS.tmp\openssl.exe" x509 -sha256 -req -days 3650 -in C:\Windows\TEMP\is-0M1BS.tmp\localhost.csr -CA C:\Windows\TEMP\is-0M1BS.tmp\root_ca.cer -CAkey C:\Windows\TEMP\is-0M1BS.tmp\root_ca.key -passin pass:00331-10000-00001-AA650 -set_serial 1 -out C:\Windows\TEMP\is-0M1BS.tmp\localhost.crt
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "copy /y "C:\Windows\TEMP\is-0M1BS.tmp\root_ca.cer" "C:\Program Files\Diebold\Warsaw\root_ca.cer""
4⤵
- Drops file in Program Files directory
PID:3580

C:\Windows\system32\certutil.exe
"C:\Windows\system32\certutil.exe" -addstore root "C:\Program Files\Diebold\Warsaw\root_ca.cer"
4⤵
- Modifies data under HKEY_USERS
PID:1400

C:\Program Files\Diebold\Warsaw\wsffcmgr.exe
"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --cn="Warsaw Personal CA" --a="ui"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\TEMP\warsaw_3432\certutil.exe
"C:\Windows\TEMP\warsaw_3432\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release" -n "Warsaw Personal CA"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3604

C:\Windows\TEMP\warsaw_3432\certutil.exe
"C:\Windows\TEMP\warsaw_3432\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/qeintnqb.Admin" -n "Warsaw Personal CA"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708

C:\Windows\TEMP\warsaw_3432\certutil.exe
"C:\Windows\TEMP\warsaw_3432\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release" -n "Warsaw Personal CA" -t "TCu,Cu,Tuw" -i "C:\Windows\TEMP\root_ca.cer"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224

C:\Windows\TEMP\warsaw_3432\certutil.exe
"C:\Windows\TEMP\warsaw_3432\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/qeintnqb.Admin" -n "Warsaw Personal CA" -t "TCu,Cu,Tuw" -i "C:\Windows\TEMP\root_ca.cer"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3844

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "del /F /Q "C:\Program Files\Diebold\Warsaw\root_ca.cer""
4⤵
PID:3576

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "copy /y /b "C:\Windows\TEMP\is-0M1BS.tmp\localhost.crt"+"C:\Windows\TEMP\is-0M1BS.tmp\localhost.key" "C:\Program Files\Diebold\Warsaw\ws.dat""
4⤵
- Drops file in Program Files directory
PID:4064

C:\Windows\TEMP\is-0M1BS.tmp\mw_import.exe
"C:\Windows\TEMP\is-0M1BS.tmp\mw_import.exe" --multi_file "C:\Program Files (x86)\GbPlugin\gbieh.gmd" --dbd_file "C:\Program Files\Diebold\Warsaw\mw.dbd" --max_names 2000 --pattern_names bank.gbl spec.gbl gbieh.gbl gbieh2.gbl
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3124

C:\Windows\TEMP\is-0M1BS.tmp\corefixer.exe
"C:\Windows\TEMP\is-0M1BS.tmp\corefixer.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3396

C:\Program Files\Diebold\Warsaw\wsffcmgr.exe
"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --cn="Warsaw Personal CA" --a="u"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\TEMP\warsaw_3580\certutil.exe
"C:\Windows\TEMP\warsaw_3580\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release" -n "Warsaw Personal CA"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400

C:\Windows\TEMP\warsaw_3580\certutil.exe
"C:\Windows\TEMP\warsaw_3580\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/qeintnqb.Admin" -n "Warsaw Personal CA"
6⤵
- Executes dropped EXE
PID:3904

C:\Program Files\Diebold\Warsaw\wsffcmgr.exe
"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --c="C:\Windows\TEMP\root_ca.cer" --cn="Warsaw Personal CA" --a="ui"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\TEMP\warsaw_1272\certutil.exe
"C:\Windows\TEMP\warsaw_1272\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release" -n "Warsaw Personal CA"
6⤵
- Executes dropped EXE
PID:3952

C:\Windows\TEMP\warsaw_1272\certutil.exe
"C:\Windows\TEMP\warsaw_1272\certutil.exe" -D -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/qeintnqb.Admin" -n "Warsaw Personal CA"
6⤵
- Executes dropped EXE
PID:2312

C:\Windows\TEMP\warsaw_1272\certutil.exe
"C:\Windows\TEMP\warsaw_1272\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release" -n "Warsaw Personal CA" -t "TCu,Cu,Tuw" -i "C:\Windows\TEMP\root_ca.cer"
6⤵
- Executes dropped EXE
PID:2256

C:\Windows\TEMP\warsaw_1272\certutil.exe
"C:\Windows\TEMP\warsaw_1272\certutil.exe" -A -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/qeintnqb.Admin" -n "Warsaw Personal CA" -t "TCu,Cu,Tuw" -i "C:\Windows\TEMP\root_ca.cer"
6⤵
- Executes dropped EXE
PID:3980

C:\Program Files\Diebold\Warsaw\core.exe
"C:\Program Files\Diebold\Warsaw\core.exe" --install-service
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\TEMP\is-0M1BS.tmp\impersonate.exe
"C:\Windows\TEMP\is-0M1BS.tmp\impersonate.exe" "C:\Program Files\Diebold\Warsaw\core.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Program Files\Diebold\Warsaw\core.exe
"C:\Program Files\Diebold\Warsaw\core.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1004

C:\Program Files\Diebold\Warsaw\core.exe
"C:\Program Files\Diebold\Warsaw\core.exe"
4⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\sc.exe
"sc.exe" start "Warsaw Technology"
4⤵
PID:1824

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Windows\TEMP\is-0M1BS.tmp\check_core.bat
4⤵
PID:1536

C:\Windows\system32\cmd.exe
cmd /c tasklist /?
5⤵
PID:4064

C:\Windows\system32\tasklist.exe
tasklist /?
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\system32\tasklist.exe
tasklist /FI "imagename eq core.exe"
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\find.exe
find /C "core.exe"
5⤵
PID:1296

C:\PROGRA~2\GbPlugin\GbpSv.exe
C:\PROGRA~2\GbPlugin\GbpSv.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies WinLogon
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3384

C:\PROGRA~2\GbPlugin\GbpSv.exe
C:\PROGRA~2\GbPlugin\GbpSv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3472

