dcrat | b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 18:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe
Size

261KB
MD5

cae37882ec22810e535b113d13d784d1
SHA1

176b2c8188b71fa3c342358c20ba40b62fafb044
SHA256

b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781
SHA512

4d410f0bdc7e370b2bcb3357887e9c5caf36f9e65430ceb05eb8b414b9c9f0db3c608b7fda6b51263e32d20200ce89e7f941538cf82054a5898269d2a1f98569
SSDEEP

6144:ufvJm09zORs+z/TMify9DAOZqQWUKGR/8/:uHw09CK5NiEF/8/

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

0305

185.215.113.25:10195

Attributes

auth_value
c86205ff1cc37b2da12f0190adfda52c

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LegendaryInstalls_20230918

62.72.23.19:80

Attributes

auth_value
7e2e28855818d91285389c56372566f4

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

DcRat 3 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		AppLaunch.exe
		2656	schtasks.exe
		1324	schtasks.exe

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/2460-482-0x00000000026C0000-0x00000000027F1000-memory.dmp	family_fabookie
behavioral1/memory/2460-751-0x00000000026C0000-0x00000000027F1000-memory.dmp	family_fabookie

Detected google phishing page
phishing google
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 12 IoCs

resource	yara_rule
behavioral1/memory/2300-146-0x0000000002A90000-0x000000000337B000-memory.dmp	family_glupteba
behavioral1/memory/2300-155-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2300-248-0x0000000002A90000-0x000000000337B000-memory.dmp	family_glupteba
behavioral1/memory/2300-449-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2300-451-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2300-735-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/568-738-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/568-747-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1500-1027-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1500-1028-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1500-1046-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1500-1066-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
756	bcdedit.exe
608	bcdedit.exe
1680	bcdedit.exe
2308	bcdedit.exe
548	bcdedit.exe
2740	bcdedit.exe
2392	bcdedit.exe
1072	bcdedit.exe
2040	bcdedit.exe
1636	bcdedit.exe
1812	bcdedit.exe
1960	bcdedit.exe
2932	bcdedit.exe
2784	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
1724	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 15 IoCs

pid	Process
2672	42EA.exe
2516	44FD.exe
1072	4BF0.exe
2112	542C.exe
2460	ss41.exe
2316	toolspub2.exe
2300	31839b57a4f11171d6abc8bbc4451ee4.exe
748	toolspub2.exe
1660	5FE1.exe
2656	schtasks.exe
568	31839b57a4f11171d6abc8bbc4451ee4.exe
1500	csrss.exe
2696	patch.exe
1892	injector.exe
2776	dsefix.exe

Loads dropped DLL 28 IoCs

pid	Process
2816	rundll32.exe
2816	rundll32.exe
2816	rundll32.exe
2816	rundll32.exe
2112	542C.exe
2112	542C.exe
2112	542C.exe
2112	542C.exe
2112	542C.exe
2112	542C.exe
2316	toolspub2.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
1920	rundll32.exe
568	31839b57a4f11171d6abc8bbc4451ee4.exe
568	31839b57a4f11171d6abc8bbc4451ee4.exe
844	Process not Found
2696	patch.exe
2696	patch.exe
1500	csrss.exe
2696	patch.exe
2696	patch.exe
2696	patch.exe
2696	patch.exe
2696	patch.exe
2696	patch.exe
1500	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2316 set thread context of 748	2316	toolspub2.exe	48
PID 1660 set thread context of 760	1660	5FE1.exe	52
PID 2656 set thread context of 3032	2656	schtasks.exe	54

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20230918184414.cab	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2508	2516	WerFault.exe	32

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1324	schtasks.exe
2656	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50575b3160ead901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401827613"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{532F5FC1-5653-11EE-B87C-CE1068F0F1D9} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b000000000200000000001066000000010000200000004199ae1c4e0f744a5f7d638988dfbb602be34852bbabf89066b355123612b50d000000000e8000000002000020000000931c633a1fa8a32967c308dd2ec16e2a744e1eaa7072c36a6e7f1ea62f144ae5900000005392dd3a90799d60cd03d0f0d41c8159b8fae2d2c8b711e2451e7482cb5d47e487d9c0812904755b888719458191a231120aef08dcbbfc5aae756714805a6d3e27b6071ac66892894e76514f2e5f352f6e154bc9f48e7149e44e9a0dc82561fad5bd22159f8ac30dd1b9284b1c8037141de64f70aa5e459a509010495a907dc88391c5811c345ccf5c2cdb0722d6b04240000000f8e8ed9f5613a86fcae4d2342b5253baf5dbc735787beb0a646bc01ac3119f380b89363f25c23c9d8c644614ca44187d2837937f355e30ca06a05413f5e2ef5f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b0000000002000000000010660000000100002000000067b1936c180a689f3bb4bd2991bec648d373d6f32c2c400025b6e7883d8007d7000000000e80000000020000200000001888f502b11b1448e324047bb15e32099c4610f93dc8f2edf3bd57b12626934f20000000521c9492d962bc892d9fafd7838fe1ec0633481929a8025070703acf7f32003e40000000241dc47368ef4596ef32a30e4391df56d077b77bcac8bacee8e0fafd8cb39976b6d8474a8f5274e8b5e3956b9ddc70bc61dfac4c1856aafb28c077a2bc2576cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{530E0C81-5653-11EE-B87C-CE1068F0F1D9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ss41.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ss41.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ss41.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ss41.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	AppLaunch.exe
2372	AppLaunch.exe
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1252	Process not Found

