dcrat | 14f12ce7401d5053a66773e6700addad23fc1d4e64bddabbc445ab198e477647

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
30/09/2023, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

427KB
MD5

8cec8da3bda33b1200b5fd2292c6e62c
SHA1

c0f8fd0e784d1fd50ea38a72c1900532bbe2814a
SHA256

14f12ce7401d5053a66773e6700addad23fc1d4e64bddabbc445ab198e477647
SHA512

5723d30bc9b440a725e03a5c8206d7d41861948211a445be65b8a033c8320d7426c3251f2ec408a705169c055ded6757ea55e4c93cbbc70859a4847008a5518c
SSDEEP

6144:K8y+bnr+tp0yN90QEPAYwyWLwAWN7ayGG5cP+a1JMl5rfz4TC6cc48J8EYWQbM:YMrxy905YyWXejpkHgz4TVrTYrM

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Signatures

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2720	schtasks.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""		file.exe
		2128	schtasks.exe
		1304	schtasks.exe

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/1584-1154-0x0000000003660000-0x0000000003791000-memory.dmp	family_fabookie
behavioral1/memory/1584-1187-0x0000000003660000-0x0000000003791000-memory.dmp	family_fabookie

Detected google phishing page
phishing google
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

resource	yara_rule
behavioral1/memory/1892-1008-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1892-1020-0x0000000004930000-0x000000000521B000-memory.dmp	family_glupteba
behavioral1/memory/1892-1157-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1892-1158-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1892-1171-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1060-1177-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1060-1186-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1194-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1273-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1292-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1296-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1329-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1333-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1363-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1367-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1373-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2244-1385-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001a492-977.dat	family_redline
behavioral1/memory/2812-992-0x0000000001090000-0x00000000010EA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 2920 created 1272	2920	FA2E.exe	21
PID 2920 created 1272	2920	FA2E.exe	21
PID 2920 created 1272	2920	FA2E.exe	21
PID 2920 created 1272	2920	FA2E.exe	21

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2268	bcdedit.exe
2852	bcdedit.exe
2884	bcdedit.exe
2564	bcdedit.exe
1620	bcdedit.exe
1436	bcdedit.exe
1768	bcdedit.exe
1940	bcdedit.exe
2588	bcdedit.exe
1172	bcdedit.exe
764	bcdedit.exe
2988	bcdedit.exe
2728	bcdedit.exe
1756	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2132	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Executes dropped EXE 30 IoCs

pid	Process
2100	v3347808.exe
2180	a5934857.exe
2792	93E6.exe
2660	94D1.exe
2532	x9185365.exe
2536	x3490328.exe
1968	x9179884.exe
1044	x1354664.exe
320	9956.exe
756	g0286977.exe
1656	E5E1.exe
1584	ss41.exe
2812	E92D.exe
1372	toolspub2.exe
1892	31839b57a4f11171d6abc8bbc4451ee4.exe
1788	kos1.exe
1524	toolspub2.exe
2920	FA2E.exe
1764	set16.exe
652	kos.exe
2432	is-CPI4D.tmp
2036	previewer.exe
2484	previewer.exe
1060	31839b57a4f11171d6abc8bbc4451ee4.exe
2244	csrss.exe
1704	patch.exe
1904	injector.exe
2764	dsefix.exe
908	windefender.exe
2852	windefender.exe

Loads dropped DLL 64 IoCs

pid	Process
2956	file.exe
2100	v3347808.exe
2100	v3347808.exe
2100	v3347808.exe
2180	a5934857.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2612	WerFault.exe
2792	93E6.exe
2792	93E6.exe
2532	x9185365.exe
2532	x9185365.exe
2536	x3490328.exe
2536	x3490328.exe
1968	x9179884.exe
1968	x9179884.exe
1044	x1354664.exe
876	WerFault.exe
876	WerFault.exe
876	WerFault.exe
1044	x1354664.exe
1044	x1354664.exe
876	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
2472	WerFault.exe
756	g0286977.exe
2472	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
1656	E5E1.exe
1656	E5E1.exe
1656	E5E1.exe
1656	E5E1.exe
1656	E5E1.exe
1656	E5E1.exe
1372	toolspub2.exe
1656	E5E1.exe
1272	Explorer.EXE
1788	kos1.exe
1764	set16.exe
1764	set16.exe
1764	set16.exe
1788	kos1.exe
1764	set16.exe
2432	is-CPI4D.tmp
2432	is-CPI4D.tmp
2432	is-CPI4D.tmp
2432	is-CPI4D.tmp
2432	is-CPI4D.tmp
2036	previewer.exe
2036	previewer.exe
2432	is-CPI4D.tmp
2484	previewer.exe
2484	previewer.exe
1060	31839b57a4f11171d6abc8bbc4451ee4.exe
1060	31839b57a4f11171d6abc8bbc4451ee4.exe
824	Process not Found
1704	patch.exe
1704	patch.exe
1704	patch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/908-1374-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2852-1379-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/908-1382-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2852-1389-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	x1354664.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3347808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	93E6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	x3490328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9185365.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	x9179884.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2180 set thread context of 3064	2180	a5934857.exe	31
PID 1372 set thread context of 1524	1372	toolspub2.exe	62

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PA Previewer\is-2NGGJ.tmp	is-CPI4D.tmp
File created	C:\Program Files (x86)\PA Previewer\is-R11RL.tmp	is-CPI4D.tmp
File created	C:\Program Files (x86)\PA Previewer\is-EVHU8.tmp	is-CPI4D.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-CPI4D.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-CPI4D.tmp
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-CPI4D.tmp
File created	C:\Program Files (x86)\PA Previewer\is-02IRK.tmp	is-CPI4D.tmp

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20230930221108.cab	Process not Found
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2824	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2612	2180	WerFault.exe	29
876	2660	WerFault.exe	34
2472	320	WerFault.exe	43
2248	756	WerFault.exe	44

