glupteba | a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42

Analysis

max time kernel
137s
max time network
189s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe
Size

239KB
MD5

3240f8928a130bb155571570c563200a
SHA1

aa621ddde551f7e0dbeed157ab1eac3f1906f493
SHA256

a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42
SHA512

e7c357e54b7768f1a66e0dabe2c604afe3765eb858f8b4e5751659a4b373b10fb6cc1dc72641aabf83e34d097f28fa70a78482310ecd93e9aa0347378bde409b
SSDEEP

6144:dMcz8EQnRrxT5t9kFIndDK4lY4xohYA1au77C0G:dM7XnPz9uIgGLxoSA06

Score

10^/10

glupteba privateloader discovery dropper evasion loader persistence spyware stealer trojan upx vmprotect

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

resource	yara_rule
behavioral1/memory/1960-221-0x0000000002B70000-0x000000000345B000-memory.dmp	family_glupteba
behavioral1/memory/1960-226-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2080-253-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1960-258-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1960-292-0x0000000002B70000-0x000000000345B000-memory.dmp	family_glupteba
behavioral1/memory/1960-297-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2080-299-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1668-309-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1576-310-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1668-350-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1920-357-0x0000000002A90000-0x000000000337B000-memory.dmp	family_glupteba
behavioral1/memory/1576-358-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1920-366-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1920-379-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1920-405-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 980 created 1328	980	1IGVLQgrJ09TAD4PM3tN5H2b.exe	7
PID 980 created 1328	980	1IGVLQgrJ09TAD4PM3tN5H2b.exe	7
PID 980 created 1328	980	1IGVLQgrJ09TAD4PM3tN5H2b.exe	7
PID 980 created 1328	980	1IGVLQgrJ09TAD4PM3tN5H2b.exe	7
PID 980 created 1328	980	1IGVLQgrJ09TAD4PM3tN5H2b.exe	7
PID 980 created 1328	980	1IGVLQgrJ09TAD4PM3tN5H2b.exe	7
PID 1168 created 1328	1168	updater.exe	7
PID 1168 created 1328	1168	updater.exe	7
PID 1168 created 1328	1168	updater.exe	7
PID 1168 created 1328	1168	updater.exe	7
PID 1168 created 1328	1168	updater.exe	7
PID 1168 created 1328	1168	updater.exe	7

Windows security bypass 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7NC866HmUTcrVKlxdN8JG7y6.exe = "0"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Z3k2JRXNcKIghSHyuXdadUv0.exe = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	1IGVLQgrJ09TAD4PM3tN5H2b.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
1756	netsh.exe
1112	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\International\Geo\Nation	9ApFpnMQMyAA4uHIhm7d6BE9.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wHQTgz3OjlxkcNik92IZRpx9.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6aer9fgjiur0A0P5ykcjZ4gt.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnzCaGQEHuhbbb2R7GmxAB3G.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fzTxCuAAYGWzDggtxA7nFYtL.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k85BjvQvoZxcV9O4Y9JJ9Jv2.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bxRCh61MtrU7lQAnJ5CSjFam.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AwGqWMquPpqTUzu2rn5V2fZq.bat	AddInProcess32.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nvWcWO1LIqbYEgK9mKwvp4Al.bat	AddInProcess32.exe

Executes dropped EXE 13 IoCs

pid	Process
1960	Z3k2JRXNcKIghSHyuXdadUv0.exe
2080	7NC866HmUTcrVKlxdN8JG7y6.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
576	EwgL0q7bMFGQRsZ9rEy75TIH.exe
828	2QCSTHK7Q0pJKcAK9aIKzrIV.exe
1416	4GzAqKrH5PXPVqhV17myBrWI.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1668	Z3k2JRXNcKIghSHyuXdadUv0.exe
1576	7NC866HmUTcrVKlxdN8JG7y6.exe
1168	updater.exe
1920	csrss.exe
672	injector.exe
2244	patch.exe

Loads dropped DLL 21 IoCs

pid	Process
1436	AddInProcess32.exe
1436	AddInProcess32.exe
1436	AddInProcess32.exe
1436	AddInProcess32.exe
1436	AddInProcess32.exe
1436	AddInProcess32.exe
1436	AddInProcess32.exe
1436	AddInProcess32.exe
828	2QCSTHK7Q0pJKcAK9aIKzrIV.exe
1436	AddInProcess32.exe
828	2QCSTHK7Q0pJKcAK9aIKzrIV.exe
468	Process not Found
1668	Z3k2JRXNcKIghSHyuXdadUv0.exe
1668	Z3k2JRXNcKIghSHyuXdadUv0.exe
1920	csrss.exe
848	Process not Found
2244	patch.exe
2244	patch.exe
2244	patch.exe
2244	patch.exe
2244	patch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014493-193.dat	upx
behavioral1/memory/1436-196-0x000000000BEC0000-0x000000000C40D000-memory.dmp	upx
behavioral1/files/0x0006000000014493-200.dat	upx
behavioral1/files/0x0006000000014493-199.dat	upx
behavioral1/memory/828-202-0x0000000000D40000-0x000000000128D000-memory.dmp	upx
behavioral1/memory/828-225-0x0000000000D40000-0x000000000128D000-memory.dmp	upx
behavioral1/memory/828-231-0x0000000000D40000-0x000000000128D000-memory.dmp	upx
behavioral1/files/0x0006000000014493-270.dat	upx
behavioral1/memory/828-363-0x0000000000D40000-0x000000000128D000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000600000001461a-236.dat	vmprotect
behavioral1/files/0x000600000001461a-234.dat	vmprotect
behavioral1/memory/1456-237-0x000000013F410000-0x000000013FADF000-memory.dmp	vmprotect
behavioral1/files/0x000600000001461a-271.dat	vmprotect