C:\Program Files\Diebold\Warsaw\core.exe
"C:\Program Files\Diebold\Warsaw\core.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Program Files\Diebold\Warsaw\wsffcmgr.exe
"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --cn="Warsaw Personal CA" --a="c"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\TEMP\warsaw_620\certutil.exe
"C:\Windows\TEMP\warsaw_620\certutil.exe" -O -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release" -n "Warsaw Personal CA"
3⤵
- Executes dropped EXE
PID:1228

C:\Windows\TEMP\warsaw_620\certutil.exe
"C:\Windows\TEMP\warsaw_620\certutil.exe" -O -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/qeintnqb.Admin" -n "Warsaw Personal CA"
3⤵
- Executes dropped EXE
PID:2300

C:\Program Files\Diebold\Warsaw\wsffcmgr.exe
"C:\Program Files\Diebold\Warsaw\wsffcmgr.exe" --t="C:\Program Files\Diebold\Warsaw\wsfftools" --cn="Warsaw Personal CA" --a="e" --c="C:\Windows\TEMP\tmp.cr"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Windows\TEMP\warsaw_3780\certutil.exe
"C:\Windows\TEMP\warsaw_3780\certutil.exe" -L -d "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/tqq24hzz.default-release" -n "Warsaw Personal CA" -a
3⤵
- Executes dropped EXE
PID:1616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Winlogon Helper DLL

T1004

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Temp\GBPCEF.exe
MD5
d5c809cdf52e0acac895af39160cb242

SHA1
de6c5820ac03f727dbf651fbdc6e29bddbf4a24e

SHA256
90dd130992de7541f3293e435202be48ff32b0e0bd64088fedf903dd8094fb9e

SHA512
4ccab7976276ebb2f292662110d57f31b7d5390752783ac0e0ed292627f268a7768d724e51bc05070b7c45cdebf1bb1a0d7773ecfbb9b60d86c6a34d790de479

Download Submit
C:\ProgramData\Temp\GBPCEF.exe
MD5
d5c809cdf52e0acac895af39160cb242

SHA1
de6c5820ac03f727dbf651fbdc6e29bddbf4a24e

SHA256
90dd130992de7541f3293e435202be48ff32b0e0bd64088fedf903dd8094fb9e

SHA512
4ccab7976276ebb2f292662110d57f31b7d5390752783ac0e0ed292627f268a7768d724e51bc05070b7c45cdebf1bb1a0d7773ecfbb9b60d86c6a34d790de479

Download Submit
C:\Windows\TEMP\is-MEQ60.tmp\Gbpdist\Cef\GbpDist.exe
MD5
b68579a6a5c1ec195b5ee092e8b7c1c7

SHA1
37e70fb9c2f36fd9951454446d4c67c317f3b37b

SHA256
2a6388b4c498abc7c2f83444abd09bdb16750d337f82665f37d281b865018f70

SHA512
186acb454f3756f3638e926e80694619ff3fc22c22bdb759d300ae90f46dd87e0b61d0a8cc7245bad4feb57bdfd1788670523fb3100ae8647071615b9c8ee52a

Download Submit
C:\Windows\TEMP\is-MEQ60.tmp\Gbpdist\Cef\gbieh.mtu
MD5
03bd13b55a52883ba222e1521020bf4a

SHA1
38457b40dd4e77c6760d92394062b186ea1e087e

SHA256
06aa1b2c587410e417fd77ea3297bd2995d184e6008c8a76a8d3363ca578b0da

SHA512
b4018e48f90a99f3ef9822d346a856fc1ed9c55d0f272049a989c2976185ca40e1420e7425b390701c88a7372396b1421b2da7f214427b5a637dba48775c1b9b

Download Submit
C:\Windows\Temp\is-MEQ60.tmp\Gbpdist\Cef\GbpDist.exe
MD5
b68579a6a5c1ec195b5ee092e8b7c1c7

SHA1
37e70fb9c2f36fd9951454446d4c67c317f3b37b

SHA256
2a6388b4c498abc7c2f83444abd09bdb16750d337f82665f37d281b865018f70

SHA512
186acb454f3756f3638e926e80694619ff3fc22c22bdb759d300ae90f46dd87e0b61d0a8cc7245bad4feb57bdfd1788670523fb3100ae8647071615b9c8ee52a

Download Submit
C:\Windows\Temp\is-RDHN7.tmp\GBPCEF.tmp
MD5
935ef792b74d857bd31b1fafd13b7210

SHA1
41094f5d206e9de36e3dfd4c026dcb1c3fa462a6

SHA256
c47065fa0f292243b7930786a58320d3c9a1d882d0f71599bd275389ca5b1c2c

SHA512
7425b36e1752b0d96f91e2f8978a50ed19a4218c18a2e936c856a9f667690ae61f60fb9944b67d9d96e40eddd8314854f99ed27591f80740e4f1217e798b6990

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\dbd\gas.dbd.updc
MD5
0c2331225dc3771cd00f6f70d8891fd1

SHA1
7fd846b063ad1cbe00395514d5542cef985a9694

SHA256
ca9ef57eadc47f928f781a88bff2f30701f288a83d5240effa21f099129cf815

SHA512
18778e87b9b5b8fb7a52c69b125eb23a5ef49871c8e937363230815ef544155875dc08beb62cec25320aea0f5b556106e381af4ab0ebce6a4a37e8c301c991c3

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.1.updc
MD5
8d153ec9ebae5bfc22556e1b1ccd9afb

SHA1
2fe509ef98bc4a9c10f67426fa9a66c4a5768658

SHA256
bcde26e3f8d4c3daf1c46c701075fb88b4d2465427574ec9ec375da36322f2a9

SHA512
2457e4388b5e06ab9f20bf1722ee754979fcee0c1e26e9443ecd67248ffc70de0a9ab2faa57914c5f5744e346f3c55ff8e167b434933bb896083ffc1aa8ef44e

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.10.updc
MD5
c8b9154ab5afedd17af61dc7d76241b8

SHA1
290d51e28a03aaf256bab5d55f5f26ee8a6bc146

SHA256
08cc35b6af48911c8607895f86dc66588c394b35c821a687301ca3e256f69320

SHA512
73b096715780f0f295fa87b7b7e2a0b427081835e7e02b3c04fc9ce4d4d3985824acefcc9bc178a26fc599a98dbe505ed4d9f78fa1695dd8210e606358718e22