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2128	schtasks.exe
1304	schtasks.exe
2720	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac200000000020000000000106600000001000020000000c0dfb669cc50837be9c29d87f1ddbcd7d95f06b3e9c290a1fb12b0444b305c27000000000e8000000002000020000000cabfca919339e31fef3f6e413e298f0576f65489895c3bb8903e35608a2907fd900000003b8478ecbec56e9aca637aceee03b4b176de3627445137dc8217e68740af9ab3c1c75a3b94670c6cc32cda8fdc0e951f2c9e81da6176f51454767da8af2e2425123b28eb624bac04067e0003927f6e3200878bb3902ad70361a1989fe23bd1f75b88fe4f07c048791f26b57a4dec917d68534a769f91ce935b6021258fb5482b00440a136f1f7c968f424908322de0a740000000525c32654c1187eafc2f1c4d3f309f8562888f4c13d88de481c29f020e9f47a1816df4416e42c09c61702db45570bd58f769ab70df4f5c96b571dc32c9d4c548	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402876816"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f908080c5c8cf442941c5db076e34ac2000000000200000000001066000000010000200000001b2762cae986f1286cb3d69b2afa2a2928f562b2e53367783104fd32cbf04e11000000000e80000000020000200000004b578bc138b8245b869bb2f3065d1d35cec0eb952b803c1f893f2602309c6647200000005509d7591586d460fbf12879929b5392e8e59f2aead4ce679047a25fb0cfbfd1400000001b4945b421615055fba4fb881d670ef01e7f6818e00549cd42677303bc692392b8f6b403c06111436f2d2a3e59c0e06098ff8366dfc860138b15f5a54d2d54d2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{315CF491-5FDE-11EE-90AA-FAEDD45E79E3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{31A6BF31-5FDE-11EE-90AA-FAEDD45E79E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0424c08ebf3d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e419000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ss41.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ss41.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ss41.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ss41.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	AppLaunch.exe
3064	AppLaunch.exe
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3064	AppLaunch.exe
1524	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeDebugPrivilege	2036	previewer.exe
Token: SeDebugPrivilege	652	kos.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeDebugPrivilege	2812	E92D.exe
Token: SeDebugPrivilege	2484	previewer.exe
Token: SeDebugPrivilege	1892	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1892	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeShutdownPrivilege	972	powercfg.exe
Token: SeShutdownPrivilege	2408	powercfg.exe
Token: SeShutdownPrivilege	1904	injector.exe
Token: SeShutdownPrivilege	2988	powercfg.exe
Token: SeSystemEnvironmentPrivilege	2244	csrss.exe
Token: SeSecurityPrivilege	2824	sc.exe
Token: SeSecurityPrivilege	2824	sc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1232	iexplore.exe
392	iexplore.exe
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1232	iexplore.exe
1232	iexplore.exe
1824	IEXPLORE.EXE
1824	IEXPLORE.EXE
392	iexplore.exe
392	iexplore.exe
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2100	2956	file.exe	28
PID 2956 wrote to memory of 2100	2956	file.exe	28
PID 2956 wrote to memory of 2100	2956	file.exe	28
PID 2956 wrote to memory of 2100	2956	file.exe	28
PID 2956 wrote to memory of 2100	2956	file.exe	28
PID 2956 wrote to memory of 2100	2956	file.exe	28
PID 2956 wrote to memory of 2100	2956	file.exe	28
PID 2100 wrote to memory of 2180	2100	v3347808.exe	29
PID 2100 wrote to memory of 2180	2100	v3347808.exe	29
PID 2100 wrote to memory of 2180	2100	v3347808.exe	29
PID 2100 wrote to memory of 2180	2100	v3347808.exe	29
PID 2100 wrote to memory of 2180	2100	v3347808.exe	29
PID 2100 wrote to memory of 2180	2100	v3347808.exe	29
PID 2100 wrote to memory of 2180	2100	v3347808.exe	29
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 3064	2180	a5934857.exe	31
PID 2180 wrote to memory of 2612	2180	a5934857.exe	32
PID 2180 wrote to memory of 2612	2180	a5934857.exe	32
PID 2180 wrote to memory of 2612	2180	a5934857.exe	32
PID 2180 wrote to memory of 2612	2180	a5934857.exe	32
PID 2180 wrote to memory of 2612	2180	a5934857.exe	32
PID 2180 wrote to memory of 2612	2180	a5934857.exe	32
PID 2180 wrote to memory of 2612	2180	a5934857.exe	32
PID 1272 wrote to memory of 2792	1272	Explorer.EXE	33
PID 1272 wrote to memory of 2792	1272	Explorer.EXE	33
PID 1272 wrote to memory of 2792	1272	Explorer.EXE	33
PID 1272 wrote to memory of 2792	1272	Explorer.EXE	33
PID 1272 wrote to memory of 2792	1272	Explorer.EXE	33
PID 1272 wrote to memory of 2792	1272	Explorer.EXE	33
PID 1272 wrote to memory of 2792	1272	Explorer.EXE	33
PID 1272 wrote to memory of 2660	1272	Explorer.EXE	34
PID 1272 wrote to memory of 2660	1272	Explorer.EXE	34
PID 1272 wrote to memory of 2660	1272	Explorer.EXE	34
PID 1272 wrote to memory of 2660	1272	Explorer.EXE	34
PID 2792 wrote to memory of 2532	2792	93E6.exe	36
PID 2792 wrote to memory of 2532	2792	93E6.exe	36
PID 2792 wrote to memory of 2532	2792	93E6.exe	36
PID 2792 wrote to memory of 2532	2792	93E6.exe	36
PID 2792 wrote to memory of 2532	2792	93E6.exe	36
PID 2792 wrote to memory of 2532	2792	93E6.exe	36
PID 2792 wrote to memory of 2532	2792	93E6.exe	36
PID 2532 wrote to memory of 2536	2532	x9185365.exe	37
PID 2532 wrote to memory of 2536	2532	x9185365.exe	37
PID 2532 wrote to memory of 2536	2532	x9185365.exe	37
PID 2532 wrote to memory of 2536	2532	x9185365.exe	37
PID 2532 wrote to memory of 2536	2532	x9185365.exe	37
PID 2532 wrote to memory of 2536	2532	x9185365.exe	37
PID 2532 wrote to memory of 2536	2532	x9185365.exe	37
PID 1272 wrote to memory of 2132	1272	Explorer.EXE	38
PID 1272 wrote to memory of 2132	1272	Explorer.EXE	38
PID 1272 wrote to memory of 2132	1272	Explorer.EXE	38
PID 2536 wrote to memory of 1968	2536	x3490328.exe	40
PID 2536 wrote to memory of 1968	2536	x3490328.exe	40
PID 2536 wrote to memory of 1968	2536	x3490328.exe	40
PID 2536 wrote to memory of 1968	2536	x3490328.exe	40
PID 2536 wrote to memory of 1968	2536	x3490328.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - DcRat
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 36
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2612
- C:\Users\Admin\AppData\Local\Temp\93E6.exe
  C:\Users\Admin\AppData\Local\Temp\93E6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9185365.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9185365.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3490328.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3490328.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x9179884.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x9179884.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1968
      - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\x1354664.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\x1354664.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 32
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:2248
- C:\Users\Admin\AppData\Local\Temp\94D1.exe
  C:\Users\Admin\AppData\Local\Temp\94D1.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:876
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\96C5.bat" "
  2⤵
  PID:2132
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1232
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1824
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:392
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2092
- C:\Users\Admin\AppData\Local\Temp\9956.exe
  C:\Users\Admin\AppData\Local\Temp\9956.exe
  2⤵
  - Executes dropped EXE
  PID:320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 36
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2472
- C:\Users\Admin\AppData\Local\Temp\E5E1.exe
  C:\Users\Admin\AppData\Local\Temp\E5E1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\ss41.exe
    "C:\Users\Admin\AppData\Local\Temp\ss41.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:1524
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:1060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2296
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2132
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1304
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1704
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2268
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2852
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2884
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2564
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1620
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1436
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1768
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1940
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2588
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1172
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:764
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2988
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2728
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1756
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:2764
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2720
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
- - C:\Users\Admin\AppData\Local\Temp\kos1.exe
    "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\set16.exe
      "C:\Users\Admin\AppData\Local\Temp\set16.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\is-JV33U.tmp\is-CPI4D.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JV33U.tmp\is-CPI4D.tmp" /SL4 $702DE "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:2432
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 8
        6⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 8
        7⤵
        
