amadey | 2dea8cfcd31f4675d5462c385139b59528759bee88aec34ed9d0757d289e7a34

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
30/08/2023, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

497KB
MD5

5bf6b19fd947c3fef6a8cc3555b2f18d
SHA1

865a3ecdac050d055f55e6e396f073cf95265d5d
SHA256

2dea8cfcd31f4675d5462c385139b59528759bee88aec34ed9d0757d289e7a34
SHA512

562a02a849019229e5dc2f067e116d798a8479df9c6843c674c923641b49ae44d166f03cdf26682a39243df1dce16f72a207cc75e731949b02e78056dc239d34
SSDEEP

6144:DDAYle3gPx+9iinDEXpBl6X8aHo7scVqAbIcfBm6GM/L7mGnxHHk5LULL0a:DD7e3gJ+PnIjJMdM/LyEHU

Score

10^/10

amadey glupteba smokeloader xmrig pub5 up3 backdoor dropper evasion loader miner persistence rootkit trojan upx

Malware Config

Extracted

Family

amadey

Version

3.83

45.9.74.80/0bjdn2Z/index.php

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

smokeloader

Version

2022

http://taibi.at/tmp/

http://01stroy.ru/tmp/

http://mal-net.com/tmp/

http://gromograd.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/2016-84-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/2016-88-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/2016-95-0x0000000004620000-0x0000000004F0B000-memory.dmp	family_glupteba
behavioral1/memory/2016-98-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/1672-110-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/1672-119-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-124-0x0000000004380000-0x0000000004C6B000-memory.dmp	family_glupteba
behavioral1/memory/892-125-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-134-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-168-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-179-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-242-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-263-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-288-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-299-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-327-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-332-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-336-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba
behavioral1/memory/892-340-0x0000000000400000-0x000000000281B000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 1912 created 1364	1912	latestX.exe	15
PID 1912 created 1364	1912	latestX.exe	15
PID 1912 created 1364	1912	latestX.exe	15
PID 1912 created 1364	1912	latestX.exe	15
PID 1912 created 1364	1912	latestX.exe	15
PID 1744 created 1364	1744	updater.exe	15
PID 1744 created 1364	1744	updater.exe	15
PID 1744 created 1364	1744	updater.exe	15
PID 1744 created 1364	1744	updater.exe	15
PID 1744 created 1364	1744	updater.exe	15
PID 1744 created 1364	1744	updater.exe	15

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1424	bcdedit.exe
2408	bcdedit.exe
1312	bcdedit.exe
2328	bcdedit.exe
1940	bcdedit.exe
1468	bcdedit.exe
1224	bcdedit.exe
2004	bcdedit.exe
920	bcdedit.exe
2932	bcdedit.exe
2220	bcdedit.exe
1300	bcdedit.exe
1660	bcdedit.exe
2768	bcdedit.exe

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral1/memory/1744-323-0x000000013FF40000-0x00000001404E1000-memory.dmp	xmrig
behavioral1/memory/2996-330-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2996-335-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2996-339-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2996-343-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2996	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 17 IoCs

pid	Process
2356	d0ccc283.exe
2092	newplayer.exe
1004	oneetx.exe
2388	toolspub2.exe
2016	31839b57a4f11171d6abc8bbc4451ee4.exe
1912	latestX.exe
1792	toolspub2.exe
1672	31839b57a4f11171d6abc8bbc4451ee4.exe
892	csrss.exe
1940	bcdedit.exe
2560	injector.exe
2256	patch.exe
1744	updater.exe
2116	dsefix.exe
2732	windefender.exe
2612	windefender.exe
2872	oneetx.exe

Loads dropped DLL 24 IoCs

pid	Process
2580	file.exe
2580	file.exe
2580	file.exe
2092	newplayer.exe
1004	oneetx.exe
1004	oneetx.exe
1004	oneetx.exe
1004	oneetx.exe
1004	oneetx.exe
2388	toolspub2.exe
1672	31839b57a4f11171d6abc8bbc4451ee4.exe
1672	31839b57a4f11171d6abc8bbc4451ee4.exe
892	csrss.exe
848	Process not Found
2256	patch.exe
2256	patch.exe
2256	patch.exe
2256	patch.exe
2256	patch.exe
2540	taskeng.exe
2256	patch.exe
2256	patch.exe
2256	patch.exe
892	csrss.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d70-292.dat	upx
behavioral1/memory/2732-293-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0007000000016d70-294.dat	upx
behavioral1/files/0x0007000000016d70-295.dat	upx
behavioral1/memory/2612-296-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2732-297-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2612-305-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2612-333-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2388 set thread context of 1792	2388	toolspub2.exe	48
PID 1744 set thread context of 1628	1744	updater.exe	147
PID 1744 set thread context of 2996	1744	updater.exe	148