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.100.updc
MD5
dd6a267d6ba3768ddfb14985ed790864

SHA1
06328de404c554583a895ff2e878a7aa437bf67a

SHA256
9032c6921d0acc36e8e9f7c539ea8521ce15bb7dabb7353ecddb45c62334d475

SHA512
159b231937a303016230643107f4586f434ff66d906e8a869c6018185f2d0ed2f6f5697f0167586727dea684c4c23e72946295734fc6fb625646c16b40db2900

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.101.updc
MD5
29df783272f3f76cff0cdb2a6289450e

SHA1
92a8dd80555b48490b4c9c20e7d4812500932794

SHA256
0c057c335b1adb910905d3d849974c67f455d35c303f55115f43a30313a37d8f

SHA512
57d1bf742acd5967364fd683935781572eb5b19135cc161e7ddd7cab78aae2e438639c58c0aafeff6f79b6afe00b6d5bd59df26fa0115e3f562384e993de743c

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.102.updc
MD5
2ef88db8a39a5402f259a141cf17e0b9

SHA1
43227d048ff3f60ece97d05b782c77729572d439

SHA256
e0e4daa196685903e86564ce6056c477c75c9d7a7a16b59fc2786319a76a5144

SHA512
a338dbed3365eee171673f27ef9fc8a91aeb977f65dff67a82537c643da5a5e7cddde4b597e2e8a3105a56a01eb093676d1f8e1bde61269226cabebba6668fdf

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.103.updc
MD5
ed398d6a8be05b0fc8d41ff8b2fbfae9

SHA1
5a2f43b32517231d626dc8865991c43588855180

SHA256
1f316c1e54d96a7d8b4d4728a886a7053768f478d6719c42b1d65c51d1384495

SHA512
a176afd71ffd938ee141d40b2175fd292c79c8b0f4745e4e21e9e9e2659f77c857cd93c0c038c939e72772ec21390949c28f6ac0abb7a09cb3fa3419783d4bfc

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.104.updc
MD5
f5a47c75e17c28a8f7a3078e2560eee5

SHA1
f5b63564673cdcfa480efcc5b44efcd5477e592a

SHA256
61a1a80270030c91b32ccde1ec20a0c0b9d27c2ecba1d4522d615be59affd213

SHA512
3ddebe7ca50755e8d5a1e61a861ae77351a30bfacdf8d06d7c3c3fc4ac8ff3dffd3509429af584758871230928700454e0956ae9b24e237c85a9ed1df81cbc97

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.105.updc
MD5
de6fe826b3a0cee38399fd048f2ee620

SHA1
4456e7610cfa468795ceef1e30b5af344470e77d

SHA256
7797418b3a70f2b9b9fa6190bfaf3ada8683a26274d44d0fc3a2353110017c6e

SHA512
a3a8c3c009e77ddf86cb1b09b40e4d10691c2e19edd9c07ecae84da2a1a252ec75ed76ab5cb113b6940a58ef072f90ed4bd782c3c3a6cc874d00fa68645693ea

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.106.updc
MD5
9434e9de6df2eea9f8201958f2c0fb00

SHA1
4aa9e2ab40e74c88df652db26117b64f8ea2808e

SHA256
6d1b9d64c9c4309d0488314103d4801b67ff1666e322f09d0586b1715870e674

SHA512
6c21646c33910b1a1dbd3b1a7dbc480a574a3b2535256d3dc68ca19519b173e27fb6942ba7f97679afb681ce360f304da42012e53e37354cb54280f43b9427d4

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.107.updc
MD5
9921c9a80eaf82a8de4759a918114922

SHA1
15f74914edf0500d94dbad1cad59dd1eb6dcbf1c

SHA256
dc6fcfc05da5a89c8f5b8ee991ac3d3ddea658b8e786492230f939304ab9c593

SHA512
3581edba1d6bd8eb3120f6e5852b09bb7a34c662c2a53e839696fa5b62365945b3e2319d7483d45a9d551949722c76d9a70dfe741c802506f9121c2f3b9ff19f

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.108.updc
MD5
d1fe4ee74fe1737de26bb88f079044ac

SHA1
42cafa8e34bc119bf5fd65f5e050c36cb0ce4477

SHA256
e203969c02a81f21937da0793780633211cfe4451d19b7958ec8e4ffb2cc1406

SHA512
ae823b19420d901c5ae47fdc5f7d173d6c2772728d61c14e9e6335622cccd8fe614c3b263b52ed2256b44ba9784c2c18e07a35f086ba5538f823ab827a5b93cb

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.109.updc
MD5
15bac539063864b7e50baaf241c68811

SHA1
74fdcdce212b8acd39bad921d4d13f4d93f54b50

SHA256
22f2cb599eac95a6a98668a6bc2ac66e8e0a8e4f6c17904c8226249a72ada4d0

SHA512
d4593d3c4026d3f2af60dfd46d89b6b0312204065e820e8b15685b3695d23a5c0fcf183bd323e2e24474be6489d9fe825a184f3d4a81ec660a382081f8712c5d

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.11.updc
MD5
823ab8442ad60feb0e407f141c6111a1

SHA1
749f0d87dc663246bccf243f93d3beed4717cac5

SHA256
849d91ed00f2455c768eca60ea4bd980e0831bf695ec9029e1bf55fe35d9558a

SHA512
58bd3ef4a40ab507e68cad15bf41cbb18856ca2f27eab0e4143162a1715cad8ad7f46cd07c266db989f0edf37d33d78cf166ea7d91497fc36a6d2f1ba886151a

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.110.updc
MD5
139d98483de0f0119c75992b6dc2759a

SHA1
bffc796d55a06fe53ed83cba3ebd4593ac3d2b6f

SHA256
92b9813250d02a89a42e7704917f1416838c37c16f9e4500c84a0fe16d6d86fe

SHA512
d8da1240bcb47d8d2a70493f1f4d95757feaf6adc05989feeac7d8555bf592b3b5c9f22d514e0cb0d2907ebee10e8d1e539ae46f697a3906419b71dc848a8d2e

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.111.updc
MD5
beffe46b643dda95d9a8578b68c0a81a