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2372	AppLaunch.exe
748	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeDebugPrivilege	2672	42EA.exe
Token: SeDebugPrivilege	3032	vbc.exe
Token: SeDebugPrivilege	760	vbc.exe
Token: SeDebugPrivilege	2300	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2300	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeSystemEnvironmentPrivilege	1500	csrss.exe
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeShutdownPrivilege	1252	Process not Found
Token: SeShutdownPrivilege	1252	Process not Found

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1900	iexplore.exe
628	iexplore.exe
1252	Process not Found
1252	Process not Found
1252	Process not Found
1252	Process not Found

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1900	iexplore.exe
1900	iexplore.exe
2100	IEXPLORE.EXE
2100	IEXPLORE.EXE
628	iexplore.exe
628	iexplore.exe
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 2212 wrote to memory of 2372	2212	JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe	28
PID 1252 wrote to memory of 2672	1252	Process not Found	31
PID 1252 wrote to memory of 2672	1252	Process not Found	31
PID 1252 wrote to memory of 2672	1252	Process not Found	31
PID 1252 wrote to memory of 2672	1252	Process not Found	31
PID 1252 wrote to memory of 2516	1252	Process not Found	32
PID 1252 wrote to memory of 2516	1252	Process not Found	32
PID 1252 wrote to memory of 2516	1252	Process not Found	32
PID 1252 wrote to memory of 2516	1252	Process not Found	32
PID 2516 wrote to memory of 2508	2516	44FD.exe	34
PID 2516 wrote to memory of 2508	2516	44FD.exe	34
PID 2516 wrote to memory of 2508	2516	44FD.exe	34
PID 2516 wrote to memory of 2508	2516	44FD.exe	34
PID 1252 wrote to memory of 1072	1252	Process not Found	35
PID 1252 wrote to memory of 1072	1252	Process not Found	35
PID 1252 wrote to memory of 1072	1252	Process not Found	35
PID 1252 wrote to memory of 1072	1252	Process not Found	35
PID 1252 wrote to memory of 2472	1252	Process not Found	36
PID 1252 wrote to memory of 2472	1252	Process not Found	36
PID 1252 wrote to memory of 2472	1252	Process not Found	36
PID 2472 wrote to memory of 1900	2472	cmd.exe	38
PID 2472 wrote to memory of 1900	2472	cmd.exe	38
PID 2472 wrote to memory of 1900	2472	cmd.exe	38
PID 1072 wrote to memory of 472	1072	4BF0.exe	39
PID 1072 wrote to memory of 472	1072	4BF0.exe	39
PID 1072 wrote to memory of 472	1072	4BF0.exe	39
PID 1072 wrote to memory of 472	1072	4BF0.exe	39
PID 2472 wrote to memory of 628	2472	cmd.exe	40
PID 2472 wrote to memory of 628	2472	cmd.exe	40
PID 2472 wrote to memory of 628	2472	cmd.exe	40
PID 472 wrote to memory of 2816	472	control.exe	41
PID 472 wrote to memory of 2816	472	control.exe	41
PID 472 wrote to memory of 2816	472	control.exe	41
PID 472 wrote to memory of 2816	472	control.exe	41
PID 472 wrote to memory of 2816	472	control.exe	41
PID 472 wrote to memory of 2816	472	control.exe	41
PID 472 wrote to memory of 2816	472	control.exe	41
PID 1900 wrote to memory of 2100	1900	iexplore.exe	43
PID 1900 wrote to memory of 2100	1900	iexplore.exe	43
PID 1900 wrote to memory of 2100	1900	iexplore.exe	43
PID 1900 wrote to memory of 2100	1900	iexplore.exe	43
PID 1252 wrote to memory of 2112	1252	Process not Found	44
PID 1252 wrote to memory of 2112	1252	Process not Found	44
PID 1252 wrote to memory of 2112	1252	Process not Found	44
PID 1252 wrote to memory of 2112	1252	Process not Found	44
PID 2112 wrote to memory of 2460	2112	542C.exe	45
PID 2112 wrote to memory of 2460	2112	542C.exe	45
PID 2112 wrote to memory of 2460	2112	542C.exe	45
PID 2112 wrote to memory of 2460	2112	542C.exe	45
PID 2112 wrote to memory of 2316	2112	542C.exe	46
PID 2112 wrote to memory of 2316	2112	542C.exe	46
PID 2112 wrote to memory of 2316	2112	542C.exe	46
PID 2112 wrote to memory of 2316	2112	542C.exe	46
PID 2112 wrote to memory of 2300	2112	542C.exe	47
PID 2112 wrote to memory of 2300	2112	542C.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe
"C:\Users\Admin\AppData\Local\Temp\JC_b5019c0273e01b49279aad834879eef43e73fd4b9187dc89ed0b07c88a8c9781.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2372