Windows security modification 2 TTPs 8 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Z3k2JRXNcKIghSHyuXdadUv0.exe = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7NC866HmUTcrVKlxdN8JG7y6.exe = "0"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Z3k2JRXNcKIghSHyuXdadUv0.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Z3k2JRXNcKIghSHyuXdadUv0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	7NC866HmUTcrVKlxdN8JG7y6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	api.myip.com
41	api.myip.com
43	ipinfo.io
44	ipinfo.io

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	9ApFpnMQMyAA4uHIhm7d6BE9.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	9ApFpnMQMyAA4uHIhm7d6BE9.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	9ApFpnMQMyAA4uHIhm7d6BE9.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	9ApFpnMQMyAA4uHIhm7d6BE9.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2184 set thread context of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 576 set thread context of 2968	576	EwgL0q7bMFGQRsZ9rEy75TIH.exe	78
PID 1168 set thread context of 2348	1168	updater.exe	95
PID 1168 set thread context of 1876	1168	updater.exe	96

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	7NC866HmUTcrVKlxdN8JG7y6.exe
File opened (read-only)	\??\VBoxMiniRdrDN	Z3k2JRXNcKIghSHyuXdadUv0.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	1IGVLQgrJ09TAD4PM3tN5H2b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	Z3k2JRXNcKIghSHyuXdadUv0.exe
File opened for modification	C:\Windows\rss	7NC866HmUTcrVKlxdN8JG7y6.exe
File created	C:\Windows\rss\csrss.exe	7NC866HmUTcrVKlxdN8JG7y6.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231012192831.cab	makecab.exe
File opened for modification	C:\Windows\rss	Z3k2JRXNcKIghSHyuXdadUv0.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2112	sc.exe
2968	sc.exe
992	sc.exe
1100	sc.exe
2476	sc.exe
2624	sc.exe
2388	sc.exe
736	sc.exe
2072	sc.exe
1952	sc.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1056	schtasks.exe
1816	schtasks.exe
1152	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	7NC866HmUTcrVKlxdN8JG7y6.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	9ApFpnMQMyAA4uHIhm7d6BE9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9ApFpnMQMyAA4uHIhm7d6BE9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	9ApFpnMQMyAA4uHIhm7d6BE9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	9ApFpnMQMyAA4uHIhm7d6BE9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	9ApFpnMQMyAA4uHIhm7d6BE9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
1880	powershell.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
1456	9ApFpnMQMyAA4uHIhm7d6BE9.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
1960	Z3k2JRXNcKIghSHyuXdadUv0.exe
2080	7NC866HmUTcrVKlxdN8JG7y6.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
980	1IGVLQgrJ09TAD4PM3tN5H2b.exe
1576	7NC866HmUTcrVKlxdN8JG7y6.exe
1576	7NC866HmUTcrVKlxdN8JG7y6.exe
1576	7NC866HmUTcrVKlxdN8JG7y6.exe
1576	7NC866HmUTcrVKlxdN8JG7y6.exe
1576	7NC866HmUTcrVKlxdN8JG7y6.exe
1668	Z3k2JRXNcKIghSHyuXdadUv0.exe
1668	Z3k2JRXNcKIghSHyuXdadUv0.exe
1668	Z3k2JRXNcKIghSHyuXdadUv0.exe
1668	Z3k2JRXNcKIghSHyuXdadUv0.exe
1668	Z3k2JRXNcKIghSHyuXdadUv0.exe
1168	updater.exe
1168	updater.exe
2948	powershell.exe
1168	updater.exe
1168	updater.exe
2968	RegSvcs.exe
2968	RegSvcs.exe
1168	updater.exe
1168	updater.exe
1168	updater.exe
1168	updater.exe
1168	updater.exe
1168	updater.exe
1168	updater.exe
1168	updater.exe
2968	RegSvcs.exe
2968	RegSvcs.exe
2968	RegSvcs.exe
2968	RegSvcs.exe
2968	RegSvcs.exe
2968	RegSvcs.exe
672	injector.exe
1876	explorer.exe
672	injector.exe
1876	explorer.exe
2968	RegSvcs.exe
2968	RegSvcs.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	AddInProcess32.exe
Token: SeDebugPrivilege	576	EwgL0q7bMFGQRsZ9rEy75TIH.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1416	4GzAqKrH5PXPVqhV17myBrWI.exe
Token: SeShutdownPrivilege	2864	powercfg.exe
Token: SeShutdownPrivilege	2824	powercfg.exe
Token: SeShutdownPrivilege	2932	powercfg.exe
Token: SeShutdownPrivilege	2712	powercfg.exe
Token: SeDebugPrivilege	1960	Z3k2JRXNcKIghSHyuXdadUv0.exe
Token: SeImpersonatePrivilege	1960	Z3k2JRXNcKIghSHyuXdadUv0.exe
Token: SeDebugPrivilege	2080	7NC866HmUTcrVKlxdN8JG7y6.exe
Token: SeImpersonatePrivilege	2080	7NC866HmUTcrVKlxdN8JG7y6.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeShutdownPrivilege	856	powercfg.exe
Token: SeShutdownPrivilege	1804	powercfg.exe
Token: SeShutdownPrivilege	1848	powercfg.exe
Token: SeShutdownPrivilege	596	powercfg.exe
Token: SeDebugPrivilege	1168	updater.exe
Token: SeLockMemoryPrivilege	1876	explorer.exe
Token: SeSystemEnvironmentPrivilege	1920	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 2184 wrote to memory of 1436	2184	a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe	29
PID 1436 wrote to memory of 1960	1436	AddInProcess32.exe	30
