amadey | 6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe
Size

255KB
MD5

36bf3ca7bff05bc29e138c172d2d274d
SHA1

9a19411740c7fb267fa3ab38660e7c7cbdd83c7d
SHA256

6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e
SHA512

cd89d7ec01fcabda2d75601f9c7aa7fc1e75a8df8089f38efae2bbe2def3267a6877cdf48c2aec15092f3d93cf7e4f8fb20bd74c8ed8153541a158ad68330216
SSDEEP

6144:SAdjEF2jicP5iOo2T8VrSd/sUAOzilfrqldZDBI1Sa:SAdoqiG59ou9iRrqlHS1Sa

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Extracted

Family

redline

Botnet

pixelscloud2.0

85.209.176.128:80

Extracted

Family

redline

Botnet

kukish

77.91.124.55:19071

Extracted

Family

redline

Botnet

@ytlogsbot

185.216.70.238:37515

Extracted

Family

amadey

Version

3.83

http://5.42.65.80/8bmeVwqx/index.php

Attributes

install_dir
207aa4515d
install_file
oneetx.exe
strings_key
3e634dd0840c68ae2ced83c2be7bf0d4

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		AppLaunch.exe
		4056	schtasks.exe
		2956	schtasks.exe
		2104	schtasks.exe
		2308	schtasks.exe

Detected google phishing page
phishing google
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/1020-319-0x0000000004DD0000-0x00000000056BB000-memory.dmp	family_glupteba
behavioral1/memory/1020-328-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/1020-479-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/1020-589-0x0000000004DD0000-0x00000000056BB000-memory.dmp	family_glupteba
behavioral1/memory/1020-590-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/1020-685-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/1020-733-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3452-735-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3452-1088-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3452-1145-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1159-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1273-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1311-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1366-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1370-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1371-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1396-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1402-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba
behavioral1/memory/3924-1404-0x0000000000400000-0x0000000002FB8000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 17 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d60-146.dat	family_redline
behavioral1/files/0x0007000000016d60-153.dat	family_redline
behavioral1/memory/2896-167-0x00000000003A0000-0x00000000003FA000-memory.dmp	family_redline
behavioral1/files/0x0007000000017565-175.dat	family_redline
behavioral1/files/0x0007000000017565-176.dat	family_redline
behavioral1/files/0x00060000000170fc-178.dat	family_redline
behavioral1/files/0x00060000000170fc-183.dat	family_redline
behavioral1/files/0x00060000000170fc-182.dat	family_redline
behavioral1/files/0x00060000000170fc-181.dat	family_redline
behavioral1/memory/1680-189-0x00000000009B0000-0x0000000000B9A000-memory.dmp	family_redline
behavioral1/memory/1808-191-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/1680-197-0x00000000009B0000-0x0000000000B9A000-memory.dmp	family_redline
behavioral1/memory/1808-198-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/1808-199-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral1/memory/1748-202-0x0000000000BF0000-0x0000000000C4A000-memory.dmp	family_redline
behavioral1/memory/2220-207-0x00000000003E0000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2392-201-0x0000000000F30000-0x0000000000F4E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d60-146.dat	family_sectoprat
behavioral1/files/0x0007000000016d60-153.dat	family_sectoprat
behavioral1/memory/2392-201-0x0000000000F30000-0x0000000000F4E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
3808	bcdedit.exe
1608	bcdedit.exe
3016	bcdedit.exe
3648	bcdedit.exe
1972	bcdedit.exe
4092	bcdedit.exe
3884	bcdedit.exe
3812	bcdedit.exe
3872	bcdedit.exe
3852	bcdedit.exe
3816	bcdedit.exe
3920	bcdedit.exe
3804	bcdedit.exe
3956	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
3904	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1908-228-0x00000000003E0000-0x0000000000400000-memory.dmp	net_reactor
behavioral1/memory/1908-245-0x0000000001FE0000-0x0000000001FFE000-memory.dmp	net_reactor
behavioral1/memory/1908-265-0x0000000001FE0000-0x0000000001FF8000-memory.dmp	net_reactor
behavioral1/memory/1908-267-0x0000000001FE0000-0x0000000001FF8000-memory.dmp	net_reactor