C:\Users\Admin\AppData\Local\Temp\42EA.exe
C:\Users\Admin\AppData\Local\Temp\42EA.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Users\Admin\AppData\Local\Temp\44FD.exe
C:\Users\Admin\AppData\Local\Temp\44FD.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 516
  2⤵
  - Program crash
  PID:2508

C:\Users\Admin\AppData\Local\Temp\4BF0.exe
C:\Users\Admin\AppData\Local\Temp\4BF0.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\3fv5b.CPL",
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:472
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\3fv5b.CPL",
    3⤵
    - Loads dropped DLL
    PID:2816
  - - C:\Windows\system32\RunDll32.exe
      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\3fv5b.CPL",
      4⤵
      PID:1484
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\3fv5b.CPL",
        5⤵
        Loads dropped DLL
        
        PID:1920

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4D58.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:340993 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2100
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:628
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:628 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:944

C:\Users\Admin\AppData\Local\Temp\542C.exe
C:\Users\Admin\AppData\Local\Temp\542C.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\ss41.exe
  "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2460
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2316
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:748
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:1404
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1724
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Manipulates WinMon driver.
      Manipulates WinMonFS driver.
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1500
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Creates scheduled task(s)
        
        PID:2656
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1560
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2696
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:756
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:608
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1680
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2308
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:548
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2740
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2392
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1072
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2040
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1636
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1812
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1960
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2932
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:1892
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        5⤵
        Executes dropped EXE
        
        PID:2776
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1324

C:\Users\Admin\AppData\Local\Temp\5FE1.exe
C:\Users\Admin\AppData\Local\Temp\5FE1.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:760

C:\Users\Admin\AppData\Local\Temp\70B3.exe
C:\Users\Admin\AppData\Local\Temp\70B3.exe
1⤵
PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230918184414.log C:\Windows\Logs\CBS\CbsPersist_20230918184414.cab
1⤵
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_61128A96103E2384545A7DBE712CF869

Filesize
472B

MD5
d281fce2707e4d03af467ca854f83111

SHA1
b0c50454ec97b8dd15e1a1e15a6b203be9d4b6b9

SHA256
78236e6ecac2a39afdfb01ec9cd2580b5fc0482757836cf13df046a8dea9b22b

SHA512
ec85f60a3c08ded5e8b217ddf5d765d456ab5acb283694fded0c4b54005d0984100d18ee13e65fcedf2f1994a2f19745f0fdd9e25c9121f2e4c4a40e65aae857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1241f095d49009053bfcbe0f83c9804f

SHA1
cb35baab7aa03956876d66cc0d8fa70c851b6ee8

SHA256
d15a90ed4a795d2a21bbe34ee4e660f77e8d728327201db5e67a584d0dd7571f

SHA512
de0f084f251d6d39c37e31a6c4e51127d7c7033fcfec94b7fa42a58678a32a3cb87f767c592eee182248d2d11eafd310dbcd747d51c384c0fa743f106a017128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b73c026a8a1201b96f8a6fa3b2b1c0d

SHA1
80157b3f75f3e8e2f303d853087f6123d3449c99

SHA256
0e21627348cf9f95e621803352f60138ed04c61bc606487251b37775174c2853

SHA512
074e095fa87eaf89a8fe3f8bae7ac06f25b69ca9b9e6531ddf60ff77d442b658289bacf81660038b593afa46fcf858c65e368acecfc5b28ffcc7b77220c6d3fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00218d5b1eb77585baafc00209e289c9

SHA1
0b49b18f3aadcaf2815e316791e9b709c0166067

SHA256
b3a03761cdc633aa14e2f816912f1b6f2bfba30015017843ceed9c2115533cd0

SHA512
c8b6f14e343a631df4d87d8d11f38e8bbfc15657cc6c671058fe94916f2b52f896a6c418be3951884aa06a17eeb5f4531d091bb7d90c7f3e7c92c1d0850241dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9e051be3ae009a2dc2ffc1d5c89b2a9

SHA1
380a649ce64fdb60e97b5622c856421298e44459

SHA256
c2045367d76c0a0f4db54b60296abc6b77342d7eabf152b4f786c091cac2209b

SHA512
b801a8053d42678c677103e56447e6d5c442f6136eefbd5f4a5e6179289117bb73292f902854df46c4ecb5dda27110ef1f72b593c330cf5f2bed9920687f87e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9d766d30554ea7515247063dbb329e6