PID 1436 wrote to memory of 1960	1436	AddInProcess32.exe	30
PID 1436 wrote to memory of 1960	1436	AddInProcess32.exe	30
PID 1436 wrote to memory of 1960	1436	AddInProcess32.exe	30
PID 1436 wrote to memory of 2080	1436	AddInProcess32.exe	31
PID 1436 wrote to memory of 2080	1436	AddInProcess32.exe	31
PID 1436 wrote to memory of 2080	1436	AddInProcess32.exe	31
PID 1436 wrote to memory of 2080	1436	AddInProcess32.exe	31
PID 1436 wrote to memory of 980	1436	AddInProcess32.exe	32
PID 1436 wrote to memory of 980	1436	AddInProcess32.exe	32
PID 1436 wrote to memory of 980	1436	AddInProcess32.exe	32
PID 1436 wrote to memory of 980	1436	AddInProcess32.exe	32
PID 1436 wrote to memory of 576	1436	AddInProcess32.exe	33
PID 1436 wrote to memory of 576	1436	AddInProcess32.exe	33
PID 1436 wrote to memory of 576	1436	AddInProcess32.exe	33
PID 1436 wrote to memory of 576	1436	AddInProcess32.exe	33
PID 1436 wrote to memory of 828	1436	AddInProcess32.exe	34
PID 1436 wrote to memory of 828	1436	AddInProcess32.exe	34
PID 1436 wrote to memory of 828	1436	AddInProcess32.exe	34
PID 1436 wrote to memory of 828	1436	AddInProcess32.exe	34
PID 1436 wrote to memory of 828	1436	AddInProcess32.exe	34
PID 1436 wrote to memory of 828	1436	AddInProcess32.exe	34
PID 1436 wrote to memory of 828	1436	AddInProcess32.exe	34
PID 1436 wrote to memory of 1416	1436	AddInProcess32.exe	35
PID 1436 wrote to memory of 1416	1436	AddInProcess32.exe	35
PID 1436 wrote to memory of 1416	1436	AddInProcess32.exe	35
PID 1436 wrote to memory of 1416	1436	AddInProcess32.exe	35
PID 1436 wrote to memory of 1456	1436	AddInProcess32.exe	39
PID 1436 wrote to memory of 1456	1436	AddInProcess32.exe	39
PID 1436 wrote to memory of 1456	1436	AddInProcess32.exe	39
PID 1436 wrote to memory of 1456	1436	AddInProcess32.exe	39
PID 1696 wrote to memory of 2072	1696	cmd.exe	43
PID 1696 wrote to memory of 2072	1696	cmd.exe	43
PID 1696 wrote to memory of 2072	1696	cmd.exe	43
PID 1696 wrote to memory of 2624	1696	cmd.exe	44
PID 1696 wrote to memory of 2624	1696	cmd.exe	44
PID 1696 wrote to memory of 2624	1696	cmd.exe	44
PID 1696 wrote to memory of 2388	1696	cmd.exe	46
PID 1696 wrote to memory of 2388	1696	cmd.exe	46
PID 1696 wrote to memory of 2388	1696	cmd.exe	46
PID 1696 wrote to memory of 2112	1696	cmd.exe	47
PID 1696 wrote to memory of 2112	1696	cmd.exe	47
PID 1696 wrote to memory of 2112	1696	cmd.exe	47
PID 1696 wrote to memory of 2968	1696	cmd.exe	48
PID 1696 wrote to memory of 2968	1696	cmd.exe	48
PID 1696 wrote to memory of 2968	1696	cmd.exe	48
PID 2800 wrote to memory of 2864	2800	cmd.exe	56
PID 2800 wrote to memory of 2864	2800	cmd.exe	56
PID 2800 wrote to memory of 2864	2800	cmd.exe	56
PID 2800 wrote to memory of 2824	2800	cmd.exe	57
PID 2800 wrote to memory of 2824	2800	cmd.exe	57
PID 2800 wrote to memory of 2824	2800	cmd.exe	57
PID 2800 wrote to memory of 2932	2800	cmd.exe	60
PID 2800 wrote to memory of 2932	2800	cmd.exe	60
PID 2800 wrote to memory of 2932	2800	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a12c63a33382720b5ce010cc050106c3909316477b956ca8c17f4a1f6ca6aa42_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe
    "C:\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1960
  - - C:\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe
      "C:\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:1668
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1056
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1112
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1816
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:680
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:672
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2244
- - C:\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe
    "C:\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
  - - C:\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe
      "C:\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:1576
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1508
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1756
- - C:\Users\Admin\Pictures\1IGVLQgrJ09TAD4PM3tN5H2b.exe
    "C:\Users\Admin\Pictures\1IGVLQgrJ09TAD4PM3tN5H2b.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:980
- - C:\Users\Admin\Pictures\EwgL0q7bMFGQRsZ9rEy75TIH.exe
    "C:\Users\Admin\Pictures\EwgL0q7bMFGQRsZ9rEy75TIH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2968
- - C:\Users\Admin\Pictures\2QCSTHK7Q0pJKcAK9aIKzrIV.exe
    "C:\Users\Admin\Pictures\2QCSTHK7Q0pJKcAK9aIKzrIV.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:828
- - C:\Users\Admin\Pictures\4GzAqKrH5PXPVqhV17myBrWI.exe
    "C:\Users\Admin\Pictures\4GzAqKrH5PXPVqhV17myBrWI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Users\Admin\Pictures\9ApFpnMQMyAA4uHIhm7d6BE9.exe
    "C:\Users\Admin\Pictures\9ApFpnMQMyAA4uHIhm7d6BE9.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:1456