        PID:2408
      - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - C:\Program Files (x86)\PA Previewer\previewer.exe
        
        "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\kos.exe
      "C:\Users\Admin\AppData\Local\Temp\kos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:652
- C:\Users\Admin\AppData\Local\Temp\E92D.exe
  C:\Users\Admin\AppData\Local\Temp\E92D.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\FA2E.exe
  C:\Users\Admin\AppData\Local\Temp\FA2E.exe
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:2920
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1496
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:1904
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1720
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:2128
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1596

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230930221108.log C:\Windows\Logs\CBS\CbsPersist_20230930221108.cab
1⤵
PID:2144

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

Filesize
471B

MD5
3c85c63522b8d9311fd17b60cc3f0245

SHA1
05c4621bf02336bf463bc9247c63e2cf7ea7afca

SHA256
3c7cbe3679e411d320ca86d457cfc507d2f4b8e127d8d2748b9758fd79b0c7b4

SHA512
f548fa65114b27ce881e4782b43f0fe5478d3f6264ef286a9fb57a9996c706bad089096aa87650a26d3fa14361903c14c6c2eb0dc7bc6b1f9c6e6c273666676e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1727edeacff0988d23e33a4aacddb09a

SHA1
6bc48aea44750a354e175ebb4c3b1682ce2ce14c

SHA256
362bd24a6d0a778ff9d9c09315505e9e7950843cab457ac8c81d2ca4e7d7cba9

SHA512
1c87cf96c2ad556080a614c64948597b170bd0c0c9f9234b8b10a087a847c39aa96d3c17feeb9e30fc9da3494b9653d4e8742b31f962a4d61499b2bf8be7a617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cdd18b79de04af3efe273ccee0e5543a

SHA1
02696d2eb05f168d5828178ef66d81809970221a

SHA256
80926dc44e670f24459500f223b07e71127880c09cc113ee0de4b5ddf3179016

SHA512
91ac0af6bb159efb9ca41621d4f7f41b75df067ecf4ef935c5b436cc9dd43dbf54078a97915c45261d3768ed45613af48c404a1831be81c1758927c327410312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c9779a2183badf4071c2faf5f37bba3

SHA1
f0deead4f9389f8bf6b36c8e1a3692098e653bcd

SHA256
2e696237d1d3d80715bb1ecb385b9f197c230f9346c39c950c5bf9fca3431703

SHA512
d3b81d3e96ce4532c2e584d32c093e969f7d4e15422767f552c105499d5877ef29ce3b8611a42b1b4319cd1a84ceca5953cdd2e0ceba4353a3ee2f212749c35a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16705a63a36400834d60f35cb507034b

SHA1
6cf4617934f4d23fe02aaffa405805573e7dd6fc

SHA256
7ef41d858c519b14cab814aff8e1699322681413d94bfaeb28fbda05be135fa7

SHA512
175e099ebe7f7901185c639a0062427a567b3630c8967c883cdc6a6d351473134642b33624baadc3b16bb9d1e468f5bd37d9fa5a8bf31350c81c5c3879ab27b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8b284ff43eec394fcf56a5a73ddb0c8

SHA1
65bd04289d901a72f7ef3ba32c7bc5ebdf5621be

SHA256
29ab9dc89cba53549b1a0240610fd0b61093b741932c0ac541c079493aefa0cf

SHA512
64ababa198ef33f181c1621bb79c50b8f6e2c951c9436918776814e6f511ed03bafbeb73c032da1806b25ef4ab0711da9ae3002b397a014e99b003f585cd2bb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37a2416513a8b70db222ae6ee9b36884

SHA1
dc0a5ad05ab2226c9e61cbc3eeb417d561bd875e

SHA256
dbab9c863b7c8571c12a0073c9b2bb9847d06deb80c7765ac2a71f3714e31b8d

SHA512
9babdc19c0ce7f13fd797ef3872116bd1020e281956d54449859440713c24e5e0b7e24314039a48febe7fe7d9eab354bd72db0138429de09f0b4e6f6c3c2897e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afb3662603310f4f9a83c999af0a526b

SHA1
fcbb302bab168662e834fe68b313fc962c3f3572

SHA256
0c4c239b9aa7a9f758107858d6858682d3e5fdb57ccce95749456cf31bd5f83e

SHA512
1d30baf753f9e4019536398fb8e2987e670f4be98304b3752d2c2f6911486c97f9a9d3907c92851b8e101817854f5552b8640cac94e6d04e8da0dd42f6d5f223

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11a0bdf321e546f5d821dfbe7aef60a8

SHA1
3f60e6e4573dc7bea74215928c403e3b0b1a2ced

SHA256
8c9af3410311a6a262c5dda2d14abd9c324ebf5e881050709c317c4a157c5b02

SHA512
f2ed68d979097423df3570de7c99039d8b43ad87e16c39013edc8cc23c07cccbd461557033d775b4211e31a005e51924b1f57d04e0a076d6cb1519ed993afde4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31968b73617b73bd8a716fd332baea95