Executes dropped EXE 30 IoCs

pid	Process
2332	9E71.exe
2744	9FC9.exe
2832	A3B2.exe
1908	A873.exe
2740	ABA0.exe
1740	wj2Sc1wu.exe
1772	Vt4Sp5Po.exe
2932	explothe.exe
2896	B1F7.exe
2084	Tp5Er8ax.exe
2392	B41A.exe
448	Fn3zL6nr.exe
988	1SH39BH0.exe
1748	B62D.exe
2220	2Lt723oN.exe
1680	BBE9.exe
2808	wherars
1000	D469.exe
1020	31839b57a4f11171d6abc8bbc4451ee4.exe
2208	oldplayer.exe
1076	oneetx.exe
3452	31839b57a4f11171d6abc8bbc4451ee4.exe
3924	csrss.exe
1748	patch.exe
3240	injector.exe
3032	oneetx.exe
3576	explothe.exe
3960	dsefix.exe
4084	windefender.exe
1988	windefender.exe

Loads dropped DLL 36 IoCs

pid	Process
2332	9E71.exe
2332	9E71.exe
1740	wj2Sc1wu.exe
1740	wj2Sc1wu.exe
1772	Vt4Sp5Po.exe
2740	ABA0.exe
1772	Vt4Sp5Po.exe
2084	Tp5Er8ax.exe
2084	Tp5Er8ax.exe
448	Fn3zL6nr.exe
448	Fn3zL6nr.exe
448	Fn3zL6nr.exe
988	1SH39BH0.exe
448	Fn3zL6nr.exe
2220	2Lt723oN.exe
1000	D469.exe
1000	D469.exe
1000	D469.exe
2208	oldplayer.exe
3452	31839b57a4f11171d6abc8bbc4451ee4.exe
3452	31839b57a4f11171d6abc8bbc4451ee4.exe
2468	rundll32.exe
2468	rundll32.exe
2468	rundll32.exe
2468	rundll32.exe
860	Process not Found
3924	csrss.exe
1748	patch.exe
1748	patch.exe
1748	patch.exe
1748	patch.exe
1748	patch.exe
1748	patch.exe
1748	patch.exe
1748	patch.exe
3924	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4084-1399-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1988-1400-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/4084-1401-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1988-1403-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Vt4Sp5Po.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Tp5Er8ax.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Fn3zL6nr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9E71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	wj2Sc1wu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2324 set thread context of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 1680 set thread context of 1808	1680	BBE9.exe	68

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231016091025.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2708	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2956	schtasks.exe
2104	schtasks.exe
2308	schtasks.exe
4056	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C3C54861-6C03-11EE-8A1C-F6205DB39F9E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C37B7DC1-6C03-11EE-8A1C-F6205DB39F9E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604788ac1000da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f000000000200000000001066000000010000200000002cbfe60aa9576f32649b1877c29fed4a750fcd91936eca02d63b3e75b7a2eac0000000000e8000000002000020000000dbe39107e3617603003e47689feb9229bcf9e707dbd7a45e05e86e02f8ef461d900000003801eec7f11c4ad5a7c8511a488cb9db22cfd116afc33c52e16b641afcc864a124eb19bca0c09687118da61743bdb02d66951ac1ae4fe6a2a923e669607ced343f55132b4200f1b87f58ded2363e606ce799aafed84a4d6f8df6c1eeb9c003236e131c14b47139193fc0fca811f33f25781d470dc7e568973bf753b721806d4547b609ce5e0ff645b95afd3c8e2fdffa400000007708b97ddd534b15a5e742a9027bc20095260b36a730224830492eecadf2385efd3008d07f18ab5da28fc18290c7ab1287a7226cb17d37cd2acf8fd55c01faa9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404212369"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000b5ff89de31836dadd290d6991fdbb94842affdc6749cd4e089cb7f7d473ecf4f000000000e8000000002000020000000e6722e47dceb9cfe0e851453e4ab1a2e71a82337d0dfded898da4767b9d65434200000003a554750f1262ce39a612623307b9ebbe2aaaf6aa4f68f75c39dab3a106119404000000028f6c26e22ae6c1f627a1b75517ea43ab231de10244f22b374fd578f370209f1d023b9f919bea19c31a0947e3512bce8c67b932e5169a1c9539a81c58e9d2656	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1092	AppLaunch.exe
1092	AppLaunch.exe
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	Process not Found

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1092	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeDebugPrivilege	2392	B41A.exe
Token: SeDebugPrivilege	1908	A873.exe
Token: SeDebugPrivilege	1748	patch.exe
Token: SeDebugPrivilege	2896	B1F7.exe
Token: SeDebugPrivilege	1808	vbc.exe
Token: SeDebugPrivilege	1020	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1020	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeSystemEnvironmentPrivilege	3924	csrss.exe
Token: SeSecurityPrivilege	2708	sc.exe
Token: SeSecurityPrivilege	2708	sc.exe
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found
Token: SeShutdownPrivilege	1244	Process not Found