SHA1
0c4e7c07be7c069e83420c4acc521db45e87ed25

SHA256
380eddc9de79b954b2e90269f4342e9a229895e3f93bb77ecdca6bfd6333e2c3

SHA512
b24431664155e2ef954ce4e564646222bd6b8d3cee813d26e59252d34b74feef7e8fb259b6f19e5d9d95ead5bae13c4304a811ade11cfa9692dcaf86f0ff7f24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27e787aac073da9bf0bc0e9673912116

SHA1
e025dc1d158173931ea148c7092ea415f966d328

SHA256
e458e74779a8d9d3eff7f2bbf8c82eb5401b054f0ad96edcc54a75e8a57ee140

SHA512
e48ce63b6da7b526ab28b461fc9c182cfbee6bbcc5f16815c673b8c29f364828e4c4a25c87110a77a4eb555d029a11efe900c18c4bc5593f815539fb9843eb9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27e787aac073da9bf0bc0e9673912116

SHA1
e025dc1d158173931ea148c7092ea415f966d328

SHA256
e458e74779a8d9d3eff7f2bbf8c82eb5401b054f0ad96edcc54a75e8a57ee140

SHA512
e48ce63b6da7b526ab28b461fc9c182cfbee6bbcc5f16815c673b8c29f364828e4c4a25c87110a77a4eb555d029a11efe900c18c4bc5593f815539fb9843eb9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27e787aac073da9bf0bc0e9673912116

SHA1
e025dc1d158173931ea148c7092ea415f966d328

SHA256
e458e74779a8d9d3eff7f2bbf8c82eb5401b054f0ad96edcc54a75e8a57ee140

SHA512
e48ce63b6da7b526ab28b461fc9c182cfbee6bbcc5f16815c673b8c29f364828e4c4a25c87110a77a4eb555d029a11efe900c18c4bc5593f815539fb9843eb9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27e787aac073da9bf0bc0e9673912116

SHA1
e025dc1d158173931ea148c7092ea415f966d328

SHA256
e458e74779a8d9d3eff7f2bbf8c82eb5401b054f0ad96edcc54a75e8a57ee140

SHA512
e48ce63b6da7b526ab28b461fc9c182cfbee6bbcc5f16815c673b8c29f364828e4c4a25c87110a77a4eb555d029a11efe900c18c4bc5593f815539fb9843eb9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21b88523dba5efaef2207e271a0e8a53

SHA1
1b8f6d6126ef75cd6a9c4bf8c75e214b4deac427

SHA256
042e447b87392b30eccfe47d1a5aa6bc5d6448d4d2f12a319f13fdb5b7f1383e

SHA512
88c38dc53dea2c498e6c20a8049d048f571ef9426ed00f57ff66871b8dfb75f50fcea531f9e2b0f10725cf435dd5e00676dd19088890f6a45056dea44f90df96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
152a7a67bb7e97ec30156e5b75ba4c07

SHA1
a5c810ebf1ab15fee63f514e4e5b4daf53347890

SHA256
6e6832b59bf1f53c9ac88577d39a1b9e1102d2a7e1a920849ca4d8ce0fa70974

SHA512
1534b6b99b18f33193db70dc935a76736d2c05fc557274d0c7a5f7ca2c8ea8f525277806cfe5f862e13fe600cbebed8ce25a8b73febb181be17d721ddc295649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38f8a63ec9545f4bdf13bfdd5f532a10

SHA1
50526dac12ac10231f49df29386f58b278216eca

SHA256
a474f50b3b8082eb709fd80ad5e062888e5dbce5857281ff73e5b3ea5355cd4b

SHA512
a129f419613d8dcdae2597713ac987cd7fc7093439d9e3261948a0387b339837c7dc3d48d2e86a3c2f3464c0bcff9d063583e0b82f1d35fd773be8a7559d8195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbe0d5963184ee330d3350eda38729f2

SHA1
b56f2dd6861206316a9c36d1a8a4dbc0b8ff1bf7

SHA256
1d3a3486b0258075d7c456b206afeaf19f76a9cb5d230c9727da12b55bd67bc2

SHA512
7ed8e161b951aecaa545e245f6560b20b5fb94b479a20a9ef19faa83504c3dcc5fe6b8a1d50975ea45fb5acb8ef79fda1d19cb687822307de7d8367f312a6b2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb4e4e1c99bb789802a4f489493de46b

SHA1
63fbaecb93e7f149aae691d2c747c23585a8b26a

SHA256
e4d0713a9031febae28d5a8193364cfb5d5912705ef9eb54c89683aa9df9d894

SHA512
2c30a9fd3243c889554898d58f1113a1a4f028e9d5fdfbf191817ec8b2cfc425484edc09fc40e44df8daff9e45a5beb74369eb05d602871253804739f72383da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1241f095d49009053bfcbe0f83c9804f

SHA1
cb35baab7aa03956876d66cc0d8fa70c851b6ee8

SHA256
d15a90ed4a795d2a21bbe34ee4e660f77e8d728327201db5e67a584d0dd7571f

SHA512
de0f084f251d6d39c37e31a6c4e51127d7c7033fcfec94b7fa42a58678a32a3cb87f767c592eee182248d2d11eafd310dbcd747d51c384c0fa743f106a017128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_61128A96103E2384545A7DBE712CF869