SHA1
3fb732e8a20722f84a4b7055c25efc714acc8903

SHA256
3b1908a34803fc2f445d6189d48252e5129737177fa4659c208a430f5da86cfb

SHA512
1932a1df2967242074acb7b009a105e5382ccf04b8517be212e25c1301af5896b36457177cc62c9ae747e16fa746eb932c7b7b1e5aee149a4840ad55f7f4c683

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c25720a4ef57f52d12f4d06a8d98b392

SHA1
9d7a12b85f36b180d77532fea518bfb4ec6e72e7

SHA256
93b1ea4f9f5d728c23e72698a4832958f78dc1ef2de05bd43e05a2c3df1e083d

SHA512
ce33a5bd6339287f4303bf685d495a38622b69d57cb0c3fb888f66cc9ed2c35864aa078408665c8819c7f4a40771e8a27497db04dd596f25eb4b4b59a105fb08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b9512aeb2889e29284e4feb9af74e3a

SHA1
d4090eb489068f03ee20cf84e1650af248ea184d

SHA256
339a579d198e0bd931361a8ad90240f0c89b666fce0797f5635664dbea3361f4

SHA512
261bcf8de504e7b7fe276dd3e8780aa6ba672332b5996b8400ecd0eedb8a0bb84acfaa6ddf591bd8d3391c0627383230695f27e6d5864362fff8ae9772e9449b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e19f54cfd0264780208bad19d908f7d

SHA1
f27ff7f099c5830198c1d7b9e9ad7ce7aa87372f

SHA256
e9bcd4f00be43f23d5942edf0cd70e9112e7bc87cb0fa6015c1a314cfffad5a2

SHA512
54e20c98b4d7c6821028c2ccfe1d023327335735553c0340d0c29942fbc9d288de2862f4f88ee094f5f9006b5bc42d9ee15928f65f5ad4a9719134b7737098d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb93bdea2cafcb267da4bef45d8a89dc

SHA1
8764e525e052dedc7222bb1fa0e5827aea0ca7dd

SHA256
75aa26f2d5bf316168467fa147c882cc3a47cecddc4fdd8f19e500e54af01b12

SHA512
b1efae69362f4c4d837c312a7e8cd8753930beb25595f8115d38206f7fd544ed3dcd07d42ed5e37e26e2c8be61a21c04ce254939f9a769658458a73a68c82a84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

Filesize
406B

MD5
f2a17cab0066018a082bf9506065e361

SHA1
8d3e145f193a8d65d0e642c08b7bdd55d5ea207f

SHA256
628f17bcf1c7236681015a01c77f1b8652bf42852e220d26d65217b0e34deb5e

SHA512
58d7644eee65ffd4fd8b3aea44af7c6900fabaccb9f1587cd460903bc329c733503f91ebe1c96cd78ebf7adb78603418885ed8392e5a4876fbc43ad1ab0193cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_88B06D18F336F4573DA4CD16EEF01E99

Filesize
406B

MD5
15a43445ca2688030f416eb9fcd9ee78

SHA1
701d64e0a91c1d3875a5a489d5d35be5e2e284b2

SHA256
10c4a18b2a6c4e4c6ebdd7d95bec49638fc0c3a3d952038fafe4c2192597a661

SHA512
5053e5cd54f11668c0b0000a526125f2604c913137645aee4f8f6076d334b2a345e327f0d77eb7d3d59f5c9740e38b901745ce200e904c573c393b4b313a8380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f07b8f074e679ebabaefb5c9d931f2ec

SHA1
039ddcb29247ff716fa702fcb6331f469f380a56

SHA256
a4ef404ae7716948114f82a432bfe033b9d34637bf05098477c0aa9d128bade3

SHA512
d4c8f221ad3726941c894c1f37db53f21621f01ed9b82c00f11cf52ac70f6daff338b67d66ff2da4f2e7c6b13738d15f4a4b7f9ecd4e67e87a6dfc6ac08e6440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{315CF491-5FDE-11EE-90AA-FAEDD45E79E3}.dat

Filesize
5KB

MD5
64251f1b5e485168edfa477a50d61e2a

SHA1
a7227fb1900f695b13d5005127c5aa00557d696d

SHA256
998a5adb865948f5611012dbf0ae59cca9b99fc833e89e6becf7c90179092b31

SHA512
0a934beaf421431ad9f28bb71c83df004eff2c40e71dea7c83f28ce81aef7a054017fc5643999efdf507b1b73e0dae515544291b5b412cfee35743aacfb3c4e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5h7y85m\imagestore.dat

Filesize
5KB

MD5
97edc3e96c442b0c18a631959c19d6cb

SHA1
2e32da3c4df6a639f228e37dae88c88dd63ff320

SHA256
00770129543ce952b19960c2f6b56184942bc45750f515e3683448a7ff009922

SHA512
b6b3e46f90bd44872eb3b6621951ae5d04f78fea9d1fc9e5b593ee133d818b16c1cf177bd12057932384428aa6a1482f60aef4d2096e56d4372064444b55202c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5h7y85m\imagestore.dat

Filesize
9KB

MD5
b715a8ffd24e0a5b714cc9a8f93331f0

SHA1
ef79c021813e538e5c59bcf4c47c384a69eded60

SHA256
7c994f96d36fd6a1687e1c80d1b9299c9cc4d3de6b08d31a3a824a8bc4e35048

SHA512
2ea68d3426bc4804cf1cbdfdcd7c153e6b7ab923701ca299f1c39209962a6827a6d907acda29f6bab89ee12a072838102ffba918bdc88d92bfff4871414eb0fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7E9TXN45\hLRJ1GG_y0J[1].ico

Filesize
4KB

MD5
8cddca427dae9b925e73432f8733e05a

SHA1
1999a6f624a25cfd938eef6492d34fdc4f55dedc

SHA256
89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62

SHA512
20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7E9TXN45\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABGWT92S\favicon[2].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\93E6.exe

Filesize
1.0MB

MD5
26a94d3fea2244861be8140c6acb2b49

SHA1
de730504e44110a9f1923b858cd5ee2a3cd72cd2

SHA256
c9695798ea1e94e39d82b6624fec3f9aea38086b109de06a7e4bd3411e998fa9

SHA512
7b5515a581cfed0afbd99eef41315a82e0494a814dc16f989e1d14a65288d1c67c3f4a7d9892e68f499b8f6b6782b9da72a38887724fe744b532ff93854e1d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\93E6.exe