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2072
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2624
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2388
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2112
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2968
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1736
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1152
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3068
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1952
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:992
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:736
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1100
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2476
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1720
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:596
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1056
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:2348
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231012192831.log C:\Windows\Logs\CBS\CbsPersist_20231012192831.cab
1⤵
- Drops file in Windows directory
PID:2392

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bd230deff2a60f06a28a7d7858330ae

SHA1
992139b3bb4f22ee1124be9107156937f5771949

SHA256
da28fdb703d04c8da905987849fdd0749922ac84997e86a4dc17cdea240a27b9

SHA512
c276834b94456b68a70a886b957d79a2eed5df57f71ce8db0263d684b5bee6ae46767fac59efa12449b847fa14573a8cb94e3b7d6ea707b0afbd121640a06577

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca94bc2c9866c3a451ccdf964e034e05

SHA1
6ca0c53eb6c4e514769196ea7dcc2cfefb1facbb

SHA256
b614949e0b05d81a45d0ded509bf58f4a950efc0dd0c1b166667fa5d1827ccb9

SHA512
b576fdc6098152cbb0bf21e0671d91ac512c477f7325d243fe72b5a87e6cd76bbdba2c6196d8be811cda5851dbf7456659fec4f96d01d591550d738ee1479d99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93eb8fbe8d19de63578ef2cea1e8b3b3

SHA1
e14fea6fa4e6c30542a7da14e16b68e930448d18

SHA256
c372f0fb375bca83b708137648c80a240ae2854591d53b77036820c762bde1a0

SHA512
6d1615e6767eaa49191f11ea37367332d933a6d733438016dfc90405135d5096cbceaddd5c3ef2a21e63dcd1355d341c38ba5103a1589061770fc375eab5170e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90995a4c83a9012a5911f40702e4dd18

SHA1
653ae53fb3410ad32b170c03342d061e78a01f18

SHA256
b4d961af0bec552ef7fd56b12217496e0842e77bf279c8547e51a7feb1cce984

SHA512
4d70a81f40d11dc0908c708d5436fd8ddd7c0929ba8aa6144b2f6e5b4134524c92c69b063653f6215667b08922f772efc508439527390710aff4478ed4b5d0d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a244da489a25aa7c9ce05f9309f9f21a

SHA1
6acd6e2665a8c22fc8003979f594302631e3bf77

SHA256
044ebf6fc26f9085fd8ba4d2e769e5a8a73563c2ab918f774aea8d9362aa9082

SHA512
58b9623879af3957330cd414e3586f97b096e78a25397d06c87bfd8fe4c82ed4d94717e7bd8fea50c96baa926df978885f87b0ac74b88b498774832e35e4154e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
375eeb364a06d33993d0c3dffbd03bc2