Filesize
410B

MD5
926785525429410c06e716df3fa8e6bc

SHA1
2af8f0310d804cbf0cece3c824eafbffb7b03548

SHA256
f2a1d6b8b8f09608720a330f433d46c76823acd21b804a0f94370615fb68127f

SHA512
0b3251a4b9b890e2347bb1b067af35915f33e94869077a95d2246e5a257347bb28135713d95eedf73689fa89f39eec0d0d81d2e87259724128be3faa0df04082

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_61128A96103E2384545A7DBE712CF869

Filesize
410B

MD5
d338a2c9a57db173bcd1f3c92f4d2e2a

SHA1
58848fea7a980d9f702ebe2ff6ba6810d94a9364

SHA256
2df42388b005f9854b2d530f6ef286da686b20c35947190fe77ff0e8fcb90f6e

SHA512
685ab644aff50cc999de3340f61a59b23c6be66faf6c04da9e4adeced1e1d7f29e467776d07301979462cde7a990944d902f135826f83bb1d8688994b6ccc018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{530E0C81-5653-11EE-B87C-CE1068F0F1D9}.dat

Filesize
5KB

MD5
1563a1033863fdab46f5f515fc3abdb5

SHA1
24b139ec50c440264842b9dbd36387281c875b9c

SHA256
f9c9cc697e3a924160124c19104e09b19ef7c0030768e8e641dcc2fd1e92c9e4

SHA512
d43663476df159c715ee5a93bbceb17726554911d33f8fd919f30ac70f32fd5659ba92617dbb9d2468d25633cce913ea9075031e938ba842bdb8fa1c085089b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bucspth\imagestore.dat

Filesize
4KB

MD5
8a4cdcffdc18ffced978a4a35b85f1ac

SHA1
16e205512049a9a7d5303510f70057acba580b22

SHA256
11cbe3daf144c930df58ed37861a6474fb943783c53c492c3785c50a9912a25f

SHA512
0c0c2f3ae3af485e175a779c6646c504433d7d852cf35cb754cd966e52aff076e2ab8f12f9cc643a1c5fab53a19a9f969a275b4086eb8e08f6d2259548ac6597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bucspth\imagestore.dat

Filesize
9KB

MD5
ccaa44b32aff416616ba77fad2d7d2e5

SHA1
243325f13fb7cb7f1f5effa7080b616f304b49e8

SHA256
6fdbe61a018784303e878c96e4b2eb137353164fd06532b21a1cb5913de3f03a

SHA512
15b3115c6831ca7893af4b82c72075bb285859ca858b98506d5b844be8b1fe48b352e9d5e4786a57300f27a3ea27d975ff42a41810ad7e157dde9d067818681a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NO1NR40C\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NO1NR40C\hLRJ1GG_y0J[1].ico

Filesize
4KB

MD5
8cddca427dae9b925e73432f8733e05a

SHA1
1999a6f624a25cfd938eef6492d34fdc4f55dedc

SHA256
89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62

SHA512
20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJKHGHKT\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fv5b.CPL

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
C:\Users\Admin\AppData\Local\Temp\42EA.exe

Filesize
341KB

MD5
8669fe397a7225ede807202f6a9d8390

SHA1
04a806a5c4218cb703cba85d3e636d0c8cbae043

SHA256
1624a759791e49ce8f79dd249d3ac2aede589ffbe53db342e4c99e2fbbc1b90e

SHA512
29cad49434172a910ba7635058ecc02aacf43f648ee98b2c47c561332403a96847b5da817358095f7638295b238de8874bf34fb393670096bbf3caeb388a9c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\42EA.exe

Filesize
341KB

MD5
8669fe397a7225ede807202f6a9d8390

SHA1
04a806a5c4218cb703cba85d3e636d0c8cbae043

SHA256
1624a759791e49ce8f79dd249d3ac2aede589ffbe53db342e4c99e2fbbc1b90e

SHA512
29cad49434172a910ba7635058ecc02aacf43f648ee98b2c47c561332403a96847b5da817358095f7638295b238de8874bf34fb393670096bbf3caeb388a9c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\44FD.exe

Filesize
412KB

MD5
5200fbe07521eb001f145afb95d40283

SHA1
df6cfdf15b58a0bb24255b3902886dc375f3346f

SHA256
00c3f29f9a8aec0774256501c562275e2d866f0130a2b8a58d74003c6c77e812

SHA512
c38359959ce1083f94d2206d1b4b317e8c5d493168013b4e8c406acb5a55fd4f85ec7ce4d5e400b9105fd82eae3d6301d52346f040a64c09981185c66f2cbf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BF0.exe