Filesize
1.0MB

MD5
26a94d3fea2244861be8140c6acb2b49

SHA1
de730504e44110a9f1923b858cd5ee2a3cd72cd2

SHA256
c9695798ea1e94e39d82b6624fec3f9aea38086b109de06a7e4bd3411e998fa9

SHA512
7b5515a581cfed0afbd99eef41315a82e0494a814dc16f989e1d14a65288d1c67c3f4a7d9892e68f499b8f6b6782b9da72a38887724fe744b532ff93854e1d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\94D1.exe

Filesize
276KB

MD5
8fcdd768668c750919704d83e48dc905

SHA1
5c346c0070b1916f34817ef6d70df45be7f6d72e

SHA256
943331c244cbbdccb54759760a2520be456ea2847878d5a61b6c1c239e758f06

SHA512
336dd28205785c3c57e9f70b598b2d1736f27906ffc88edf77b93dd20abf2f722e4d64cde67c0711702d61d7fbcda687569b6f95375e68bcd6c4a58675366563

Download Submit
C:\Users\Admin\AppData\Local\Temp\94D1.exe

Filesize
276KB

MD5
8fcdd768668c750919704d83e48dc905

SHA1
5c346c0070b1916f34817ef6d70df45be7f6d72e

SHA256
943331c244cbbdccb54759760a2520be456ea2847878d5a61b6c1c239e758f06

SHA512
336dd28205785c3c57e9f70b598b2d1736f27906ffc88edf77b93dd20abf2f722e4d64cde67c0711702d61d7fbcda687569b6f95375e68bcd6c4a58675366563

Download Submit
C:\Users\Admin\AppData\Local\Temp\96C5.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\96C5.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\9956.exe

Filesize
310KB

MD5
da21b103cbfa0cffc6beab2abcb5be8a

SHA1
a7f250d84b21f61d7b0f6c01e4986aff4a648a40

SHA256
7c3a088040cbd7895bc654dcc40cd0055758ac2e613d170afe04a547528fdc7b

SHA512
b4f02701f6ab3d3b84c68773f220b1089702c2e88ca17a1ec2e355706e41be88d363ac1e0fd9296eff239a4d2e710115ec8aff8c562b8512006ec176aa673b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\9956.exe

Filesize
310KB

MD5
da21b103cbfa0cffc6beab2abcb5be8a

SHA1
a7f250d84b21f61d7b0f6c01e4986aff4a648a40

SHA256
7c3a088040cbd7895bc654dcc40cd0055758ac2e613d170afe04a547528fdc7b

SHA512
b4f02701f6ab3d3b84c68773f220b1089702c2e88ca17a1ec2e355706e41be88d363ac1e0fd9296eff239a4d2e710115ec8aff8c562b8512006ec176aa673b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA2C7.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E5E1.exe

Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\E92D.exe

Filesize
341KB

MD5
53df0c8b56120e03e1657e366720ecd9

SHA1
a09ccc5dfa35fe46f1203e5e95c3025ff2f0930d

SHA256
bc3a7ba547b8a0f5cc6be6748eb9fa06ae2d09ca4b3c158add5e4868197c72ff

SHA512
b940864beb7a9d300173e98e343a7d21bef9b3aa48f3d198816b8e9909463f35354312ffb699893e27ef312504d1ddcad9288792ec2492086d3716d217c1011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

Filesize
325KB

MD5
67a1b31081ef62bb8ce59d0a1e56ff3a

SHA1
0ec0e4670ade51e1b6af30a2a05708266058eada

SHA256
8abea1edccaffa386797268d582bebd5a3ecc7cd93bd730f31b69e90d05f7745

SHA512
a94d12034135b3ab20a9529f7d7b20a20b6e09fa8ba3479d46c53ff8d2b4ff6c5cd15dd538c989ad2c513c17d26eecc385a3e3867aaa5b1c61bbbadc0dca5942

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

Filesize
325KB

MD5
67a1b31081ef62bb8ce59d0a1e56ff3a

SHA1
0ec0e4670ade51e1b6af30a2a05708266058eada

SHA256
8abea1edccaffa386797268d582bebd5a3ecc7cd93bd730f31b69e90d05f7745

SHA512
a94d12034135b3ab20a9529f7d7b20a20b6e09fa8ba3479d46c53ff8d2b4ff6c5cd15dd538c989ad2c513c17d26eecc385a3e3867aaa5b1c61bbbadc0dca5942

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9185365.exe

Filesize
931KB

MD5
48b1727650d180d5d2bfc51ea90108e4

SHA1
ad447f7fa768d276b2c5ee37574e93b8594778a3

SHA256
0d7b047cfcada969198aea6162c434d48cbacffec0e6bb06e2f9763275de053f

SHA512
8bc0dddd28bb7dcb45db83cdfa576a99e7cad70f1bc8f409e6b0f5480750b5b1a272a93b08e88581a2495e2e6924c5018110fc2bc1c6149cfe289bf905d46ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9185365.exe

Filesize
931KB

MD5
48b1727650d180d5d2bfc51ea90108e4

SHA1
ad447f7fa768d276b2c5ee37574e93b8594778a3

SHA256
0d7b047cfcada969198aea6162c434d48cbacffec0e6bb06e2f9763275de053f

SHA512
8bc0dddd28bb7dcb45db83cdfa576a99e7cad70f1bc8f409e6b0f5480750b5b1a272a93b08e88581a2495e2e6924c5018110fc2bc1c6149cfe289bf905d46ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3490328.exe

Filesize
748KB

MD5
fc728d6abd04be5401735385b82706b6

SHA1
a5a74781b9a768ef30fa1ba7b890f6049da51352

SHA256
ab2eadf977f954413b51fa720a749cce15d84aca42ff12b674e7a1599f014cf1

SHA512
69007ea0c967734e6995c0dfcdbb0ddbd59cf91518cb61e492af3380f6c9863e51983e994ca589755e76634b7885bdb395236213685108a4240c22b76e8166b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3490328.exe