SHA1
d08831539c2e01f85addb9e08e1b34ac2b2fb386

SHA256
2e729a731a66fc60f7c01443103debfdbd0c0c50f7c4d7e7091987a9b01e285e

SHA512
5e65279dc7528957ed0be20914c0664c8d2205ecbb64bcfb59dc9b30fb12a345710d237f9a2dca5dd697a701f99915be1f7f677d49ff6a339b33033bf396111c

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.112.updc
MD5
f57f3bf35fa1257922d723916e0fbcf1

SHA1
9a478d8b997748d6b7be5e1aafba54c32379cfc6

SHA256
e8bc50ee702cbb46f7e800b70573612cadc962693fc72361c2a55a717a2f6697

SHA512
351c5b82ea6b7833a5ed1941283afe9d53ddb06f931fc6d72de529da3964dd23cff7610bd937d831930505d519bf77dd0f0a2e68ad1f7805789aa4747ad9577c

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.113.updc
MD5
98ba8036b2b460671d186e407356cbe4

SHA1
7cd5fe91b637495cc943a1849819b77b460fae6b

SHA256
79700b3fd5efc9178929735782e029101f7eb908338fb7b1d0a3b560e4bfde5d

SHA512
d948de34915a72ae043211d17e2f28d4d2cd66174d8dff6f92eb1bef321f228f275349efc732eb01dbcd05021f053ae45096fb42034be4926d61ad6233e67710

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.114.updc
MD5
eb3d76f0ae08cbe95d4aa0f835927d6c

SHA1
cf626cdbde5293b5db33576de9aa8967ec3a609d

SHA256
3b171d66e675c1b9c097094371cf3cdd2990415746f85722f0558dcb8269dd81

SHA512
880e7e32e19e74040b871a7e87d561ae5edabd88c37a2ac087ccf0ad2e62913f9be8e48026e4467102f0478749914b026a6cde3f92e68f0db942bb7746770d98

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.115.updc
MD5
b57ae6754b59e1752e50eb5a698413c2

SHA1
bd4c808fb7f5869798d849a4152e2b312f871cf4

SHA256
2db36a79a5454fa5a17a0c27fb2ec4d8a9e3795611aec616e7d2498aac3e1446

SHA512
4939a4649833cf913157dd6e28278885eee3725619fb2e90fc760d47668127235537e74ca9c87d9f736f3e0e6ca454f6b6440d00271fd8156f4a0d62d1c201d3

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.116.updc
MD5
b409dd847edfe6c7d25db01399f925c3

SHA1
95446c76411bbd4eb156b9098bab8c4a3d5cbb32

SHA256
2b36f7e354d785331c20161cac245c54cc9628535e0cff6c10867b1316155f05

SHA512
16cbf5324b0a88c142b32005025de0ac1b3bda32007df4e3ffd61a6308df9581670a624dec30d5412446adb955850f11582e19ae3d46ee1c44c1303bf2b62622

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.117.updc
MD5
9407ecf52657b14d0a6e787a65cf7378

SHA1
1dc683aa307b16fa125bebb4a08c76da72748180

SHA256
9b0825a9fafc06fc354bee1a7a7920b1c3822b8ddcb9b25a77b57cadfe7bf587

SHA512
4c90d592e314a2d5aedcead84c4f5e77e455e41117700a93b808be7fdbaa4e442d036016dc3446c4f34bc0c090599fe068e3eb2f347a40b3e93e4b71aa07a68f

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.118.updc
MD5
2859bcdb48a386b327e9fc34323075ba

SHA1
6be62f4a98d96a0b73b7cd1904fd5ed2eed2c277

SHA256
eeb03883a81dfc838ab14013d5df0b36c5c3763479387e255b582978cc5479ad

SHA512
8dd3efc5c58bfdd4d0927b2f59135cf510d336d234b3db2c671ffdeb9a45f8f3fc790798a862cb7ffb691afe3a4dfd0e25b4c413552d3e226bd08647b025e137

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.119.updc
MD5
f3a19649a67fceb30d04ff7982b39eb7

SHA1
afefa5e7ac3d7eb8a70e8b5ce3be867cb3d59eaf

SHA256
fb0308f4c1385fc4d35d536bf1b92ae3269e3e762eb26c8ef7eb4d1094d7f6d1

SHA512
868529746550b95e46749b147085e11b14ebbdf63b5cae99a5423ef1f61f3f018449c3feca061496c63311c7b9a9c13f04b664d276bef98bbafef2789ec74909

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.12.updc
MD5
f1efef0b20227b8caeb66549461c2ba0

SHA1
ee4cdc7639c03c1320b4ab86f69b98c772c85beb

SHA256
d042a97f5966c16aa9293c3dd42a3e6dc4d96fb23357afa76a380b44fe354904

SHA512
68c3c7f43ea6707d2620e7df6b5d24b1286df10e27562e2f399f9509b903472a1db2b26c4e121c2130b0df4107172793bf062afaf80f863646b0804d66809f46

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.120.updc
MD5
1c6589f248db8c8b2eadddaac45bc8e7

SHA1
34d0dba507f1d7da97fcaa1bd46c2cee193de3b6

SHA256
75cdc00f01ac333d751fdacec6f433ee3991dd28a9a6b73ed3b63937c6eb7fd1

SHA512
d1a6516d46adc110c5d82a429d68a1ab53b1c32d7ce819ca07882f513090aa35b99b3f7468f31f82c1cb9745b81aee2af523615ad6d8c84f035e911abb4563ef

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.121.updc
MD5
b3f934d94ec16d1b6680870084ba62ed

SHA1
9956a8271e844c1bbc48edaed7d4e0ad8762412b

SHA256
ac09cf8573a34cc51cc740cb96a6e0b7e9891ac302406e0aa41c601bc38bfe62

SHA512
ed0162f3a1b7ee748afc8ffcf80fb96838dcedacc4203c9807afd5b0f3dba24708a70e5c06a735a31f75315757803a658285919a7b9198b01585c94fd48557b9

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.122.updc
MD5
01632fd942eff7388f3793bf9248f141

SHA1
6c8eb42d7fe42d68cd91184ab08e5124ad1efbf8

SHA256
27cac4b6cef38834ff46b772cecb82a0a6dc74ab16960ed01800673ec8e63a9a

SHA512
1b0d61b1a1f1e34a4cb56d8358a53f862150869fad71372d6e75aa8385e4675d0eafb5ac4bbc0b52f640da70d5ad72717d9e255e894cae7d16a3a89f429caef8