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20230830023334.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
920	sc.exe
2704	sc.exe
1932	sc.exe
660	sc.exe
1128	sc.exe
2112	sc.exe
2732	sc.exe
2108	sc.exe
1508	sc.exe
1460	sc.exe
2072	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2756	schtasks.exe
808	schtasks.exe
2700	schtasks.exe
1920	schtasks.exe
1912	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2356	d0ccc283.exe
2356	d0ccc283.exe
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	Explorer.EXE

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
468	Process not Found
468	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2356	d0ccc283.exe
1792	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2016	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeSystemEnvironmentPrivilege	892	csrss.exe
Token: SeShutdownPrivilege	1924	powercfg.exe
Token: SeShutdownPrivilege	1576	powercfg.exe
Token: SeShutdownPrivilege	1108	powercfg.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeShutdownPrivilege	2192	powercfg.exe
Token: SeSecurityPrivilege	1932	sc.exe
Token: SeSecurityPrivilege	1932	sc.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeShutdownPrivilege	1916	powercfg.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeShutdownPrivilege	2856	powercfg.exe
Token: SeShutdownPrivilege	756	powercfg.exe
Token: SeShutdownPrivilege	648	powercfg.exe
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeShutdownPrivilege	1364	Explorer.EXE
Token: SeDebugPrivilege	1744	updater.exe
Token: SeLockMemoryPrivilege	2996	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2092	newplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2356	2580	file.exe	30
PID 2580 wrote to memory of 2356	2580	file.exe	30
PID 2580 wrote to memory of 2356	2580	file.exe	30
PID 2580 wrote to memory of 2356	2580	file.exe	30
PID 2580 wrote to memory of 2092	2580	file.exe	31
PID 2580 wrote to memory of 2092	2580	file.exe	31
PID 2580 wrote to memory of 2092	2580	file.exe	31
PID 2580 wrote to memory of 2092	2580	file.exe	31
PID 2092 wrote to memory of 1004	2092	newplayer.exe	32
PID 2092 wrote to memory of 1004	2092	newplayer.exe	32
PID 2092 wrote to memory of 1004	2092	newplayer.exe	32
PID 2092 wrote to memory of 1004	2092	newplayer.exe	32
PID 1004 wrote to memory of 2756	1004	oneetx.exe	33
PID 1004 wrote to memory of 2756	1004	oneetx.exe	33
PID 1004 wrote to memory of 2756	1004	oneetx.exe	33
PID 1004 wrote to memory of 2756	1004	oneetx.exe	33
PID 1004 wrote to memory of 2912	1004	oneetx.exe	35
PID 1004 wrote to memory of 2912	1004	oneetx.exe	35
PID 1004 wrote to memory of 2912	1004	oneetx.exe	35
PID 1004 wrote to memory of 2912	1004	oneetx.exe	35
PID 2912 wrote to memory of 2764	2912	cmd.exe	37
PID 2912 wrote to memory of 2764	2912	cmd.exe	37
PID 2912 wrote to memory of 2764	2912	cmd.exe	37
PID 2912 wrote to memory of 2764	2912	cmd.exe	37
PID 2912 wrote to memory of 2716	2912	cmd.exe	38
PID 2912 wrote to memory of 2716	2912	cmd.exe	38
PID 2912 wrote to memory of 2716	2912	cmd.exe	38
PID 2912 wrote to memory of 2716	2912	cmd.exe	38
PID 2912 wrote to memory of 2868	2912	cmd.exe	39
PID 2912 wrote to memory of 2868	2912	cmd.exe	39
PID 2912 wrote to memory of 2868	2912	cmd.exe	39
PID 2912 wrote to memory of 2868	2912	cmd.exe	39
PID 2912 wrote to memory of 2860	2912	cmd.exe	40
PID 2912 wrote to memory of 2860	2912	cmd.exe	40
PID 2912 wrote to memory of 2860	2912	cmd.exe	40
PID 2912 wrote to memory of 2860	2912	cmd.exe	40
PID 2912 wrote to memory of 1420	2912	cmd.exe	41
PID 2912 wrote to memory of 1420	2912	cmd.exe	41
PID 2912 wrote to memory of 1420	2912	cmd.exe	41
PID 2912 wrote to memory of 1420	2912	cmd.exe	41
PID 2912 wrote to memory of 3024	2912	cmd.exe	42
PID 2912 wrote to memory of 3024	2912	cmd.exe	42
PID 2912 wrote to memory of 3024	2912	cmd.exe	42
PID 2912 wrote to memory of 3024	2912	cmd.exe	42
PID 1004 wrote to memory of 2388	1004	oneetx.exe	45
PID 1004 wrote to memory of 2388	1004	oneetx.exe	45
PID 1004 wrote to memory of 2388	1004	oneetx.exe	45
PID 1004 wrote to memory of 2388	1004	oneetx.exe	45
PID 1004 wrote to memory of 2016	1004	oneetx.exe	46
PID 1004 wrote to memory of 2016	1004	oneetx.exe	46
PID 1004 wrote to memory of 2016	1004	oneetx.exe	46
PID 1004 wrote to memory of 2016	1004	oneetx.exe	46
PID 1004 wrote to memory of 1912	1004	oneetx.exe	47
PID 1004 wrote to memory of 1912	1004	oneetx.exe	47
PID 1004 wrote to memory of 1912	1004	oneetx.exe	47
PID 1004 wrote to memory of 1912	1004	oneetx.exe	47
PID 2388 wrote to memory of 1792	2388	toolspub2.exe	48
PID 2388 wrote to memory of 1792	2388	toolspub2.exe	48
PID 2388 wrote to memory of 1792	2388	toolspub2.exe	48
PID 2388 wrote to memory of 1792	2388	toolspub2.exe	48
PID 2388 wrote to memory of 1792	2388	toolspub2.exe	48
PID 2388 wrote to memory of 1792	2388	toolspub2.exe	48
PID 2388 wrote to memory of 1792	2388	toolspub2.exe	48
PID 1672 wrote to memory of 368	1672	31839b57a4f11171d6abc8bbc4451ee4.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1364
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Users\Admin\AppData\Local\Temp\d0ccc283.exe
    "C:\Users\Admin\AppData\Local\Temp\d0ccc283.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2356
- - C:\Users\Admin\AppData\Local\Temp\newplayer.exe
    "C:\Users\Admin\AppData\Local\Temp\newplayer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
      "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2764
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        6⤵
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2860
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        6⤵
        