Filesize
748KB

MD5
fc728d6abd04be5401735385b82706b6

SHA1
a5a74781b9a768ef30fa1ba7b890f6049da51352

SHA256
ab2eadf977f954413b51fa720a749cce15d84aca42ff12b674e7a1599f014cf1

SHA512
69007ea0c967734e6995c0dfcdbb0ddbd59cf91518cb61e492af3380f6c9863e51983e994ca589755e76634b7885bdb395236213685108a4240c22b76e8166b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x9179884.exe

Filesize
516KB

MD5
3559853a0486dfc73dddbacbdd7d168d

SHA1
192df594266e7782acbfed0a51e7720a3f48a237

SHA256
3d2f43acbd43a31276d831a5f12aa6c89c353673bb044c8d4f6c8db0399f4ed6

SHA512
b7c5efc5db4cf3ff85d58e5bc055980f24a4c0646ce8ee2be3fa1a07ae4397e48bd91758566d751075cbdbb16cb6e826e4a599f042337571a57e26feb2bc11c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x9179884.exe

Filesize
516KB

MD5
3559853a0486dfc73dddbacbdd7d168d

SHA1
192df594266e7782acbfed0a51e7720a3f48a237

SHA256
3d2f43acbd43a31276d831a5f12aa6c89c353673bb044c8d4f6c8db0399f4ed6

SHA512
b7c5efc5db4cf3ff85d58e5bc055980f24a4c0646ce8ee2be3fa1a07ae4397e48bd91758566d751075cbdbb16cb6e826e4a599f042337571a57e26feb2bc11c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\x1354664.exe

Filesize
350KB

MD5
b86a7ec2d00b6390007a92ce3e6e2fdf

SHA1
f204601ad9af77f5f89e583465cfa208315b1fb6

SHA256
b79cb93c8cc1b40b43cdbbed584d00cb8966a9892bb506f820dafe6b05a33c6f

SHA512
58e29caa58fa3b6cd4e3f9e22449ed67288ce7c936eefac9ea2498b909b8f858616caf197769c86daca64d82c76ebc2f7ba86a9fba45628ee57daf8f5db179b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\x1354664.exe

Filesize
350KB

MD5
b86a7ec2d00b6390007a92ce3e6e2fdf

SHA1
f204601ad9af77f5f89e583465cfa208315b1fb6

SHA256
b79cb93c8cc1b40b43cdbbed584d00cb8966a9892bb506f820dafe6b05a33c6f

SHA512
58e29caa58fa3b6cd4e3f9e22449ed67288ce7c936eefac9ea2498b909b8f858616caf197769c86daca64d82c76ebc2f7ba86a9fba45628ee57daf8f5db179b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA394.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
\Users\Admin\AppData\Local\Temp\93E6.exe

Filesize
1.0MB

MD5
26a94d3fea2244861be8140c6acb2b49

SHA1
de730504e44110a9f1923b858cd5ee2a3cd72cd2

SHA256
c9695798ea1e94e39d82b6624fec3f9aea38086b109de06a7e4bd3411e998fa9

SHA512
7b5515a581cfed0afbd99eef41315a82e0494a814dc16f989e1d14a65288d1c67c3f4a7d9892e68f499b8f6b6782b9da72a38887724fe744b532ff93854e1d65

Download Submit
\Users\Admin\AppData\Local\Temp\94D1.exe

Filesize
276KB

MD5
8fcdd768668c750919704d83e48dc905

SHA1
5c346c0070b1916f34817ef6d70df45be7f6d72e

SHA256
943331c244cbbdccb54759760a2520be456ea2847878d5a61b6c1c239e758f06

SHA512
336dd28205785c3c57e9f70b598b2d1736f27906ffc88edf77b93dd20abf2f722e4d64cde67c0711702d61d7fbcda687569b6f95375e68bcd6c4a58675366563

Download Submit
\Users\Admin\AppData\Local\Temp\94D1.exe

Filesize
276KB

MD5
8fcdd768668c750919704d83e48dc905

SHA1
5c346c0070b1916f34817ef6d70df45be7f6d72e

SHA256
943331c244cbbdccb54759760a2520be456ea2847878d5a61b6c1c239e758f06

SHA512
336dd28205785c3c57e9f70b598b2d1736f27906ffc88edf77b93dd20abf2f722e4d64cde67c0711702d61d7fbcda687569b6f95375e68bcd6c4a58675366563

Download Submit
\Users\Admin\AppData\Local\Temp\94D1.exe

Filesize
276KB

MD5
8fcdd768668c750919704d83e48dc905

SHA1
5c346c0070b1916f34817ef6d70df45be7f6d72e

SHA256
943331c244cbbdccb54759760a2520be456ea2847878d5a61b6c1c239e758f06

SHA512
336dd28205785c3c57e9f70b598b2d1736f27906ffc88edf77b93dd20abf2f722e4d64cde67c0711702d61d7fbcda687569b6f95375e68bcd6c4a58675366563

Download Submit
\Users\Admin\AppData\Local\Temp\94D1.exe

Filesize
276KB

MD5
8fcdd768668c750919704d83e48dc905

SHA1
5c346c0070b1916f34817ef6d70df45be7f6d72e

SHA256
943331c244cbbdccb54759760a2520be456ea2847878d5a61b6c1c239e758f06

SHA512
336dd28205785c3c57e9f70b598b2d1736f27906ffc88edf77b93dd20abf2f722e4d64cde67c0711702d61d7fbcda687569b6f95375e68bcd6c4a58675366563

Download Submit
\Users\Admin\AppData\Local\Temp\9956.exe

Filesize
310KB

MD5
da21b103cbfa0cffc6beab2abcb5be8a

SHA1
a7f250d84b21f61d7b0f6c01e4986aff4a648a40

SHA256
7c3a088040cbd7895bc654dcc40cd0055758ac2e613d170afe04a547528fdc7b

SHA512
b4f02701f6ab3d3b84c68773f220b1089702c2e88ca17a1ec2e355706e41be88d363ac1e0fd9296eff239a4d2e710115ec8aff8c562b8512006ec176aa673b90

Download Submit
\Users\Admin\AppData\Local\Temp\9956.exe

Filesize
310KB

MD5
da21b103cbfa0cffc6beab2abcb5be8a

SHA1
a7f250d84b21f61d7b0f6c01e4986aff4a648a40

SHA256
7c3a088040cbd7895bc654dcc40cd0055758ac2e613d170afe04a547528fdc7b

SHA512
b4f02701f6ab3d3b84c68773f220b1089702c2e88ca17a1ec2e355706e41be88d363ac1e0fd9296eff239a4d2e710115ec8aff8c562b8512006ec176aa673b90