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2800	iexplore.exe
1704	iexplore.exe
2208	oldplayer.exe
1244	Process not Found
1244	Process not Found
1244	Process not Found
1244	Process not Found

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2800	iexplore.exe
2800	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
1704	iexplore.exe
1704	iexplore.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 2324 wrote to memory of 1092	2324	JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe	29
PID 1244 wrote to memory of 2332	1244	Process not Found	30
PID 1244 wrote to memory of 2332	1244	Process not Found	30
PID 1244 wrote to memory of 2332	1244	Process not Found	30
PID 1244 wrote to memory of 2332	1244	Process not Found	30
PID 1244 wrote to memory of 2332	1244	Process not Found	30
PID 1244 wrote to memory of 2332	1244	Process not Found	30
PID 1244 wrote to memory of 2332	1244	Process not Found	30
PID 1244 wrote to memory of 2744	1244	Process not Found	31
PID 1244 wrote to memory of 2744	1244	Process not Found	31
PID 1244 wrote to memory of 2744	1244	Process not Found	31
PID 1244 wrote to memory of 2744	1244	Process not Found	31
PID 1244 wrote to memory of 2268	1244	Process not Found	32
PID 1244 wrote to memory of 2268	1244	Process not Found	32
PID 1244 wrote to memory of 2268	1244	Process not Found	32
PID 1244 wrote to memory of 2832	1244	Process not Found	34
PID 1244 wrote to memory of 2832	1244	Process not Found	34
PID 1244 wrote to memory of 2832	1244	Process not Found	34
PID 1244 wrote to memory of 2832	1244	Process not Found	34
PID 2268 wrote to memory of 2800	2268	cmd.exe	35
PID 2268 wrote to memory of 2800	2268	cmd.exe	35
PID 2268 wrote to memory of 2800	2268	cmd.exe	35
PID 2268 wrote to memory of 1704	2268	cmd.exe	37
PID 2268 wrote to memory of 1704	2268	cmd.exe	37
PID 2268 wrote to memory of 1704	2268	cmd.exe	37
PID 2800 wrote to memory of 2716	2800	iexplore.exe	38
PID 2800 wrote to memory of 2716	2800	iexplore.exe	38
PID 2800 wrote to memory of 2716	2800	iexplore.exe	38
PID 2800 wrote to memory of 2716	2800	iexplore.exe	38
PID 1244 wrote to memory of 1908	1244	Process not Found	39
PID 1244 wrote to memory of 1908	1244	Process not Found	39
PID 1244 wrote to memory of 1908	1244	Process not Found	39
PID 1244 wrote to memory of 1908	1244	Process not Found	39
PID 1244 wrote to memory of 2740	1244	Process not Found	40
PID 1244 wrote to memory of 2740	1244	Process not Found	40
PID 1244 wrote to memory of 2740	1244	Process not Found	40
PID 1244 wrote to memory of 2740	1244	Process not Found	40
PID 1704 wrote to memory of 2796	1704	iexplore.exe	41
PID 1704 wrote to memory of 2796	1704	iexplore.exe	41
PID 1704 wrote to memory of 2796	1704	iexplore.exe	41
PID 1704 wrote to memory of 2796	1704	iexplore.exe	41
PID 2332 wrote to memory of 1740	2332	9E71.exe	42
PID 2332 wrote to memory of 1740	2332	9E71.exe	42
PID 2332 wrote to memory of 1740	2332	9E71.exe	42
PID 2332 wrote to memory of 1740	2332	9E71.exe	42
PID 2332 wrote to memory of 1740	2332	9E71.exe	42
PID 2332 wrote to memory of 1740	2332	9E71.exe	42
PID 2332 wrote to memory of 1740	2332	9E71.exe	42
PID 1740 wrote to memory of 1772	1740	wj2Sc1wu.exe	43
PID 1740 wrote to memory of 1772	1740	wj2Sc1wu.exe	43
PID 1740 wrote to memory of 1772	1740	wj2Sc1wu.exe	43
PID 1740 wrote to memory of 1772	1740	wj2Sc1wu.exe	43
PID 1740 wrote to memory of 1772	1740	wj2Sc1wu.exe	43
PID 1740 wrote to memory of 1772	1740	wj2Sc1wu.exe	43
PID 1740 wrote to memory of 1772	1740	wj2Sc1wu.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe
"C:\Users\Admin\AppData\Local\Temp\JC_6fa3ea98b1b4983114433c2762498890759b5085a0470f76b71060d60c1b4b6e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1092