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.123.updc
MD5
090651062fd43925222af9976fdcb74f

SHA1
e8471a14b43e8cd44c72e6ff490fa4b76b7b591e

SHA256
458a7ed62bbb248e3225ef6b78acf2f577cab1e2e027d8d3241e256536dd4422

SHA512
b5b2b7bdd973a3deca2312ca2ec1559990eac9b554fba7454957f6ce8824198dfc08f4b9890f32f38b1c6e28254e759ab49206f9bf07b540fa9c88b248f3560e

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.124.updc
MD5
710aaacec350fe09f4c2e8b8e2dd2914

SHA1
b19a84a0318c2623985042dd9ac52f69e21cd182

SHA256
a2e9e55f3c42da00ba796bdf5ffaa725125631c7f42f0e3bdbd155c775ec3f88

SHA512
6edf0ef2f70e010d68defbc97b67a3fcb603491b6e037950a3727a321b8ed3813ea56a5dc7147bf05a1e97a01d69ae1d74d537fb764c2eafb44dab9021790031

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.125.updc
MD5
98916bc878dfe441b16d9610a1167aa0

SHA1
0b0726ec4d9ba625048e8c36533ce4d40ad0498f

SHA256
e0875a77159a9103f4a1c688c5f3835d4bea8f61c876a38bd7d4c1ff276cf74b

SHA512
55794d9af9b6113e83fcd667c77c2d5c8f360caaa279739bb6d30206c0c6a2e5f42a9e71c6c56d986f3613bcf78a605b5ca19596f3148b915ab549e63d36cee5

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.126.updc
MD5
5e9a65f74ffc5b0571a3bb9909218feb

SHA1
11bca63dcc64ed9ba109e9fd45476b32eef9b11a

SHA256
c8604e41d741fa42ea90400fe3129db73d91473481a3c415bea4c9713944e9ec

SHA512
48e136b09f670f7631409fd864460179e3bfb083e16371efd0fd8f0fdfd8c847a602d3091357d46e152a26272a3eecb09ac29997ca4a6a26bcc1e11219a55898

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.127.updc
MD5
fab44894362bbd5067a0e891b88ca363

SHA1
4a1da954df125719a91deb6e461bce43ef5292ac

SHA256
d0684bcfb31cea11c7319e3a52edfb78dcad79ed6ace01c91aca4f5702681537

SHA512
2f76d235eb2e1f1598f360d190589d1d33b566c68b10d0678191d101afbb6eed605c45c0d90d2b129fdd1925721785b15abd34a6a27709fd2713161b5d9caa07

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.128.updc
MD5
fceb82242a446fe6308119a1b44bfaab

SHA1
0a027a03f2782ccb2afd3fadc751d670a7eabe8b

SHA256
067d4d0343895c7d90005612e0b01a7c40235df54f6b1444453924619e34ec64

SHA512
4ffd14cd8851eccd733fce5e44c22658fdf5e740d7f82e24f6fa0b5b7d960c5f6a5133a455a3f5b5fe9445939985d8487e5b52245749b2bc4215de6af815f98c

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.129.updc
MD5
185c2025a2192e037b431925c1428ee1

SHA1
9de605eb73410bfbf5f3c970ff9f6907e6f49ac1

SHA256
9a8be9e65e191a5cc48cdd3209b514ca732cedf52e8e30fbe0b6babdd796e669

SHA512
e76207770ca648b9be48275d30e9f053030f18b2b81a6b87e73b877978c8d87d717502e5d29dede9b843e30416e2b62722dce478fc767124010c47c089c6c7a0

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.13.updc
MD5
9cf85c43daa6c428dae911883be0d5f0

SHA1
b1ff7ffc5e98f17660fe1705d837131ecc27fc40

SHA256
4158750737c74eae85b3a84174dd8b47ce8a1bec4f9cc246fecad215696714e3

SHA512
97d2c3628af478f4ae34664f4869622364603e31e2d232925ec79ac71397adcba9d67e9aeeb052ba069402cfb2887c4bff76efe30819ebee188996ca64e4cb9f

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.130.updc
MD5
08018e4e8e6897d67fe8abf49b2bb628

SHA1
714d54d7a8e4cab76c2c1c16be47cd1152e26e4b

SHA256
afcbba0d90d397121b741988eab5a2285bdaac03cd966e914d5c27a746da1673

SHA512
0ba045d21f1c2ca69dad8312d83583d7336d82552f8e807a5f4e5027ab5f31879f386b2aa86f27a5776beb9c3c20ce2b5f20a43fea4a80e7ae06999ae0eab4d9

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.131.updc
MD5
9c3789e69dc7ed03f1a07441b2ab5c82

SHA1
496857e39186458bbe5fa03cc5ce0f6f3987ccfa

SHA256
22534c441a4c3d696d7293f3b261976b837ca3333edfea90d10a3d076f1204a9

SHA512
467a79e0f67e12dee7b7144d9f83be3382cd063a53278d88f1d247c7ebfda6d9d787247ad607782a23ed8ed8fa4584d6ed64539ecb1ae5dd1c037c7e908e812d

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.132.updc
MD5
08549f19628200fe40e0994a7a02dec8

SHA1
024ba1bb2f64db33cc6631931e3da13c020cbb85

SHA256
f4206a604b91c6353fa049655e7a122ce88aeae751924663d26bd2a544ae1e8a

SHA512
5dee0e3538096e48222f40d049f02580aeab189a45664f1708a41e5ac54072d7e76e61b49ac4182a75db0c14a86624c4a4f45ab91b2a8fda8ef898251331f3b0

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.133.updc
MD5
f9f88d9702495231ec234f43b85140c0

SHA1
23ef7550444774d212da4f05a848f2532f90cdb0

SHA256
31d28393b6a7e3118b13818359543e9b9e383ab7bcea67bfb98c6dacc804a656

SHA512
da02fa724612c52d35a1f8e504ddd54dba46c10e2ea368f179095c8f442d79906c44ac202ad4d6c22b67821a0b1b591cde3596a51b3a58d1ac40b7a00d0797e0

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.134.updc
MD5
7bd0b0118dcf9c9933ba44f0ec3e39d3