Filesize
1.7MB

MD5
9783bec4f09c7463038cab0749c39ffe

SHA1
563de407668db64db3ea1361b7a642d9bc6d0e5b

SHA256
ad7a72ce76aedde5a34f8e586ed4138be0a24a870f6f32e45ae3f9319d5fb476

SHA512
6efa8f3431bcc8de3f6be6ca144aa9a8207bc71095e6bd50f14cdc0ed8ec413d4ecc8260c45cb6f0796fffb625fcbb88233e569c179f35cc9a3882730810c777

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BF0.exe

Filesize
1.7MB

MD5
9783bec4f09c7463038cab0749c39ffe

SHA1
563de407668db64db3ea1361b7a642d9bc6d0e5b

SHA256
ad7a72ce76aedde5a34f8e586ed4138be0a24a870f6f32e45ae3f9319d5fb476

SHA512
6efa8f3431bcc8de3f6be6ca144aa9a8207bc71095e6bd50f14cdc0ed8ec413d4ecc8260c45cb6f0796fffb625fcbb88233e569c179f35cc9a3882730810c777

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D58.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\4D58.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\542C.exe

Filesize
4.6MB

MD5
b32d5a382373d7df0c1fec9f15f0724a

SHA1
472fc4c27859f39e8b9a0bf784949f72944dc52b

SHA256
010fe481ba6275ebbf71e102e66d73f5d819252f2b4b1893d2acf53c04f4200f

SHA512
1320be23719f86e043beaeea8affa9ab125a68a1210f596c4424d4a5a2a9ef72eb572578897722842ad0586afe1d669ff816648ea3eeb3aa0b8379c9066da3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5FE1.exe

Filesize
1.3MB

MD5
ee88a284fb166e55f13a75ea3096d22c

SHA1
8d1ca81068a1286f89ce4bc23a4ce3d3e5bf64e4

SHA256
0fc6f52cae946a367dca16728eab871b1610fc044c2bc3d5ab640a71e49e50a1

SHA512
aadde4249c9ee5db44abc503dcc58e06ab305951b2ee37c432f1013cfed67e8734eb7dc833cf920784f79a7e599125ee8a10ba95cbe769779bea562799080dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\70B3.exe

Filesize
1.3MB

MD5
6d52fc20fc9abf70dcdefb26ac76a19e

SHA1
e6434e73d48f6daf0d5652140e777787d05b67b7

SHA256
7d894c6acba11d5280e7183805c11c36a7dd93ef4f650a2671c827fa59265a37

SHA512
83a4e7cb8936b45f46f069ce63d6027a38ff7364290d2f8c4105f931c6923737415f51f20bc7890bc32d3de107f02e3aebecd62788d10c426e0e6d641d79642e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6DA3.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F4A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
298KB

MD5
8bd874c0500c7112d04cfad6fda75524

SHA1
d04a20e3bb7ffe5663f69c870457ad4edeb00192

SHA256
22aa36bd2f8ace8d959f22cf0e99bfe1d3fd655c075aa14a3232fb9e0f35adc2

SHA512
d6c43d5a5d1bfca1dddfb6283eafcd1f274e52812ccfee877298dfc74930fe6a8ec7035f95107600742ef19a630bee3ca3fab1fc7ab3ff717bea8f8c05e384d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
298KB

MD5
8bd874c0500c7112d04cfad6fda75524

SHA1
d04a20e3bb7ffe5663f69c870457ad4edeb00192

SHA256
22aa36bd2f8ace8d959f22cf0e99bfe1d3fd655c075aa14a3232fb9e0f35adc2

SHA512
d6c43d5a5d1bfca1dddfb6283eafcd1f274e52812ccfee877298dfc74930fe6a8ec7035f95107600742ef19a630bee3ca3fab1fc7ab3ff717bea8f8c05e384d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
fccd5785d54697b968ebe3c55641c4b3

SHA1
f3353f2cfb27100ea14ae6ad02a72f834694fbf3

SHA256
757568f5af7731014baf25b6941c179d14b2041d2aa8a43e482a942e99d86f82

SHA512
0360e3c3469219f6c13ab3bd0c47304c6bb1319463c4102433156400ebfbf468b88f9b469eeb01e78ed32021adb93d52e9dd410dcc9d44e5dbee67f9a51aed6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
fccd5785d54697b968ebe3c55641c4b3

SHA1
f3353f2cfb27100ea14ae6ad02a72f834694fbf3

SHA256
757568f5af7731014baf25b6941c179d14b2041d2aa8a43e482a942e99d86f82

SHA512
0360e3c3469219f6c13ab3bd0c47304c6bb1319463c4102433156400ebfbf468b88f9b469eeb01e78ed32021adb93d52e9dd410dcc9d44e5dbee67f9a51aed6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
fccd5785d54697b968ebe3c55641c4b3