        PID:1420
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        6⤵
        
        PID:3024
    - - C:\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: MapViewOfSection
        
        PID:1792
    - - C:\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe"
        6⤵
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:368
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2996
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:808
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        8⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        8⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2256
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:1424
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:2408
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:1312
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:2328
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        9⤵
        Modifies boot configuration data using bcdedit
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:1468
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:1224
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:2004
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:920
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:2932
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:2220
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:1300
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        9⤵
        Modifies boot configuration data using bcdedit
        
        PID:1660
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        8⤵
        Modifies boot configuration data using bcdedit
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        8⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        8⤵
        Creates scheduled task(s)
        
        PID:1920
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        8⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        10⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\1000290001\latestX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000290001\latestX.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2088
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:920
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2112
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2732
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2100
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2192
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2712
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1508
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1460
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:660
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1128
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2072
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2028
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1916
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1912
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1628
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230830023334.log C:\Windows\Logs\CBS\CbsPersist_20230830023334.cab
1⤵
- Drops file in Windows directory
PID:2936

C:\Windows\system32\taskeng.exe
taskeng.exe {E5744E60-FBBD-41C3-8832-F620D1C4F191} S-1-5-21-1528014236-771305907-3973026625-1000:DMCOTBQQ\Admin:Interactive:[1]
1⤵
PID:2964
- C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  2⤵
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:2872

C:\Windows\system32\taskeng.exe
taskeng.exe {5819997C-812E-4595-9340-D67497775EE8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2540
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1744