SHA1
34814fe67a12441e2c95d872db929702c2af8ab0

SHA256
cc0124a914cdc00f33b43caf1ccdfe3c9effc55c361e7884e645fde6f1405273

SHA512
d22c04876c56b1f0d80d22505ca1b7c8590407ad2aa8b4d0f5cbf5e29d65c89d39852f0d8712667cb1c61a16ecdc601971de8f29e47056f8ba682818f1d2d7d5

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.135.updc
MD5
5a403c0bb5398c3616397a98b3494235

SHA1
34b456ae69a0e5a907c8480115557a78d5d0fe3f

SHA256
071905dbaec95cd84b4fedfb4b2ac38ec56498beebfa5d7dbf7b41723ed84773

SHA512
a3ab1874ad46c8f073d226c5d1d6c0ffea63dc2afdd3392f520300dc5db821acc5d0bc01babedff019d585ffbe23f9ab05b906065a35169d43f49bec65a87b44

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.136.updc
MD5
d61e02e62f7e8d6d257e996a4eec5b35

SHA1
b2ab0ee6c4de8d948879e362514e7002703d6e04

SHA256
53bd23663c77633fd4055126e0000bc3de0f828310d49683b7f997d4b719bdfb

SHA512
8c65b48f85e6771fbdb2cbbec2461caefbd0786fd85f8f82f3916090d8325663c95c233d120f424a0cb7138e14e07271a856b91eddd70ff8446ea71bb3838be9

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.137.updc
MD5
a1380f8acb928bbae564aac182d7cc70

SHA1
d77000436968c0372847ad9634f42606b452edd3

SHA256
88004b94735de31a1366ac4626d35fb7a5163005278dab2b788938922ba04999

SHA512
5ced2c4bc3b1e8e61e8d20f782ecffd013cae025c04eb1c59c61b0a5f263c4e73989ab2c000f72ef736eca89af88a799b4355591360222d437124153f0dfb764

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.138.updc
MD5
2aba6fc36e22d515fdab392fb933c128

SHA1
1573aa61961aee78daaec8ef8155753cb16001dc

SHA256
5fb3dd578f633f5ddec421e479ca1496fb5bdfd27dc0661991ce9da03c185b87

SHA512
f5b11df7a59b1d55286495d421bc467a0980650a10c433af0b12f9b6e836a55a62a9289d21b8df5c51d15f16cbed631df433622461d492edd5c05c6c06fd458d

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.139.updc
MD5
4f86e38fc07abfc04c980618a7b95815

SHA1
25f27540a606c9df50bb0c9b3f3490b06393e228

SHA256
70bd3de490a091ad74da209bcb9fc0061d32ab529de55b7b99abd189a47108ae

SHA512
8e4cf965cebda44f316213ac1ccc8dc9bc7cbc47a2261582ad807e5ddad5f486a112abb5463ea07a6eaaad03df99f93812c0f9b01e7de23681fddc1fffd77241

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.14.updc
MD5
548c7eae934aef637b0eb84973fe2d45

SHA1
0ad427a1055c4ca78f918ffd04e744af2ba71825

SHA256
4dc79e5bfcde388fbe6cfc682490c68c7824b71332caf5293047d5581d0ec67f

SHA512
c71c83ccd4720fb06edeb3462900561993f9e9d147117c2a9d8f3e8b37349ac17f801dc8963f459808b9141638b32d06cf9a7b3badc4f35be95670365883d782

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.140.updc
MD5
5ecc108b5ddc59d041d67b858a48b293

SHA1
31ea8885adac15a02f5e7acce38db3e5ad950e34

SHA256
7ea197bc3c2758879d6bfcb8ede5b21bfb11c645c35340fc724a94165c848749

SHA512
f6cf33dd7a1ea8e89e4759f5a0b6da3d2c7ff33ba55805d2b2cc932ad184582c7eb43af042b9b6cbf6fdf86870173fa19180883c8b7c90b1cd5ba8e12c44c1f4

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.141.updc
MD5
59a1793fa56491c3c7e6a96fb6ca35eb

SHA1
12e3f2bedc467f39c5f8b36cbfaee0ef9b96dfa7

SHA256
b2dddca3b5dfa8e29934af11ab875d1b37d9c84125bb7f487766b7d6b640348e

SHA512
61052898c8621b2ab1e4bf587d2dcd4e89995be3535e53609f27676e61dabd8fe4ec3dcba03f74c018c814421d688d266afb8c9dec686de4516df44b5d84cf7b

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.142.updc
MD5
4c9da3b511fdb2e8a7c9663bbad08690

SHA1
e8b17ba3fd4162ba2e2121f4d2c5b9768df5ea80

SHA256
0e2ff578c2059590a821a52e0b1f77d0888f4db1be6ca7dbc1972c9c560f289b

SHA512
9db83bd3f5439a9b787cda755a8f6ee27c962924dd78b1382a16b7ca841abb9ff1106779a4eea56fddf49cd3582ccc86e8a2899fe6814b05dda9ee3a0fee4122

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.143.updc
MD5
0bd94ea1354dc95832b44a7050806bcb

SHA1
31ad81a1e147cbf78346597322fa5ab0a2ab8714

SHA256
38438c203934da15b1b35cba573e407863731c4d727e809fc5322c9c7a407fc6

SHA512
bac1aad529b97dae57582e5549df0dc82c249a1cefddc8f3633aeba660b55e9cf47c44ab07397cf01f8e7c1ff5594347a5ff53a99f2180ecb2852fcec6f9e655

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.144.updc
MD5
d68fb0b24eac2a8baa212ea08a434971

SHA1
f076bd6fc3195f5853bbfbb014b1523c45442b05

SHA256
f2a524378cf63926dd4f18d51ab3837bcdfe7c110583fdba9692ec702b49693f

SHA512
4e7d153d0dac9f8bee0582bc71d77a89c29a3f6def5614dd115cd48eed918158fc7765bc3227e587f7e6a6250c87d8d78509dfca63b5c1b86a99bf3c0fd798a5

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.145.updc
MD5
0f7d6720434bcf8caa3694103355697c

SHA1
e0f502572dc50db40c14f251fbe51d420122aca9

SHA256
a4525cd6072348fe1b7041ce829c8e827b979f8d688dcf7ffede6654d3e76060

SHA512
258437fa6b3b0c16d6f04f990f38ba7362ac010c405b206a1894934c731bcdcc0119ec4a38b3ae7fece97cd5871a26b20800b30906beecfe456ad8b9c6c81280