SHA1
c5e9ef4e6d497e068fa365f1645770bb113b22dd

SHA256
9f945f5a8bed082cc0d94573fd6888a9086229419094786811577b0da4b67dc2

SHA512
9cf4f4eeb1dc052d902414470d16ecfc6ffab6f12e41e381454fa75ea8ff4f8f1a5ad7c8b434fe110d5eabe0ac69485c7b938237dedc4d3bfb64b0ff55dcf201

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC13F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC180.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\Pictures\1IGVLQgrJ09TAD4PM3tN5H2b.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\Pictures\1IGVLQgrJ09TAD4PM3tN5H2b.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\Pictures\2QCSTHK7Q0pJKcAK9aIKzrIV.exe

Filesize
2.8MB

MD5
6fbde9004c71b1404663f8b22d5d406d

SHA1
64ca5936179fc4153358c5d359169eed6a1a4b90

SHA256
861c77d58bab20faf84aafd28f3fbf0d5931b33febb28cb0a63ebd8f5b5fe5e2

SHA512
e4ccc86769b7bfa5cb4568ef72021ae4de7c4e79db4aa9b80ec71ccb30d156bbb59f934c1ca433f6b32e2586c23b38ccef9f2a1e8ad13a42f80f84b918c67b81

Download Submit
C:\Users\Admin\Pictures\2QCSTHK7Q0pJKcAK9aIKzrIV.exe

Filesize
2.8MB

MD5
6fbde9004c71b1404663f8b22d5d406d

SHA1
64ca5936179fc4153358c5d359169eed6a1a4b90

SHA256
861c77d58bab20faf84aafd28f3fbf0d5931b33febb28cb0a63ebd8f5b5fe5e2

SHA512
e4ccc86769b7bfa5cb4568ef72021ae4de7c4e79db4aa9b80ec71ccb30d156bbb59f934c1ca433f6b32e2586c23b38ccef9f2a1e8ad13a42f80f84b918c67b81

Download Submit
C:\Users\Admin\Pictures\2QCSTHK7Q0pJKcAK9aIKzrIV.exe

Filesize
2.8MB

MD5
6fbde9004c71b1404663f8b22d5d406d

SHA1
64ca5936179fc4153358c5d359169eed6a1a4b90

SHA256
861c77d58bab20faf84aafd28f3fbf0d5931b33febb28cb0a63ebd8f5b5fe5e2

SHA512
e4ccc86769b7bfa5cb4568ef72021ae4de7c4e79db4aa9b80ec71ccb30d156bbb59f934c1ca433f6b32e2586c23b38ccef9f2a1e8ad13a42f80f84b918c67b81

Download Submit
C:\Users\Admin\Pictures\4GzAqKrH5PXPVqhV17myBrWI.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\4GzAqKrH5PXPVqhV17myBrWI.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\4GzAqKrH5PXPVqhV17myBrWI.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe

Filesize
4.2MB

MD5
2900df342018c8b23910440e3c7c1468

SHA1
619ac0362e476ac50a01914430865c1d782f5b82

SHA256
39ec4280afaaa327e2b57bb555a0c5def776b40bf9199fd5f57c4125bae440ac

SHA512
1fe8eac255fd733b9ec42750c1d32d89d256a2f49aa2510d17c390d7d500d5efc247b83c025249f64fc8db47f15a3d33c1b126eff066f15db378a931d089f706

Download Submit
C:\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe

Filesize
4.2MB

MD5
2900df342018c8b23910440e3c7c1468

SHA1
619ac0362e476ac50a01914430865c1d782f5b82

SHA256
39ec4280afaaa327e2b57bb555a0c5def776b40bf9199fd5f57c4125bae440ac

SHA512
1fe8eac255fd733b9ec42750c1d32d89d256a2f49aa2510d17c390d7d500d5efc247b83c025249f64fc8db47f15a3d33c1b126eff066f15db378a931d089f706

Download Submit
C:\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe

Filesize
4.2MB

MD5
2900df342018c8b23910440e3c7c1468

SHA1
619ac0362e476ac50a01914430865c1d782f5b82

SHA256
39ec4280afaaa327e2b57bb555a0c5def776b40bf9199fd5f57c4125bae440ac

SHA512
1fe8eac255fd733b9ec42750c1d32d89d256a2f49aa2510d17c390d7d500d5efc247b83c025249f64fc8db47f15a3d33c1b126eff066f15db378a931d089f706

Download Submit
C:\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe

Filesize
4.2MB

MD5
2900df342018c8b23910440e3c7c1468

SHA1
619ac0362e476ac50a01914430865c1d782f5b82

SHA256
39ec4280afaaa327e2b57bb555a0c5def776b40bf9199fd5f57c4125bae440ac

SHA512
1fe8eac255fd733b9ec42750c1d32d89d256a2f49aa2510d17c390d7d500d5efc247b83c025249f64fc8db47f15a3d33c1b126eff066f15db378a931d089f706