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe

Filesize
293KB

MD5
d3d867c6722255ebcbc51a11a3a39347

SHA1
6c4779e317aa06782bd634a3175c2e2884510f6d

SHA256
10d5acaf335351c394065caea772a79d686fab672649cb94315342fe0a9e4df4

SHA512
ecfa6b5d76e90c936d8a89e0f3d9bbaf3c9d63aabb77a920ff94e5d376c494ce9b616c77bf9d9b009d32e5cf7533a342008cc20a5fdc76e1a91cb37eee876ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe

Filesize
293KB

MD5
d3d867c6722255ebcbc51a11a3a39347

SHA1
6c4779e317aa06782bd634a3175c2e2884510f6d

SHA256
10d5acaf335351c394065caea772a79d686fab672649cb94315342fe0a9e4df4

SHA512
ecfa6b5d76e90c936d8a89e0f3d9bbaf3c9d63aabb77a920ff94e5d376c494ce9b616c77bf9d9b009d32e5cf7533a342008cc20a5fdc76e1a91cb37eee876ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe

Filesize
293KB

MD5
d3d867c6722255ebcbc51a11a3a39347

SHA1
6c4779e317aa06782bd634a3175c2e2884510f6d

SHA256
10d5acaf335351c394065caea772a79d686fab672649cb94315342fe0a9e4df4

SHA512
ecfa6b5d76e90c936d8a89e0f3d9bbaf3c9d63aabb77a920ff94e5d376c494ce9b616c77bf9d9b009d32e5cf7533a342008cc20a5fdc76e1a91cb37eee876ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe

Filesize
293KB

MD5
d3d867c6722255ebcbc51a11a3a39347

SHA1
6c4779e317aa06782bd634a3175c2e2884510f6d

SHA256
10d5acaf335351c394065caea772a79d686fab672649cb94315342fe0a9e4df4

SHA512
ecfa6b5d76e90c936d8a89e0f3d9bbaf3c9d63aabb77a920ff94e5d376c494ce9b616c77bf9d9b009d32e5cf7533a342008cc20a5fdc76e1a91cb37eee876ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000290001\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000290001\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000290001\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDAB8.tmp

Filesize
61KB

MD5
e56ec378251cd65923ad88c1e14d0b6e

SHA1
7f5d986e0a34dd81487f6439fb0446ffa52a712e

SHA256
32ccf567c07b62b6078cf03d097e21cbf7ef67a4ce312c9c34a47f865b3ad0a0

SHA512
2737a622ca45b532aebc202184b3e35cde8684e5296cb1f008e7831921be2895a43f952c1df88d33011a7b9586aafbd88483f6c134cb5e8e98c236f5abb5f3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA0A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0ccc283.exe

Filesize
294KB

MD5
385253082416393966614add3b0fb723

SHA1
ab04c1e4b41f3816eacb938dd34ed2854fd3f55c

SHA256
58ecdcd07cfa7135d523563622fb8df53b320d0431fd30ac498c4336c4b93d7b

SHA512
adc508e946ab806acd6d92f67fb11c1400de67e131eb4907440e059f0a6db389fa66fe040af4c1c8493dedb0fdab2c1113a73ebb49687ac1686961dfa03c5ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0ccc283.exe

Filesize
294KB

MD5
385253082416393966614add3b0fb723

SHA1
ab04c1e4b41f3816eacb938dd34ed2854fd3f55c

SHA256
58ecdcd07cfa7135d523563622fb8df53b320d0431fd30ac498c4336c4b93d7b

SHA512
adc508e946ab806acd6d92f67fb11c1400de67e131eb4907440e059f0a6db389fa66fe040af4c1c8493dedb0fdab2c1113a73ebb49687ac1686961dfa03c5ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0ccc283.exe

Filesize
294KB

MD5
385253082416393966614add3b0fb723

SHA1
ab04c1e4b41f3816eacb938dd34ed2854fd3f55c

SHA256
58ecdcd07cfa7135d523563622fb8df53b320d0431fd30ac498c4336c4b93d7b

SHA512
adc508e946ab806acd6d92f67fb11c1400de67e131eb4907440e059f0a6db389fa66fe040af4c1c8493dedb0fdab2c1113a73ebb49687ac1686961dfa03c5ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e897237c11397673a57c7dcfa8eb6f19