Download Submit
\Users\Admin\AppData\Local\Temp\9956.exe

Filesize
310KB

MD5
da21b103cbfa0cffc6beab2abcb5be8a

SHA1
a7f250d84b21f61d7b0f6c01e4986aff4a648a40

SHA256
7c3a088040cbd7895bc654dcc40cd0055758ac2e613d170afe04a547528fdc7b

SHA512
b4f02701f6ab3d3b84c68773f220b1089702c2e88ca17a1ec2e355706e41be88d363ac1e0fd9296eff239a4d2e710115ec8aff8c562b8512006ec176aa673b90

Download Submit
\Users\Admin\AppData\Local\Temp\9956.exe

Filesize
310KB

MD5
da21b103cbfa0cffc6beab2abcb5be8a

SHA1
a7f250d84b21f61d7b0f6c01e4986aff4a648a40

SHA256
7c3a088040cbd7895bc654dcc40cd0055758ac2e613d170afe04a547528fdc7b

SHA512
b4f02701f6ab3d3b84c68773f220b1089702c2e88ca17a1ec2e355706e41be88d363ac1e0fd9296eff239a4d2e710115ec8aff8c562b8512006ec176aa673b90

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

Filesize
325KB

MD5
67a1b31081ef62bb8ce59d0a1e56ff3a

SHA1
0ec0e4670ade51e1b6af30a2a05708266058eada

SHA256
8abea1edccaffa386797268d582bebd5a3ecc7cd93bd730f31b69e90d05f7745

SHA512
a94d12034135b3ab20a9529f7d7b20a20b6e09fa8ba3479d46c53ff8d2b4ff6c5cd15dd538c989ad2c513c17d26eecc385a3e3867aaa5b1c61bbbadc0dca5942

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3347808.exe

Filesize
325KB

MD5
67a1b31081ef62bb8ce59d0a1e56ff3a

SHA1
0ec0e4670ade51e1b6af30a2a05708266058eada

SHA256
8abea1edccaffa386797268d582bebd5a3ecc7cd93bd730f31b69e90d05f7745

SHA512
a94d12034135b3ab20a9529f7d7b20a20b6e09fa8ba3479d46c53ff8d2b4ff6c5cd15dd538c989ad2c513c17d26eecc385a3e3867aaa5b1c61bbbadc0dca5942

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5934857.exe

Filesize
166KB

MD5
2a9c0887c124fefda2d88716a3746b5b

SHA1
0b42239384e6d76bf3fc728f00d7b3462c98d40a

SHA256
2255adc341fea412cac0201d71655709ad06af82dfa0c861f8a38f76f0559145

SHA512
4b769fcfa9bc3fe84fb6b096e72ff74dde87f3391557bc68e9babe00dd458d0f70070defec40aaace0164156d5656005496043cdf324be0071f029aa9e1f2c09

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9185365.exe

Filesize
931KB

MD5
48b1727650d180d5d2bfc51ea90108e4

SHA1
ad447f7fa768d276b2c5ee37574e93b8594778a3

SHA256
0d7b047cfcada969198aea6162c434d48cbacffec0e6bb06e2f9763275de053f

SHA512
8bc0dddd28bb7dcb45db83cdfa576a99e7cad70f1bc8f409e6b0f5480750b5b1a272a93b08e88581a2495e2e6924c5018110fc2bc1c6149cfe289bf905d46ed7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9185365.exe

Filesize
931KB

MD5
48b1727650d180d5d2bfc51ea90108e4

SHA1
ad447f7fa768d276b2c5ee37574e93b8594778a3

SHA256
0d7b047cfcada969198aea6162c434d48cbacffec0e6bb06e2f9763275de053f

SHA512
8bc0dddd28bb7dcb45db83cdfa576a99e7cad70f1bc8f409e6b0f5480750b5b1a272a93b08e88581a2495e2e6924c5018110fc2bc1c6149cfe289bf905d46ed7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3490328.exe

Filesize
748KB

MD5
fc728d6abd04be5401735385b82706b6

SHA1
a5a74781b9a768ef30fa1ba7b890f6049da51352

SHA256
ab2eadf977f954413b51fa720a749cce15d84aca42ff12b674e7a1599f014cf1

SHA512
69007ea0c967734e6995c0dfcdbb0ddbd59cf91518cb61e492af3380f6c9863e51983e994ca589755e76634b7885bdb395236213685108a4240c22b76e8166b3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3490328.exe

Filesize
748KB

MD5
fc728d6abd04be5401735385b82706b6

SHA1
a5a74781b9a768ef30fa1ba7b890f6049da51352

SHA256
ab2eadf977f954413b51fa720a749cce15d84aca42ff12b674e7a1599f014cf1

SHA512
69007ea0c967734e6995c0dfcdbb0ddbd59cf91518cb61e492af3380f6c9863e51983e994ca589755e76634b7885bdb395236213685108a4240c22b76e8166b3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\x9179884.exe

Filesize
516KB

MD5
3559853a0486dfc73dddbacbdd7d168d

SHA1
192df594266e7782acbfed0a51e7720a3f48a237

SHA256
3d2f43acbd43a31276d831a5f12aa6c89c353673bb044c8d4f6c8db0399f4ed6

SHA512
b7c5efc5db4cf3ff85d58e5bc055980f24a4c0646ce8ee2be3fa1a07ae4397e48bd91758566d751075cbdbb16cb6e826e4a599f042337571a57e26feb2bc11c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\x9179884.exe

Filesize
516KB

MD5
3559853a0486dfc73dddbacbdd7d168d

SHA1
192df594266e7782acbfed0a51e7720a3f48a237

SHA256
3d2f43acbd43a31276d831a5f12aa6c89c353673bb044c8d4f6c8db0399f4ed6

SHA512
b7c5efc5db4cf3ff85d58e5bc055980f24a4c0646ce8ee2be3fa1a07ae4397e48bd91758566d751075cbdbb16cb6e826e4a599f042337571a57e26feb2bc11c7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP005.TMP\x1354664.exe