Download Submit
C:\Users\Admin\Pictures\9ApFpnMQMyAA4uHIhm7d6BE9.exe

Filesize
2.6MB

MD5
1cbf0540443b57f70f8f09dfb0386d94

SHA1
9e542c09f464bdcefbcf50e45a04dc3af60027a9

SHA256
559b465bc7a517cdac15770e26da966a6e3ffb6235ad949bc9e9a66c7dc656bb

SHA512
909f3414ba2b1912a331e2388c467ee9b26977b5c3703fde75b10caee9fdc1d5972a63fff4480fa44a1643024627f7763de41cd2f5dc982f0747b291e6a6d0af

Download Submit
C:\Users\Admin\Pictures\9ApFpnMQMyAA4uHIhm7d6BE9.exe

Filesize
2.6MB

MD5
1cbf0540443b57f70f8f09dfb0386d94

SHA1
9e542c09f464bdcefbcf50e45a04dc3af60027a9

SHA256
559b465bc7a517cdac15770e26da966a6e3ffb6235ad949bc9e9a66c7dc656bb

SHA512
909f3414ba2b1912a331e2388c467ee9b26977b5c3703fde75b10caee9fdc1d5972a63fff4480fa44a1643024627f7763de41cd2f5dc982f0747b291e6a6d0af

Download Submit
C:\Users\Admin\Pictures\EwgL0q7bMFGQRsZ9rEy75TIH.exe

Filesize
4.9MB

MD5
f7f4c10dd56dd175ed57b936d3ae87d1

SHA1
df2c485537f84ab875071c431a21f2cdf477605c

SHA256
a39eba51e56a3038058473c7d625e3331961938985451ff4120a518a80fa09ce

SHA512
7dc0909929e4cac8daeb0e36fb481a43a36004c36bc26565f2a442e26edb1c3bc9882e370be1ed16f715df77541879e4a444aa7ef53d80fb284745e89eeb7171

Download Submit
C:\Users\Admin\Pictures\EwgL0q7bMFGQRsZ9rEy75TIH.exe

Filesize
4.9MB

MD5
f7f4c10dd56dd175ed57b936d3ae87d1

SHA1
df2c485537f84ab875071c431a21f2cdf477605c

SHA256
a39eba51e56a3038058473c7d625e3331961938985451ff4120a518a80fa09ce

SHA512
7dc0909929e4cac8daeb0e36fb481a43a36004c36bc26565f2a442e26edb1c3bc9882e370be1ed16f715df77541879e4a444aa7ef53d80fb284745e89eeb7171

Download Submit
C:\Users\Admin\Pictures\EwgL0q7bMFGQRsZ9rEy75TIH.exe

Filesize
4.9MB

MD5
f7f4c10dd56dd175ed57b936d3ae87d1

SHA1
df2c485537f84ab875071c431a21f2cdf477605c

SHA256
a39eba51e56a3038058473c7d625e3331961938985451ff4120a518a80fa09ce

SHA512
7dc0909929e4cac8daeb0e36fb481a43a36004c36bc26565f2a442e26edb1c3bc9882e370be1ed16f715df77541879e4a444aa7ef53d80fb284745e89eeb7171

Download Submit
C:\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
C:\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
C:\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
C:\Windows\TEMP\iacrcjwhmdyc.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_231012192816837828.dll

Filesize
4.7MB

MD5
9e0d1f5e1b19e6f5c5041e6228185374

SHA1
5abc65f947c88a51949707cf3dd44826d3877f4e

SHA256
2f7174e4db37dc516fd222c3331a266cb75dca9c3914bdc93b6000d119e566b6

SHA512
a17185c7460e2e15858581a86d6ec35acbf48a20d680eafd2bc0ac809e58fa3645e1d29ee8d936d89bcab67bfe86889a59f69a26c90a0ca68e13df70713afcd4

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\Pictures\1IGVLQgrJ09TAD4PM3tN5H2b.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
\Users\Admin\Pictures\2QCSTHK7Q0pJKcAK9aIKzrIV.exe

Filesize
2.8MB

MD5
6fbde9004c71b1404663f8b22d5d406d

SHA1
64ca5936179fc4153358c5d359169eed6a1a4b90

SHA256
861c77d58bab20faf84aafd28f3fbf0d5931b33febb28cb0a63ebd8f5b5fe5e2

SHA512
e4ccc86769b7bfa5cb4568ef72021ae4de7c4e79db4aa9b80ec71ccb30d156bbb59f934c1ca433f6b32e2586c23b38ccef9f2a1e8ad13a42f80f84b918c67b81

Download Submit
\Users\Admin\Pictures\4GzAqKrH5PXPVqhV17myBrWI.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe

Filesize
4.2MB

MD5
2900df342018c8b23910440e3c7c1468

SHA1
619ac0362e476ac50a01914430865c1d782f5b82

SHA256
39ec4280afaaa327e2b57bb555a0c5def776b40bf9199fd5f57c4125bae440ac

SHA512
1fe8eac255fd733b9ec42750c1d32d89d256a2f49aa2510d17c390d7d500d5efc247b83c025249f64fc8db47f15a3d33c1b126eff066f15db378a931d089f706

Download Submit
\Users\Admin\Pictures\7NC866HmUTcrVKlxdN8JG7y6.exe

Filesize
4.2MB

MD5
2900df342018c8b23910440e3c7c1468

SHA1
619ac0362e476ac50a01914430865c1d782f5b82

SHA256
39ec4280afaaa327e2b57bb555a0c5def776b40bf9199fd5f57c4125bae440ac

SHA512
1fe8eac255fd733b9ec42750c1d32d89d256a2f49aa2510d17c390d7d500d5efc247b83c025249f64fc8db47f15a3d33c1b126eff066f15db378a931d089f706

Download Submit
\Users\Admin\Pictures\9ApFpnMQMyAA4uHIhm7d6BE9.exe

Filesize
2.6MB

MD5
1cbf0540443b57f70f8f09dfb0386d94

SHA1
9e542c09f464bdcefbcf50e45a04dc3af60027a9

SHA256
559b465bc7a517cdac15770e26da966a6e3ffb6235ad949bc9e9a66c7dc656bb

SHA512
909f3414ba2b1912a331e2388c467ee9b26977b5c3703fde75b10caee9fdc1d5972a63fff4480fa44a1643024627f7763de41cd2f5dc982f0747b291e6a6d0af

Download Submit
\Users\Admin\Pictures\EwgL0q7bMFGQRsZ9rEy75TIH.exe

Filesize
4.9MB

MD5
f7f4c10dd56dd175ed57b936d3ae87d1

SHA1
df2c485537f84ab875071c431a21f2cdf477605c

SHA256
a39eba51e56a3038058473c7d625e3331961938985451ff4120a518a80fa09ce

SHA512
7dc0909929e4cac8daeb0e36fb481a43a36004c36bc26565f2a442e26edb1c3bc9882e370be1ed16f715df77541879e4a444aa7ef53d80fb284745e89eeb7171

Download Submit
\Users\Admin\Pictures\Opera_installer_231012192829197828.dll

Filesize
4.7MB

MD5
9e0d1f5e1b19e6f5c5041e6228185374

SHA1
5abc65f947c88a51949707cf3dd44826d3877f4e

SHA256
2f7174e4db37dc516fd222c3331a266cb75dca9c3914bdc93b6000d119e566b6

SHA512
a17185c7460e2e15858581a86d6ec35acbf48a20d680eafd2bc0ac809e58fa3645e1d29ee8d936d89bcab67bfe86889a59f69a26c90a0ca68e13df70713afcd4

Download Submit
\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
\Users\Admin\Pictures\Z3k2JRXNcKIghSHyuXdadUv0.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
00b06f2f558948ac23dcdcd53264eab9

SHA1
b3b2416bddb79980114d5dd9a9ee41ee473032a0

SHA256
646a0e14e04bc81dca0730d14cef0287f4ce62e25afddafcb6e0433dbe73608f

SHA512
e5a1f14c0ff1bf58dcef7e914df0d1798a34b6a2fb8b4865f04e46c77b915a0907306918e37097c547dcfbb13d53f6742b49aebedeb2e5bab6a6c14365d5df18

Download Submit
memory/576-198-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/576-330-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-339-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-337-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-334-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-260-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/576-409-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/576-254-0x0000000005220000-0x0000000005260000-memory.dmp

Filesize
256KB

Download
memory/576-348-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/576-332-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-311-0x0000000005220000-0x0000000005260000-memory.dmp

Filesize
256KB

Download
memory/576-223-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/576-315-0x0000000000980000-0x000000000099C000-memory.dmp

Filesize
112KB

Download
memory/576-316-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-317-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-341-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-328-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-326-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-210-0x00000000001B0000-0x0000000000694000-memory.dmp

Filesize
4.9MB

Download
memory/576-319-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-323-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/576-321-0x0000000000980000-0x0000000000995000-memory.dmp

Filesize
84KB

Download
memory/828-231-0x0000000000D40000-0x000000000128D000-memory.dmp

Filesize
5.3MB

Download
memory/828-202-0x0000000000D40000-0x000000000128D000-memory.dmp

Filesize
5.3MB

Download
memory/828-363-0x0000000000D40000-0x000000000128D000-memory.dmp

Filesize
5.3MB

Download
memory/828-225-0x0000000000D40000-0x000000000128D000-memory.dmp

Filesize
5.3MB

Download
memory/980-230-0x000000013F120000-0x000000013F663000-memory.dmp

Filesize
5.3MB

Download
memory/980-303-0x000000013F120000-0x000000013F663000-memory.dmp

Filesize
5.3MB

Download
memory/980-209-0x000000013F120000-0x000000013F663000-memory.dmp

Filesize
5.3MB

Download
memory/980-261-0x000000013F120000-0x000000013F663000-memory.dmp

Filesize
5.3MB

Download
memory/980-308-0x000000013F120000-0x000000013F663000-memory.dmp

Filesize
5.3MB

Download
memory/1168-360-0x000000013F820000-0x000000013FD63000-memory.dmp

Filesize
5.3MB

Download
memory/1416-222-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/1416-298-0x0000000005C80000-0x0000000005CC0000-memory.dmp