C:\Users\Admin\AppData\Local\Temp\9E71.exe
C:\Users\Admin\AppData\Local\Temp\9E71.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:988
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2220

C:\Users\Admin\AppData\Local\Temp\9FC9.exe
C:\Users\Admin\AppData\Local\Temp\9FC9.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\A17F.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:340993 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2716
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2796

C:\Users\Admin\AppData\Local\Temp\A3B2.exe
C:\Users\Admin\AppData\Local\Temp\A3B2.exe
1⤵
- Executes dropped EXE
PID:2832

C:\Users\Admin\AppData\Local\Temp\A873.exe
C:\Users\Admin\AppData\Local\Temp\A873.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\AppData\Local\Temp\ABA0.exe
C:\Users\Admin\AppData\Local\Temp\ABA0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  - Executes dropped EXE
  PID:2932
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:1752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:616
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2160
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:1292
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:2468

C:\Users\Admin\AppData\Local\Temp\B1F7.exe
C:\Users\Admin\AppData\Local\Temp\B1F7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2896

C:\Users\Admin\AppData\Local\Temp\B41A.exe
C:\Users\Admin\AppData\Local\Temp\B41A.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Users\Admin\AppData\Local\Temp\B62D.exe
C:\Users\Admin\AppData\Local\Temp\B62D.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Local\Temp\BBE9.exe
C:\Users\Admin\AppData\Local\Temp\BBE9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1808

C:\Windows\system32\taskeng.exe
taskeng.exe {A8784029-E9E9-48AD-A330-1CD5B5752828} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
1⤵
PID:2324
- C:\Users\Admin\AppData\Roaming\wherars
  C:\Users\Admin\AppData\Roaming\wherars
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  2⤵
  - Executes dropped EXE
  PID:3576

C:\Users\Admin\AppData\Local\Temp\D469.exe
C:\Users\Admin\AppData\Local\Temp\D469.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:3452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:3876
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3904
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Manipulates WinMon driver.
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:3924
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2308
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2688
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3808
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1608
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3016
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3648
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1972
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:4092
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3884
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3812
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3872
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3852
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3816
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3920
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:3240
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        5⤵
        Executes dropped EXE
        
        PID:3960
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4056
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:4084
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
- C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
  "C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:2208
- - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
    3⤵
    - Executes dropped EXE
    PID:1076
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
      4⤵
      PID:2316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3012
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:2380
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        5⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2428
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:2236

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016091025.log C:\Windows\Logs\CBS\CbsPersist_20231016091025.cab
1⤵
- Drops file in Windows directory
PID:3180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "220304902-21138004511975124437-555905405-1345245378-1882379157-1186279211-891814562"
1⤵
- Modifies data under HKEY_USERS
PID:3904

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9EBD80E624B865607A21974E30809640

Filesize
471B

MD5
69e854bd23c5909474ee243025da31be

SHA1
f3fddc38a4c6b9239d214dea51adf6fdafdbace1

SHA256
0b8193f810972158734d57f32f73e61e9a3bd6da0329df18a1516cab2b5ae414

SHA512
9b495e78c29c093d5809ee962d59c058d1af786d14f044fffeab7137c79a5d9e2366e562b74323c7fe69dc2149511644a496df8d177c5640f5c108714f1df3b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8a7e22d25dd114ba6822a0968ca29d47

SHA1
9b97a4915eb71b1cff57fe5349bcc6751032fb0d

SHA256
e714546c6a12e5c2cbe17ce619868e8075f9d03bb1aa961a0bf130080e1cd151

SHA512
aecce21fd2844dff28a22dd6ec996224899f8326c1c9d5d7503d4bd60e75a47dc0c9add4a53301ea5369f7201e93fee823aab780f1cb1735e4478185df233eb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
492c2c258ae2d6f7b9078e0aa2036eed

SHA1
2939cf2b6ed9ebe9cb5da1d2641e5dcd49d74a3f

SHA256
f09411cfddf5695ed90554e8a5a51aa0be85e93601921557a6386a6a281f8d50

SHA512
630dd177c943ede0835775daad32a9febcc053ca2e88419748887704d77964fd029e658fa3282aff8e5b6789758cb577ad94b1fd221ffc2020d1e10de1e29256