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.146.updc
MD5
0455fa67cf6f55e0a757d8970ccb3e08

SHA1
cca7199ec1ca10ddc66d93dfba1145170e796be7

SHA256
fd285e19fe28820940ddf67fe0f7e292df52806bf4d8a0a720039e4f5b19f751

SHA512
dc5eb7678537cd0e00100356849291c951c8ae277c00cea01927cb7e02639d961aaccae61f05f6d690c80573bf1026a962644d2bf556707b0e28a6b41220a6a5

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.147.updc
MD5
e679f44f766ec62fa6d3df67587ac7b6

SHA1
7a1376f413ff346a670ac8c1d753622cccbbb927

SHA256
0471634e03837202cb2fa0a10854a3ad6795ee4e7cddcd168087dd3796e51a1a

SHA512
585e11a1c376ccd0267cac9c4122e6e70f1f84036a68dcecdb3886371eed67fa3399a49da32a8f90c7f0a79ecfa7d21ea201fc14db8e0dd14f6193c67d6552f2

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gmd\bank.gbl.updc
MD5
0ed59fc81c6d0bf849bd739d1d01485b

SHA1
b5265d40d09e9de8f20e01082bbe6568a18cddd5

SHA256
bb75b1d3a35cfbe2b820f1ccb1079108c0c66232ddb6ee62997943001dbf9923

SHA512
e2945f38f36d678eddcfbf66aa457733dc907361fc25f701270d3a65dd7ea1cbcb5545ab142ee4863a53d9032ee15839860f4b65ac26d06e50a33f11795f0ac1

Download Submit
\??\c:\windows\temp\is-meq60.tmp\gbpdist\cef\gpc\cef.gpc.updc
MD5
9a4cda7377666ba8bce6d7a60c05f727

SHA1
c8ef9999b08734a270255524773819ccb424da0c

SHA256
96cdce302de33647447f74f6cc50aa96b8c3ad72f52fc0cd61bad376fb8943a8

SHA512
1f37b501589bc7887936e7114158fc4a2c143b0977ebedf42539b9832b696ef809afe23ca4e9458cc6e68b8cb15c3cb9abbe753632ed0ca6355407dd3ecb2511

Download Submit
\Windows\Temp\is-MEQ60.tmp\gbpdistutil.dll
MD5
0587eb3fc5c202fe37ff5b963ccd23f3

SHA1
73d1dd319d47b9d6cce7269eb3bfa331fd909357

SHA256
1fb099d2c1f675b2a3514c3cedcbb75c8b00ef76bc485dab18825e1c8b5ff6ba

SHA512
cf674f5ec6538056325cb14c5916a707e46caf9411d689cfa15d2feede677a8ff97d169f46a96c38a0133aead0a7fbd0f03f8b8d383c77eafae18ee4b400e0df

Download Submit
memory/184-241-0x0000000000000000-mapping.dmp

Download
memory/620-315-0x0000000000000000-mapping.dmp

Download
memory/620-316-0x00007FF784AD0000-0x00007FF784B59000-memory.dmp

Filesize
548KB

Download
memory/664-260-0x0000000000000000-mapping.dmp

Download
memory/708-268-0x0000000000000000-mapping.dmp

Download
memory/792-288-0x0000000000000000-mapping.dmp

Download
memory/1004-312-0x00007FFCAF4B0000-0x00007FFCAF50C000-memory.dmp

Filesize
368KB

Download
memory/1004-311-0x00007FFCAFB20000-0x00007FFCAFB68000-memory.dmp

Filesize
288KB

Download
memory/1004-307-0x00007FFCBE740000-0x00007FFCBE76F000-memory.dmp

Filesize
188KB

Download
memory/1004-301-0x00007FF731350000-0x00007FF731457000-memory.dmp

Filesize
1.0MB

Download
memory/1004-298-0x0000000000000000-mapping.dmp

Download
memory/1004-303-0x00007FFCB00A0000-0x00007FFCB0171000-memory.dmp

Filesize
836KB

Download
memory/1004-306-0x00007FFCAFB70000-0x00007FFCAFFDD000-memory.dmp

Filesize
4.4MB

Download
memory/1004-313-0x00007FFCAF3F0000-0x00007FFCAF4AA000-memory.dmp

Filesize
744KB

Download
memory/1004-310-0x00007FFCBA870000-0x00007FFCBA8BE000-memory.dmp

Filesize
312KB

Download
memory/1016-325-0x0000000000000000-mapping.dmp

Download
memory/1224-269-0x0000000000000000-mapping.dmp

Download
memory/1228-317-0x0000000000000000-mapping.dmp

Download
memory/1272-279-0x0000000000000000-mapping.dmp

Download
memory/1272-259-0x0000000000000000-mapping.dmp

Download
memory/1272-280-0x00007FF784AD0000-0x00007FF784B59000-memory.dmp

Filesize
548KB

Download
memory/1296-326-0x0000000000000000-mapping.dmp

Download
memory/1300-121-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1300-123-0x0000000010000000-0x0000000010038000-memory.dmp

Filesize
224KB

Download
memory/1300-118-0x0000000000000000-mapping.dmp

Download
memory/1300-255-0x0000000000000000-mapping.dmp

Download
memory/1400-277-0x0000000000000000-mapping.dmp

Download
memory/1400-264-0x0000000000000000-mapping.dmp

Download
memory/1536-321-0x0000000000000000-mapping.dmp

Download
memory/1616-323-0x0000000000000000-mapping.dmp

Download
memory/1824-202-0x0000000072230000-0x0000000072741000-memory.dmp

Filesize
5.1MB

Download
memory/1824-292-0x0000000000000000-mapping.dmp

Download
memory/1824-189-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1824-217-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/1824-218-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/1824-220-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1824-221-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1824-188-0x0000000000000000-mapping.dmp

Download
memory/1824-200-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1980-258-0x0000000000000000-mapping.dmp