SHA1
637c1cd2bd2dacf4888b57998eca8a1de76e0136

SHA256
057ce577f363cdbc9c8d8b8f51538d24fa84f0b926aa1457eb1c60517f96da88

SHA512
7b2339c3ea752fed0cf550ac41d990ceb5abd3ba97aafee793ccaf2a2f53e508e132a0e892acc41b1ed8f580a944c571efa31c034606877b275e59693eccc6b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HSDBD26CERZFINKS9ATR.temp

Filesize
7KB

MD5
29e4a2c0bb9b9d3f14085cf6810b17df

SHA1
2e444341757c5b0c784889a5e53cb0d43fb0ac41

SHA256
8b3ef72066d8c0f3d00eaa629425b7ae5fce2cdb510993f69a3c0ca30f4a2339

SHA512
58f0607241d6cd123a74d082d7ac20c99bd67d49186e0f3f26ff8b2c5764c2ae75bf3e1055feed75da927c7f910bc3c112e69f387c9c16354c6b09d783416a06

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe

Filesize
293KB

MD5
d3d867c6722255ebcbc51a11a3a39347

SHA1
6c4779e317aa06782bd634a3175c2e2884510f6d

SHA256
10d5acaf335351c394065caea772a79d686fab672649cb94315342fe0a9e4df4

SHA512
ecfa6b5d76e90c936d8a89e0f3d9bbaf3c9d63aabb77a920ff94e5d376c494ce9b616c77bf9d9b009d32e5cf7533a342008cc20a5fdc76e1a91cb37eee876ebd

Download Submit
\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe

Filesize
293KB

MD5
d3d867c6722255ebcbc51a11a3a39347

SHA1
6c4779e317aa06782bd634a3175c2e2884510f6d

SHA256
10d5acaf335351c394065caea772a79d686fab672649cb94315342fe0a9e4df4

SHA512
ecfa6b5d76e90c936d8a89e0f3d9bbaf3c9d63aabb77a920ff94e5d376c494ce9b616c77bf9d9b009d32e5cf7533a342008cc20a5fdc76e1a91cb37eee876ebd

Download Submit
\Users\Admin\AppData\Local\Temp\1000288001\toolspub2.exe

Filesize
293KB

MD5
d3d867c6722255ebcbc51a11a3a39347

SHA1
6c4779e317aa06782bd634a3175c2e2884510f6d

SHA256
10d5acaf335351c394065caea772a79d686fab672649cb94315342fe0a9e4df4

SHA512
ecfa6b5d76e90c936d8a89e0f3d9bbaf3c9d63aabb77a920ff94e5d376c494ce9b616c77bf9d9b009d32e5cf7533a342008cc20a5fdc76e1a91cb37eee876ebd

Download Submit
\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
\Users\Admin\AppData\Local\Temp\1000289001\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
\Users\Admin\AppData\Local\Temp\1000290001\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\d0ccc283.exe

Filesize
294KB

MD5
385253082416393966614add3b0fb723

SHA1
ab04c1e4b41f3816eacb938dd34ed2854fd3f55c

SHA256
58ecdcd07cfa7135d523563622fb8df53b320d0431fd30ac498c4336c4b93d7b

SHA512
adc508e946ab806acd6d92f67fb11c1400de67e131eb4907440e059f0a6db389fa66fe040af4c1c8493dedb0fdab2c1113a73ebb49687ac1686961dfa03c5ca9

Download Submit
\Users\Admin\AppData\Local\Temp\d0ccc283.exe

Filesize
294KB

MD5
385253082416393966614add3b0fb723

SHA1
ab04c1e4b41f3816eacb938dd34ed2854fd3f55c

SHA256
58ecdcd07cfa7135d523563622fb8df53b320d0431fd30ac498c4336c4b93d7b

SHA512
adc508e946ab806acd6d92f67fb11c1400de67e131eb4907440e059f0a6db389fa66fe040af4c1c8493dedb0fdab2c1113a73ebb49687ac1686961dfa03c5ca9

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\newplayer.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
43571c105447cc17a14daa158ec4389a

SHA1
a23e7044033e3ebb349c1d194a53df0c0c058a2d

SHA256
3c3765a39069b1f6dbcaafb23721a289df7c3e1b540e2de3c76facb867bba7df

SHA512
a66bf5e5bd751eccbeb0089453e0cd9f2ded8a1224546421fcfd6fcf4b54d755f97b69850036c54b870ea7a8b98d2f3a35d8a2ae37e71eceef6c6d16cb900b2c