SHA1
f3353f2cfb27100ea14ae6ad02a72f834694fbf3

SHA256
757568f5af7731014baf25b6941c179d14b2041d2aa8a43e482a942e99d86f82

SHA512
0360e3c3469219f6c13ab3bd0c47304c6bb1319463c4102433156400ebfbf468b88f9b469eeb01e78ed32021adb93d52e9dd410dcc9d44e5dbee67f9a51aed6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
fccd5785d54697b968ebe3c55641c4b3

SHA1
f3353f2cfb27100ea14ae6ad02a72f834694fbf3

SHA256
757568f5af7731014baf25b6941c179d14b2041d2aa8a43e482a942e99d86f82

SHA512
0360e3c3469219f6c13ab3bd0c47304c6bb1319463c4102433156400ebfbf468b88f9b469eeb01e78ed32021adb93d52e9dd410dcc9d44e5dbee67f9a51aed6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LV0W1I27.txt

Filesize
608B

MD5
135546de659c640c3cd55c239df9593b

SHA1
91e06cdf1ace5adb5cf50517a1faf9e0c06c7ea3

SHA256
f3a088663570894e7baef2387b2390b6ee5a00708a09aab57fbce4f674f6d4cc

SHA512
1577acc0a8b49362114c9c3e35d7e3cca905d76d439b3544de38eef8afc35112e881f886ebfc36976fdabe3f8ec47d55ed3edd523870cbb82e675ddde358c3fc

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
\Users\Admin\AppData\Local\Temp\3fv5b.cpl

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
\Users\Admin\AppData\Local\Temp\3fv5b.cpl

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
\Users\Admin\AppData\Local\Temp\3fv5b.cpl

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
\Users\Admin\AppData\Local\Temp\3fv5b.cpl

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
\Users\Admin\AppData\Local\Temp\3fv5b.cpl

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
\Users\Admin\AppData\Local\Temp\3fv5b.cpl

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
\Users\Admin\AppData\Local\Temp\3fv5b.cpl

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
\Users\Admin\AppData\Local\Temp\3fv5b.cpl

Filesize
1.4MB

MD5
46e52c1934680f078dc9c8d945891752

SHA1
42465cbb04b0f2c1d1858f5a3d1bb3174ad024dc

SHA256
53ace6b74aff50bc422f5ca3362f58cb33ed24a8817acc5f09fdfe6a922d0213

SHA512
367a0b960860e0aff56cc850590e5d49f348645977c8e99a4f5f2604edbd539b2ea9cee1ec8428f5ae5ebb25e0071783127400b9faa95d190dfbcd0bb45de524

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
298KB

MD5
8bd874c0500c7112d04cfad6fda75524

SHA1
d04a20e3bb7ffe5663f69c870457ad4edeb00192

SHA256
22aa36bd2f8ace8d959f22cf0e99bfe1d3fd655c075aa14a3232fb9e0f35adc2

SHA512
d6c43d5a5d1bfca1dddfb6283eafcd1f274e52812ccfee877298dfc74930fe6a8ec7035f95107600742ef19a630bee3ca3fab1fc7ab3ff717bea8f8c05e384d8

Download Submit
\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
298KB

MD5
8bd874c0500c7112d04cfad6fda75524

SHA1
d04a20e3bb7ffe5663f69c870457ad4edeb00192

SHA256
22aa36bd2f8ace8d959f22cf0e99bfe1d3fd655c075aa14a3232fb9e0f35adc2

SHA512
d6c43d5a5d1bfca1dddfb6283eafcd1f274e52812ccfee877298dfc74930fe6a8ec7035f95107600742ef19a630bee3ca3fab1fc7ab3ff717bea8f8c05e384d8

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
fccd5785d54697b968ebe3c55641c4b3

SHA1
f3353f2cfb27100ea14ae6ad02a72f834694fbf3

SHA256
757568f5af7731014baf25b6941c179d14b2041d2aa8a43e482a942e99d86f82

SHA512
0360e3c3469219f6c13ab3bd0c47304c6bb1319463c4102433156400ebfbf468b88f9b469eeb01e78ed32021adb93d52e9dd410dcc9d44e5dbee67f9a51aed6d

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
fccd5785d54697b968ebe3c55641c4b3

SHA1
f3353f2cfb27100ea14ae6ad02a72f834694fbf3

SHA256
757568f5af7731014baf25b6941c179d14b2041d2aa8a43e482a942e99d86f82

SHA512
0360e3c3469219f6c13ab3bd0c47304c6bb1319463c4102433156400ebfbf468b88f9b469eeb01e78ed32021adb93d52e9dd410dcc9d44e5dbee67f9a51aed6d

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
227KB

MD5
fccd5785d54697b968ebe3c55641c4b3

SHA1
f3353f2cfb27100ea14ae6ad02a72f834694fbf3

SHA256
757568f5af7731014baf25b6941c179d14b2041d2aa8a43e482a942e99d86f82

SHA512
0360e3c3469219f6c13ab3bd0c47304c6bb1319463c4102433156400ebfbf468b88f9b469eeb01e78ed32021adb93d52e9dd410dcc9d44e5dbee67f9a51aed6d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
637f73095de9f62dc6fcfbe9b3f6d3d6