Download
memory/2124-253-0x0000000000000000-mapping.dmp

Download
memory/2140-261-0x0000000000000000-mapping.dmp

Download
memory/2252-308-0x00007FFCAEE60000-0x00007FFCAF116000-memory.dmp

Filesize
2.7MB

Download
memory/2252-302-0x00007FFCB0180000-0x00007FFCB01F1000-memory.dmp

Filesize
452KB

Download
memory/2252-295-0x00007FFCB0BD0000-0x00007FFCB0C32000-memory.dmp

Filesize
392KB

Download
memory/2252-294-0x00007FFCB0200000-0x00007FFCB032E000-memory.dmp

Filesize
1.2MB

Download
memory/2252-299-0x00007FFCB0570000-0x00007FFCB05C1000-memory.dmp

Filesize
324KB

Download
memory/2252-309-0x00007FFCAF9E0000-0x00007FFCAFA57000-memory.dmp

Filesize
476KB

Download
memory/2252-291-0x00007FFCB0930000-0x00007FFCB0AAD000-memory.dmp

Filesize
1.5MB

Download
memory/2252-287-0x00007FF731350000-0x00007FF731457000-memory.dmp

Filesize
1.0MB

Download
memory/2252-296-0x00007FFCBD910000-0x00007FFCBD958000-memory.dmp

Filesize
288KB

Download
memory/2252-314-0x00007FFCAED00000-0x00007FFCAEE60000-memory.dmp

Filesize
1.4MB

Download
memory/2252-305-0x00007FFCAF510000-0x00007FFCAF5EE000-memory.dmp

Filesize
888KB

Download
memory/2252-289-0x00007FFCBD330000-0x00007FFCBD419000-memory.dmp

Filesize
932KB

Download
memory/2252-300-0x00007FFCB0510000-0x00007FFCB0570000-memory.dmp

Filesize
384KB

Download
memory/2252-297-0x00007FFCB08A0000-0x00007FFCB092B000-memory.dmp

Filesize
556KB

Download
memory/2252-304-0x00007FFCAFFE0000-0x00007FFCB009C000-memory.dmp

Filesize
752KB

Download
memory/2256-283-0x0000000000000000-mapping.dmp

Download
memory/2300-318-0x0000000000000000-mapping.dmp

Download
memory/2312-282-0x0000000000000000-mapping.dmp

Download
memory/2824-286-0x00007FF731350000-0x00007FF731457000-memory.dmp

Filesize
1.0MB

Download
memory/2824-285-0x0000000000000000-mapping.dmp

Download
memory/2832-257-0x00007FFCBDA30000-0x00007FFCBDAA7000-memory.dmp

Filesize
476KB

Download
memory/2832-115-0x0000000000000000-mapping.dmp

Download
memory/2832-117-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2832-256-0x0000000000000000-mapping.dmp

Download
memory/3124-273-0x0000000000000000-mapping.dmp

Download
memory/3236-262-0x0000000000000000-mapping.dmp

Download
memory/3268-247-0x0000000000000000-mapping.dmp

Download
memory/3268-248-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3272-290-0x0000000000000000-mapping.dmp

Download
memory/3272-250-0x0000000000000000-mapping.dmp

Download
memory/3272-251-0x00000000013A0000-0x0000000001474000-memory.dmp

Filesize
848KB

Download
memory/3272-293-0x00007FF731350000-0x00007FF731457000-memory.dmp

Filesize
1.0MB

Download
memory/3384-223-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3384-206-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3384-190-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3384-215-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/3384-224-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/3384-244-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3384-203-0x0000000072230000-0x0000000072741000-memory.dmp

Filesize
5.1MB

Download
memory/3384-226-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/3384-213-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/3384-211-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3384-214-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/3384-212-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/3384-225-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3384-207-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/3384-227-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3384-208-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/3384-222-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/3384-209-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3396-274-0x0000000000000000-mapping.dmp

Download
memory/3432-266-0x00007FF784AD0000-0x00007FF784B59000-memory.dmp

Filesize
548KB

Download
memory/3432-265-0x0000000000000000-mapping.dmp

Download
memory/3472-205-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3472-231-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/3472-236-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/3472-210-0x0000000072230000-0x0000000072741000-memory.dmp

Filesize
5.1MB

Download
memory/3472-235-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3472-234-0x00000000021F0000-0x00000000021F1000-memory.dmp

Filesize
4KB

Download
memory/3472-238-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3472-233-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3472-232-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3472-237-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/3472-230-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/3472-229-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/3472-228-0x00000000005E0000-0x000000000068E000-memory.dmp

Filesize
696KB

Download
memory/3472-239-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/3472-204-0x0000000000000000-mapping.dmp

Download
memory/3472-240-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/3576-271-0x0000000000000000-mapping.dmp

Download
memory/3576-245-0x0000000000000000-mapping.dmp

Download
memory/3576-246-0x0000000000DD0000-0x0000000000FE7000-memory.dmp

Filesize
2.1MB

Download
memory/3580-275-0x0000000000000000-mapping.dmp

Download
memory/3580-263-0x0000000000000000-mapping.dmp

Download
memory/3580-276-0x00007FF784AD0000-0x00007FF784B59000-memory.dmp

Filesize
548KB

Download
memory/3604-267-0x0000000000000000-mapping.dmp

Download
memory/3748-254-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3748-249-0x0000000000000000-mapping.dmp

Download
memory/3760-324-0x0000000000000000-mapping.dmp

Download
memory/3780-320-0x00007FF784AD0000-0x00007FF784B59000-memory.dmp

Filesize
548KB

Download
memory/3780-319-0x0000000000000000-mapping.dmp

Download
memory/3844-270-0x0000000000000000-mapping.dmp

Download
memory/3892-242-0x0000000000000000-mapping.dmp

Download
memory/3892-243-0x0000000000ED0000-0x00000000010E7000-memory.dmp

Filesize
2.1MB

Download
memory/3904-278-0x0000000000000000-mapping.dmp

Download
memory/3952-281-0x0000000000000000-mapping.dmp

Download
memory/3980-284-0x0000000000000000-mapping.dmp

Download
memory/4052-197-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/4052-127-0x0000000000400000-0x000000000056D000-memory.dmp

Filesize
1.4MB

Download
memory/4052-194-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4052-193-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4052-192-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4052-191-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/4052-196-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4052-195-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4052-199-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/4052-187-0x00000000716D0000-0x0000000071BE1000-memory.dmp

Filesize
5.1MB

Download
memory/4052-124-0x0000000000000000-mapping.dmp

Download
memory/4052-198-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/4052-186-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/4064-272-0x0000000000000000-mapping.dmp

Download
memory/4064-322-0x0000000000000000-mapping.dmp

Download