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78e686d148df964a8cad3e60ec280efe

SHA1
e19637159054212b5d8d753c15c3a4d1b19e4193

SHA256
d4888e4185bbcc32a2d435e181fb922d2967eaef3f4f29106efa283b4d451d38

SHA512
bf9924f5eb5193ffa49f5b796398b4fe346d383059ff2df3e7144e16fd7879f9934dc25ab1941a0efc320df59b8ca8bd5bf5bfa5ee94a2d7f21d3bf84471f4e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9adebe8f2ad35a47dd7fc4e48743018

SHA1
0679144ecea2107b33ca63ee4578abb03d20854b

SHA256
311a4d6e7d5a19232daa7d6060b8b88fde68631536887ae9a6b7f14523401d77

SHA512
86e75e1be44c50f699d4f3704ecc01ffd19f231a5d279036ff87ae321e7d07b3e18b64ad5a55cf7b54892791c18b6caa2c7f69e019ec9aa12cc04350bd5bd08b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a105fec3b4faf6942cffa7bb6c29305e

SHA1
3e2365330c4eef1875980d667b59e082c8e15852

SHA256
b4face5f5eb500741ec697a0351ce6f5a47dea46eefeef9e91675d8ab1bbde8e

SHA512
04700cc0e7e408cc31a0c3e7c6a4f328d2ccbc24332050a5b428c5353a3ccd77d8df34d91c1839e1a4a801209a37ee458b8f8377ff8cf33c74fed7528aa11739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04f524b0697da528599bf1fc15cf3bda

SHA1
aeb166527aeb76591005a24d417f92de24a530f4

SHA256
41d81bcd35645ba0c7445f18685a44400aa93d7c5687e81051f3b326ac43a37b

SHA512
a0a4537a32e1799c70ccfe96245f5495c25b250ba1fbe9045cb21fec0fc5a79222872801de66cf0ad8851e5b88377ec0ad304f93bf7db99ddbddc79f0946c95f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
154765de64989df36b2d8cab4eb80da7

SHA1
9371b37543f3529732f2a994331fe4845b1df2ab

SHA256
dbae04f37d9744f0e27993c360d0f64faa56b8c8e10a2a644ad9adc10f71237f

SHA512
7b0c9921e346f9f72f457f16fd51d10d59dd32c2125072c174351ec6dff27d1c2710d05f04d74295dc69be3e23316ae4cb43cdf416e2bab6927ef43f66228b2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52d4268e546aac17aba3bf952eede3de

SHA1
e466112ce9bbbb0ed16767c3ffa3778c302fe330

SHA256
fcd04ee9e531c34f9c658330a28b461bac347cb45290fc22d7ef6ea6c89d43ff

SHA512
6d5c443c852fcb283df374318415aaad4e064a7d5394ffc48f838f71768645a758b213ee9368bf566f2ab1afedbe5b8165d80e332b4f271f3608b69d7a8f454d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa2979230243336d1534255228d636b5

SHA1
8e1403a1fd389a343c0f313760b3e686dde29ab4

SHA256
b08c324cb32e9493e8c9a839cf7c3e75a6dcb075d33a25149c8d61363b314d42

SHA512
0f87e23deefa731cbf14cd8bc951a94b745fea4ebab91d2b2c09c5e4ccff1caa3822ed6c7b756dfd38c1d68e696f8a97f100c6b346c9d8d044aef5ea19c58621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a89d4f2e54794c71b8f7f595fb37a55b

SHA1
8983902954716de0bc5707320f48356b032eb226

SHA256
244d7d0779b7e55e7ed1dac1b72ac5a31a9fd69d439516799ab718ffa07d5056

SHA512
8be6bb0fc8fe0c1546089eb8946f08bd0dd0fd6fa4baec160bf91a5977b7b83054a85a5454bb3e2edfa151dde260d93c3ecc4dcadbac4ab0b9689962ee0790ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eaf158057ba399a53f4152082177d739

SHA1
965df4065c5303104a029b7d14e45ba31907e7d1

SHA256
72d868c9a174775a85d291648e457aeaf180c92357f47fa78e2d65c9f0f7eafc

SHA512
8aed114a7de479c5fe1cbab581e60633a7669c54c9ad0d7bdaa0aac73dc275a676869727d14f2f3da941adb96e77e91b8886ab9c80ebced22a1559639e3a71f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30c52cc9570f0d5889221b2e935d32d4