SHA1
708771d9413e7df69189d2a0c283ec72bd63d99e

SHA256
6a678e471f24d7560be7cda7a49a34b4f0c2cb279b779984e5f002be3dfacf1d

SHA512
00d4d05c7b894d4c52dcbc75d555c76f966defed1934747ffe4a29d8dc1b426fad021a02a5e221dd583ac86d67661a6b9cddde13ad1465546439f52ed567aeb5

Download Submit
memory/568-747-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/568-738-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/568-736-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/568-737-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/568-749-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/748-187-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/748-138-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/748-142-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/748-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/760-156-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/760-166-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/760-157-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/760-163-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/760-205-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/760-468-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/760-164-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/760-1026-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/760-485-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/760-161-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/760-167-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1252-186-0x0000000002F00000-0x0000000002F16000-memory.dmp

Filesize
88KB

Download
memory/1252-5-0x0000000002A40000-0x0000000002A56000-memory.dmp

Filesize
88KB

Download
memory/1500-1027-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1500-1066-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1500-1046-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1500-1028-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1500-748-0x0000000002630000-0x0000000002A28000-memory.dmp

Filesize
4.0MB

Download
memory/1500-750-0x0000000002630000-0x0000000002A28000-memory.dmp

Filesize
4.0MB

Download
memory/1660-153-0x00000000012C0000-0x0000000001468000-memory.dmp

Filesize
1.7MB

Download
memory/1660-165-0x00000000012C0000-0x0000000001468000-memory.dmp

Filesize
1.7MB

Download
memory/1660-154-0x00000000012C0000-0x0000000001468000-memory.dmp

Filesize
1.7MB

Download
memory/1920-712-0x00000000027B0000-0x00000000028A2000-memory.dmp

Filesize
968KB

Download
memory/1920-732-0x00000000027B0000-0x00000000028A2000-memory.dmp

Filesize
968KB

Download
memory/1920-709-0x00000000027B0000-0x00000000028A2000-memory.dmp

Filesize
968KB

Download
memory/1920-708-0x00000000026A0000-0x00000000027AC000-memory.dmp

Filesize
1.0MB

Download
memory/1920-324-0x0000000000190000-0x0000000000196000-memory.dmp

Filesize
24KB

Download
memory/2300-735-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2300-146-0x0000000002A90000-0x000000000337B000-memory.dmp

Filesize
8.9MB

Download
memory/2300-135-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/2300-248-0x0000000002A90000-0x000000000337B000-memory.dmp

Filesize
8.9MB

Download
memory/2300-155-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2300-451-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2300-449-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2300-145-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/2316-133-0x00000000008B0000-0x00000000009B0000-memory.dmp

Filesize
1024KB

Download
memory/2316-134-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2372-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2372-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2372-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2372-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2372-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2372-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2460-115-0x00000000FF600000-0x00000000FF64E000-memory.dmp

Filesize
312KB

Download
memory/2460-482-0x00000000026C0000-0x00000000027F1000-memory.dmp

Filesize
1.2MB

Download
memory/2460-479-0x0000000003490000-0x0000000003601000-memory.dmp

Filesize
1.4MB

Download
memory/2460-751-0x00000000026C0000-0x00000000027F1000-memory.dmp

Filesize
1.2MB

Download
memory/2516-23-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/2516-28-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-144-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2656-245-0x0000000000890000-0x0000000000A38000-memory.dmp

Filesize
1.7MB

Download
memory/2656-232-0x0000000000890000-0x0000000000A38000-memory.dmp

Filesize
1.7MB

Download
memory/2656-230-0x0000000000890000-0x0000000000A38000-memory.dmp

Filesize
1.7MB

Download
memory/2672-29-0x0000000007260000-0x00000000072A0000-memory.dmp

Filesize
256KB

Download
memory/2672-1029-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-143-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-17-0x0000000000280000-0x00000000002DA000-memory.dmp

Filesize
360KB

Download
memory/2672-22-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/2672-152-0x0000000007260000-0x00000000072A0000-memory.dmp

Filesize
256KB

Download
memory/2696-998-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2696-980-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2816-272-0x0000000010000000-0x0000000010165000-memory.dmp

Filesize
1.4MB

Download
memory/2816-99-0x0000000010000000-0x0000000010165000-memory.dmp

Filesize
1.4MB

Download
memory/2816-98-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2816-229-0x00000000024C0000-0x00000000025CC000-memory.dmp

Filesize
1.0MB

Download
memory/2816-254-0x00000000026E0000-0x00000000027D2000-memory.dmp

Filesize
968KB

Download
memory/2816-250-0x00000000026E0000-0x00000000027D2000-memory.dmp

Filesize
968KB

Download
memory/2816-273-0x00000000026E0000-0x00000000027D2000-memory.dmp

Filesize
968KB

Download
memory/3032-249-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-252-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/3032-1025-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-713-0x0000000074220000-0x000000007490E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-733-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download