Download Submit
memory/396-317-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/396-311-0x000007FEF45A0000-0x000007FEF4F3D000-memory.dmp

Filesize
9.6MB

Download
memory/396-313-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/396-318-0x000007FEF45A0000-0x000007FEF4F3D000-memory.dmp

Filesize
9.6MB

Download
memory/396-314-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/396-310-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/396-315-0x0000000001230000-0x00000000012B0000-memory.dmp

Filesize
512KB

Download
memory/396-316-0x000007FEF45A0000-0x000007FEF4F3D000-memory.dmp

Filesize
9.6MB

Download
memory/648-132-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/648-140-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

Filesize
9.6MB

Download
memory/648-139-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/648-138-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/648-137-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

Filesize
9.6MB

Download
memory/648-136-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/648-135-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/648-133-0x000007FEF5020000-0x000007FEF59BD000-memory.dmp

Filesize
9.6MB

Download
memory/648-131-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/892-288-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-124-0x0000000004380000-0x0000000004C6B000-memory.dmp

Filesize
8.9MB

Download
memory/892-168-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-340-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-336-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-332-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-179-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-327-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-299-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-242-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-263-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-125-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/892-134-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/1364-64-0x0000000002B50000-0x0000000002B66000-memory.dmp

Filesize
88KB

Download
memory/1364-99-0x0000000002B80000-0x0000000002B96000-memory.dmp

Filesize
88KB

Download
memory/1536-307-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/1536-304-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/1536-300-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/1536-306-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/1536-303-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/1536-301-0x000007FEF4F40000-0x000007FEF58DD000-memory.dmp

Filesize
9.6MB

Download
memory/1536-302-0x0000000001090000-0x0000000001110000-memory.dmp

Filesize
512KB

Download
memory/1628-329-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1672-119-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/1672-110-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/1744-323-0x000000013FF40000-0x00000001404E1000-memory.dmp

Filesize
5.6MB

Download
memory/1744-267-0x000000013FF40000-0x00000001404E1000-memory.dmp

Filesize
5.6MB

Download
memory/1792-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-94-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1792-100-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1792-91-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1912-233-0x000000013F510000-0x000000013FAB1000-memory.dmp

Filesize
5.6MB

Download
memory/1912-165-0x000000013F510000-0x000000013FAB1000-memory.dmp

Filesize
5.6MB

Download
memory/1912-108-0x000000013F510000-0x000000013FAB1000-memory.dmp

Filesize
5.6MB

Download
memory/1912-238-0x000000013F510000-0x000000013FAB1000-memory.dmp

Filesize
5.6MB

Download
memory/2016-95-0x0000000004620000-0x0000000004F0B000-memory.dmp

Filesize
8.9MB

Download
memory/2016-88-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/2016-98-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/2016-83-0x0000000004220000-0x0000000004618000-memory.dmp

Filesize
4.0MB

Download
memory/2016-84-0x0000000000400000-0x000000000281B000-memory.dmp

Filesize
36.1MB

Download
memory/2056-224-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-225-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2056-235-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-232-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/2056-231-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/2056-230-0x000007FEF4F20000-0x000007FEF58BD000-memory.dmp

Filesize
9.6MB

Download
memory/2056-223-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2056-226-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/2056-234-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/2092-15-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2256-166-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2256-152-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2356-27-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2356-65-0x0000000000400000-0x0000000002438000-memory.dmp

Filesize
32.2MB

Download
memory/2356-28-0x0000000000400000-0x0000000002438000-memory.dmp

Filesize
32.2MB

Download
memory/2356-69-0x00000000003C0000-0x00000000003D5000-memory.dmp

Filesize
84KB

Download
memory/2356-26-0x00000000003C0000-0x00000000003D5000-memory.dmp

Filesize
84KB

Download
memory/2356-68-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2388-85-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/2388-93-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2612-333-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2612-296-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2612-305-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2732-297-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2732-293-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2996-331-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/2996-324-0x0000000000180000-0x00000000001A0000-memory.dmp

Filesize
128KB

Download
memory/2996-330-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2996-335-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2996-325-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/2996-339-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2996-343-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download