SHA1
e01a0b6240d5b3764663b6c5fb09c489ab125e7a

SHA256
b444a037b4dc96b49b918d462a6b1b53cfea2812c8a093b7f84b3b2e9d7b28f7

SHA512
81078659500440c19300d2db9928c84416457ec713f7a27191705feedbc38f766443010657483c34714d0dc26d843977f6f683c97d0f6a5fd182a38fe5235ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9EBD80E624B865607A21974E30809640

Filesize
406B

MD5
a59676c10e76c099d4d143efdd4c9092

SHA1
55f9ee648b78a7f97f13acfc55e39aa0792ab2ea

SHA256
9a378bd7ecafbd40d17682d528e1731e8f11391321f6ce8897b88768658380da

SHA512
86867aabfe446381fe489942f9c846c16959b26f1f09fcbe3a46263f368a54ea6a2d238cddf80083a66be127043e16771f745cdc646d14addb328e1113df1435

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ddc63d8def3de294ae6cc7db840056c3

SHA1
6c14c895b1ace7b0afc728706bd574fa5a0b0a5e

SHA256
5f40ab6d9ddf94e316f6c8ed0d9296ef447cdca514e5e01b541ac43f13e709fd

SHA512
c4244f9a39a1671716e839b2b499c07d5f0a3b6927622d90222d3d5a92ddec597705502259bb59c9bae217fba191b5cd606491b1b46767cafa8c52589e90f942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C37B7DC1-6C03-11EE-8A1C-F6205DB39F9E}.dat

Filesize
5KB

MD5
724c9cc7226eb0b2453e9acd42029970

SHA1
3dcbe1e01ff7416ebd2138b5489b1b583a67b630

SHA256
bc77231856b76694afb83f5dfed98eec7e6296ff36c07afbf3a4a0f82515009f

SHA512
dc78d4dc77b5342019b6cfecf2553120287e47bbce0ccbbb8f20fae14ba06dd3bc214960b4e16fe8b1112924c9a9c799707229f73caea951f60783cb7ad26cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\iehkyjx\imagestore.dat

Filesize
5KB

MD5
32c4e9b786960c0d7fd012c71ad8e57c

SHA1
93798c968a521599955021647e98f1e7ec0607ad

SHA256
f6c07d407db5795b8bf9a10255258cb3f36d627a140f3272f01a9905c6aec932

SHA512
c27160fa4cd3239d2513aa2ae2967beb8c7ab55aee71ff8696386be10fc775ce849cbecd2fa22df59aac5d89bafcfe287c594ff4cc649f29826ccb26d9d8dbf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\iehkyjx\imagestore.dat

Filesize
9KB

MD5
22ba07ce9eff35f9bd66824aa4d06612

SHA1
524ec7126547bd0c04dc2917dc92abb4255d6a45

SHA256
41e15570bae2fc188d740c5b7645b56013427692c20ee3684b87ab3bda802a93

SHA512
2263c6e37d43438512fd81f3029c5bcbb571e4973c0b7bb2317ce7fd5e59052531d7d06facdaeef37441fed3e3da3b1d62a7200d9804f425e5ec830b6b7a9e7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\186K4QOS\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2DS6H085\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RPR9MST4\hLRJ1GG_y0J[1].ico

Filesize
4KB

MD5
8cddca427dae9b925e73432f8733e05a

SHA1
1999a6f624a25cfd938eef6492d34fdc4f55dedc

SHA256
89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62

SHA512
20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
81e4fc7bd0ee078ccae9523fa5cb17a3

SHA1
4d25ca2e8357dc2688477b45247d02a3967c98a4

SHA256
c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee

SHA512
4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
81e4fc7bd0ee078ccae9523fa5cb17a3

SHA1
4d25ca2e8357dc2688477b45247d02a3967c98a4

SHA256
c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee

SHA512
4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
81e4fc7bd0ee078ccae9523fa5cb17a3

SHA1
4d25ca2e8357dc2688477b45247d02a3967c98a4

SHA256
c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee

SHA512
4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
81e4fc7bd0ee078ccae9523fa5cb17a3

SHA1
4d25ca2e8357dc2688477b45247d02a3967c98a4

SHA256
c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee

SHA512
4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E71.exe

Filesize
1.1MB

MD5
836a38caaae69ce3f1f5fc23ced607a4

SHA1
15074e86cb042ffcaf2e2bdf4374a2bce8751733

SHA256
d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922

SHA512
821b8df1cb39900f1ee29738352ecd6905f184d50144b80ea315d9374e0a9cd2c044082925a42a31bb33a61ca284284d362e7f476b0064a0bb3d03a2198d8152