Filesize
256KB

Download
memory/1416-376-0x0000000005C80000-0x0000000005CC0000-memory.dmp

Filesize
256KB

Download
memory/1416-228-0x0000000001310000-0x000000000162C000-memory.dmp

Filesize
3.1MB

Download
memory/1416-265-0x0000000005C80000-0x0000000005CC0000-memory.dmp

Filesize
256KB

Download
memory/1416-324-0x0000000005C80000-0x0000000005CC0000-memory.dmp

Filesize
256KB

Download
memory/1416-293-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/1436-5-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/1436-197-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/1436-1-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1436-4-0x0000000074420000-0x0000000074B0E000-memory.dmp

Filesize
6.9MB

Download
memory/1436-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1436-3-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1436-196-0x000000000BEC0000-0x000000000C40D000-memory.dmp

Filesize
5.3MB

Download
memory/1436-201-0x0000000004800000-0x0000000004840000-memory.dmp

Filesize
256KB

Download
memory/1456-237-0x000000013F410000-0x000000013FADF000-memory.dmp

Filesize
6.8MB

Download
memory/1576-358-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1576-306-0x0000000002940000-0x0000000002D38000-memory.dmp

Filesize
4.0MB

Download
memory/1576-310-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1576-312-0x0000000002940000-0x0000000002D38000-memory.dmp

Filesize
4.0MB

Download
memory/1668-350-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1668-309-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1668-305-0x00000000027A0000-0x0000000002B98000-memory.dmp

Filesize
4.0MB

Download
memory/1668-302-0x00000000027A0000-0x0000000002B98000-memory.dmp

Filesize
4.0MB

Download
memory/1876-460-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/1876-461-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/1876-454-0x0000000000BB0000-0x0000000000BD0000-memory.dmp

Filesize
128KB

Download
memory/1876-455-0x0000000000B90000-0x0000000000BB0000-memory.dmp

Filesize
128KB

Download
memory/1880-251-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1880-250-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/1880-242-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/1880-256-0x00000000027C0000-0x0000000002840000-memory.dmp

Filesize
512KB

Download
memory/1880-241-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/1880-257-0x00000000027CB000-0x0000000002832000-memory.dmp

Filesize
412KB

Download
memory/1880-255-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/1880-252-0x000007FEF5660000-0x000007FEF5FFD000-memory.dmp

Filesize
9.6MB

Download
memory/1920-357-0x0000000002A90000-0x000000000337B000-memory.dmp

Filesize
8.9MB

Download
memory/1920-352-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/1920-379-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1920-356-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/1920-366-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1920-405-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1920-402-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/1960-221-0x0000000002B70000-0x000000000345B000-memory.dmp

Filesize
8.9MB

Download
memory/1960-207-0x0000000002770000-0x0000000002B68000-memory.dmp

Filesize
4.0MB

Download
memory/1960-280-0x0000000002770000-0x0000000002B68000-memory.dmp

Filesize
4.0MB

Download
memory/1960-185-0x0000000002770000-0x0000000002B68000-memory.dmp

Filesize
4.0MB

Download
memory/1960-258-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1960-297-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1960-226-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1960-292-0x0000000002B70000-0x000000000345B000-memory.dmp

Filesize
8.9MB

Download
memory/2080-253-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2080-299-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2080-224-0x0000000002720000-0x0000000002B18000-memory.dmp

Filesize
4.0MB

Download
memory/2080-203-0x0000000002720000-0x0000000002B18000-memory.dmp

Filesize
4.0MB

Download
memory/2244-470-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2244-445-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2244-459-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2948-383-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2948-388-0x00000000010A0000-0x0000000001120000-memory.dmp

Filesize
512KB

Download
memory/2948-401-0x00000000010A0000-0x0000000001120000-memory.dmp

Filesize
512KB

Download
memory/2948-380-0x0000000019BB0000-0x0000000019E92000-memory.dmp

Filesize
2.9MB

Download
memory/2948-385-0x00000000010A0000-0x0000000001120000-memory.dmp

Filesize
512KB

Download
memory/2948-387-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2948-389-0x00000000010A0000-0x0000000001120000-memory.dmp

Filesize
512KB

Download
memory/2948-403-0x000007FEF4E70000-0x000007FEF580D000-memory.dmp

Filesize
9.6MB

Download
memory/2948-381-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/2968-425-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2968-378-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2968-384-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2968-408-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download