Filesize
350KB

MD5
b86a7ec2d00b6390007a92ce3e6e2fdf

SHA1
f204601ad9af77f5f89e583465cfa208315b1fb6

SHA256
b79cb93c8cc1b40b43cdbbed584d00cb8966a9892bb506f820dafe6b05a33c6f

SHA512
58e29caa58fa3b6cd4e3f9e22449ed67288ce7c936eefac9ea2498b909b8f858616caf197769c86daca64d82c76ebc2f7ba86a9fba45628ee57daf8f5db179b7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP005.TMP\x1354664.exe

Filesize
350KB

MD5
b86a7ec2d00b6390007a92ce3e6e2fdf

SHA1
f204601ad9af77f5f89e583465cfa208315b1fb6

SHA256
b79cb93c8cc1b40b43cdbbed584d00cb8966a9892bb506f820dafe6b05a33c6f

SHA512
58e29caa58fa3b6cd4e3f9e22449ed67288ce7c936eefac9ea2498b909b8f858616caf197769c86daca64d82c76ebc2f7ba86a9fba45628ee57daf8f5db179b7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP006.TMP\g0286977.exe

Filesize
276KB

MD5
36e2da51b07559373a2086a3782677f2

SHA1
df3d784f80514b0f2a21e1ea3c811c582303eba1

SHA256
d6c56fac3d2b69bad7589bb1b4d2ecc790e918c0cf0733065ed8c20160c53f5d

SHA512
5cd2dca321c4b672603350844c4ea4f67507b8db42fe65936f466a94944c95a49c53cf68e50573abd8fe295a86031513df1759ee80889e31c59b77f595bbb11f

Download Submit
\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
\Users\Admin\AppData\Local\Temp\ss41.exe

Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
memory/652-1147-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/652-1145-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/652-1116-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/652-1175-0x000007FEF56C0000-0x000007FEF60AC000-memory.dmp

Filesize
9.9MB

Download
memory/652-1178-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/908-1374-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/908-1382-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1060-1186-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1060-1177-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1060-1176-0x0000000004260000-0x0000000004658000-memory.dmp

Filesize
4.0MB

Download
memory/1060-1173-0x0000000004260000-0x0000000004658000-memory.dmp

Filesize
4.0MB

Download
memory/1272-32-0x00000000029C0000-0x00000000029D6000-memory.dmp

Filesize
88KB

Download
memory/1272-1119-0x0000000003E70000-0x0000000003E86000-memory.dmp

Filesize
88KB

Download
memory/1372-995-0x0000000000272000-0x0000000000285000-memory.dmp

Filesize
76KB

Download
memory/1372-996-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download
memory/1524-1019-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-993-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1524-988-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1524-1120-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1584-1154-0x0000000003660000-0x0000000003791000-memory.dmp

Filesize
1.2MB

Download
memory/1584-1187-0x0000000003660000-0x0000000003791000-memory.dmp

Filesize
1.2MB

Download
memory/1584-967-0x00000000FFC10000-0x00000000FFC7A000-memory.dmp

Filesize
424KB

Download
memory/1584-1153-0x00000000034E0000-0x0000000003651000-memory.dmp

Filesize
1.4MB

Download
memory/1704-1210-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1704-1201-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1764-1097-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1764-1169-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1788-1021-0x00000000707F0000-0x0000000070EDE000-memory.dmp

Filesize
6.9MB

Download
memory/1788-1095-0x00000000707F0000-0x0000000070EDE000-memory.dmp

Filesize
6.9MB

Download
memory/1788-997-0x0000000000D70000-0x0000000000EE4000-memory.dmp

Filesize
1.5MB

Download
memory/1892-1157-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1892-1158-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1892-1020-0x0000000004930000-0x000000000521B000-memory.dmp

Filesize
8.9MB

Download
memory/1892-1171-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1892-990-0x0000000004530000-0x0000000004928000-memory.dmp

Filesize
4.0MB

Download
memory/1892-1008-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1892-1018-0x0000000004530000-0x0000000004928000-memory.dmp

Filesize
4.0MB

Download
memory/2036-1150-0x0000000000F10000-0x0000000001101000-memory.dmp

Filesize
1.9MB

Download
memory/2036-1163-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2036-1159-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2036-1149-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2036-1146-0x0000000000F10000-0x0000000001101000-memory.dmp

Filesize
1.9MB

Download
memory/2244-1329-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1194-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1333-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1363-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1296-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1272-0x0000000004220000-0x0000000004618000-memory.dmp

Filesize
4.0MB

Download
memory/2244-1367-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1185-0x0000000004220000-0x0000000004618000-memory.dmp

Filesize
4.0MB

Download
memory/2244-1188-0x0000000004220000-0x0000000004618000-memory.dmp

Filesize
4.0MB

Download
memory/2244-1373-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1273-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1385-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2244-1292-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2432-1172-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2432-1189-0x0000000003890000-0x0000000003A81000-memory.dmp

Filesize
1.9MB

Download
memory/2432-1148-0x0000000003890000-0x0000000003A81000-memory.dmp

Filesize
1.9MB

Download
memory/2432-1179-0x0000000003890000-0x0000000003A81000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1191-0x0000000000C00000-0x0000000000DF1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1344-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1386-0x00000000029C0000-0x0000000002A09000-memory.dmp

Filesize
292KB

Download
memory/2484-1381-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1376-0x00000000029C0000-0x0000000002A09000-memory.dmp

Filesize
292KB

Download
memory/2484-1164-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1279-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1193-0x0000000000C00000-0x0000000000DF1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1368-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1297-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1174-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1165-0x0000000000C00000-0x0000000000DF1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1330-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1364-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2484-1166-0x0000000000C00000-0x0000000000DF1000-memory.dmp

Filesize
1.9MB

Download
memory/2812-998-0x00000000707F0000-0x0000000070EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2812-1274-0x00000000707F0000-0x0000000070EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2812-1068-0x00000000072A0000-0x00000000072E0000-memory.dmp

Filesize
256KB

Download
memory/2812-992-0x0000000001090000-0x00000000010EA000-memory.dmp

Filesize
360KB

Download
memory/2812-1161-0x00000000707F0000-0x0000000070EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2812-1170-0x00000000072A0000-0x00000000072E0000-memory.dmp

Filesize
256KB

Download
memory/2852-1379-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2852-1389-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2920-1167-0x000000013FEE0000-0x0000000140410000-memory.dmp

Filesize
5.2MB

Download
memory/2920-1196-0x000000013FEE0000-0x0000000140410000-memory.dmp

Filesize
5.2MB

Download
memory/3064-24-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3064-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3064-26-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3064-33-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3064-27-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3064-23-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download