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E71.exe

Filesize
1.1MB

MD5
836a38caaae69ce3f1f5fc23ced607a4

SHA1
15074e86cb042ffcaf2e2bdf4374a2bce8751733

SHA256
d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922

SHA512
821b8df1cb39900f1ee29738352ecd6905f184d50144b80ea315d9374e0a9cd2c044082925a42a31bb33a61ca284284d362e7f476b0064a0bb3d03a2198d8152

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FC9.exe

Filesize
314KB

MD5
617cb59a7d2c6f2cdac7f597b6f49877

SHA1
f84a2295c63c2ed5f023f2d04269fcfaaa636ef4

SHA256
4f671bdd32c8c9c8745bddcdcc6fc661fa3b6ab99b81bd9762835a6a24ceffef

SHA512
e58c696e654bac6cc23618daea04f99eeb98e8ad9514fd3533759922837721726602e51b0cf76c279c5b7e6e80e0f687301ce82865adc0f85fef7c4bdfccfb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9FC9.exe

Filesize
314KB

MD5
617cb59a7d2c6f2cdac7f597b6f49877

SHA1
f84a2295c63c2ed5f023f2d04269fcfaaa636ef4

SHA256
4f671bdd32c8c9c8745bddcdcc6fc661fa3b6ab99b81bd9762835a6a24ceffef

SHA512
e58c696e654bac6cc23618daea04f99eeb98e8ad9514fd3533759922837721726602e51b0cf76c279c5b7e6e80e0f687301ce82865adc0f85fef7c4bdfccfb5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\A17F.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\A17F.bat

Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3B2.exe

Filesize
355KB

MD5
7405fa0bd79b1c6646717c2ec6301d92

SHA1
13c4107292b65d676243508faa180d2e02ac6d0f

SHA256
2273cb273bd45c8499df8e52e79a2e67926fa4078baf75381fa19997f5db3038

SHA512
8306e0093df708371b3df2afd9ecfd4ff3da491410ffd900c385d7f7722545e8dedc973f39a6aa30ccf7eb7f8aab111d1cbaee8be6732facec9f612e85c95cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A3B2.exe

Filesize
355KB

MD5
7405fa0bd79b1c6646717c2ec6301d92

SHA1
13c4107292b65d676243508faa180d2e02ac6d0f

SHA256
2273cb273bd45c8499df8e52e79a2e67926fa4078baf75381fa19997f5db3038

SHA512
8306e0093df708371b3df2afd9ecfd4ff3da491410ffd900c385d7f7722545e8dedc973f39a6aa30ccf7eb7f8aab111d1cbaee8be6732facec9f612e85c95cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\A873.exe

Filesize
188KB

MD5
425e2a994509280a8c1e2812dfaad929

SHA1
4d5eff2fb3835b761e2516a873b537cbaacea1fe

SHA256
6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a

SHA512
080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABA0.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABA0.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1F7.exe

Filesize
430KB

MD5
bd11f2559ac0485e2c05cdb9a632f475

SHA1
68a0d8fa32aa70c02978cf903f820ec67a7973d3

SHA256
d77617d6633bee3d878ec0e24576868511d446f47bdb4ef644fdb8849ba7e497

SHA512
d0490bc8f90b9cf640e53e70fb64d37cfe35516bc2034bacbd5044c187663078b7e0cfe0382c878cdc4c699155c879ec608ed55eac8aaea873930aeb3bd10b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1F7.exe

Filesize
430KB

MD5
bd11f2559ac0485e2c05cdb9a632f475

SHA1
68a0d8fa32aa70c02978cf903f820ec67a7973d3

SHA256
d77617d6633bee3d878ec0e24576868511d446f47bdb4ef644fdb8849ba7e497

SHA512
d0490bc8f90b9cf640e53e70fb64d37cfe35516bc2034bacbd5044c187663078b7e0cfe0382c878cdc4c699155c879ec608ed55eac8aaea873930aeb3bd10b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\B1F7.exe

Filesize
430KB

MD5
bd11f2559ac0485e2c05cdb9a632f475

SHA1
68a0d8fa32aa70c02978cf903f820ec67a7973d3

SHA256
d77617d6633bee3d878ec0e24576868511d446f47bdb4ef644fdb8849ba7e497

SHA512
d0490bc8f90b9cf640e53e70fb64d37cfe35516bc2034bacbd5044c187663078b7e0cfe0382c878cdc4c699155c879ec608ed55eac8aaea873930aeb3bd10b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\B41A.exe

Filesize
95KB

MD5
7f28547a6060699461824f75c96feaeb

SHA1
744195a7d3ef1aa32dcb99d15f73e26a20813259

SHA256
ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff

SHA512
eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

Download Submit
C:\Users\Admin\AppData\Local\Temp\B41A.exe

Filesize
95KB

MD5
7f28547a6060699461824f75c96feaeb

SHA1
744195a7d3ef1aa32dcb99d15f73e26a20813259

SHA256
ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff

SHA512
eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

Download Submit
C:\Users\Admin\AppData\Local\Temp\B62D.exe

Filesize
341KB

MD5
20e21e63bb7a95492aec18de6aa85ab9

SHA1
6cbf2079a42d86bf155c06c7ad5360c539c02b15

SHA256
96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17

SHA512
73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\B62D.exe

Filesize
341KB

MD5
20e21e63bb7a95492aec18de6aa85ab9

SHA1
6cbf2079a42d86bf155c06c7ad5360c539c02b15

SHA256
96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17

SHA512
73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBE9.exe

Filesize
1.6MB

MD5
db2d8ad07251a98aa2e8f86ed93651ee

SHA1
a14933e0c55c5b7ef6f017d4e24590b89684583f

SHA256
7e3ab286683f5e4139e0cda21a5d8765a8f7cd227f5b23634f2075d1a43cf24e

SHA512
6255a434623e6a5188f86f07ed32f45ba84b39b43a1fc2d45f659f0b447ecd3ddea95aaee1f0b14c9845c29a065423a2037ef7f3c70af78a257c0a984e254d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC75.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\D469.exe

Filesize
4.3MB

MD5
5678c3a93dafcd5ba94fd33528c62276

SHA1
8cdd901481b7080e85b6c25c18226a005edfdb74

SHA256
2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d

SHA512
b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D469.exe

Filesize
4.3MB

MD5
5678c3a93dafcd5ba94fd33528c62276

SHA1
8cdd901481b7080e85b6c25c18226a005edfdb74

SHA256
2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d

SHA512
b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe

Filesize
1.0MB

MD5
193963f09541048cf035b3504a388c92

SHA1
790b0fd99a4794eb958d166b239204b7f847b293

SHA256
89d92ce9f10e849410fcad3cc1c388647fdbdafc1b3fd56fd0695130613e592e

SHA512
3926e91da58fe6ed9b5e5063365e36e1e2b05ea80bc626002fb9d4aeda50f29d11cf2c58b8c44ef14039aba9b36329a726b4c1ec6129f47922956ae9252ced7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe

Filesize
1.0MB

MD5
193963f09541048cf035b3504a388c92

SHA1
790b0fd99a4794eb958d166b239204b7f847b293

SHA256
89d92ce9f10e849410fcad3cc1c388647fdbdafc1b3fd56fd0695130613e592e

SHA512
3926e91da58fe6ed9b5e5063365e36e1e2b05ea80bc626002fb9d4aeda50f29d11cf2c58b8c44ef14039aba9b36329a726b4c1ec6129f47922956ae9252ced7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe

Filesize
839KB

MD5
0be9ec8a4dd67da4d9bf82362b3281bb

SHA1
17c9321ce4e65362d79a5075fae2ffc2e12562fb

SHA256
607b2ae23604ebcf43d12729776d7ce72e7ddb558e37f378a5d31bc87813494b

SHA512
3e834fb3d8af74aa637e99a71d0f04c2bba4d4e9deb3076df9153e7a72214d0c53db7a8297eb211c0b49d10e4c076c0526206a27ff7b8290492bd9e0ec70a646

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe

Filesize
839KB

MD5
0be9ec8a4dd67da4d9bf82362b3281bb

SHA1
17c9321ce4e65362d79a5075fae2ffc2e12562fb

SHA256
607b2ae23604ebcf43d12729776d7ce72e7ddb558e37f378a5d31bc87813494b

SHA512
3e834fb3d8af74aa637e99a71d0f04c2bba4d4e9deb3076df9153e7a72214d0c53db7a8297eb211c0b49d10e4c076c0526206a27ff7b8290492bd9e0ec70a646

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe

Filesize
591KB

MD5
369740c6d89d313a48a795e543cb1c8f

SHA1
b6891b018ce0cdd4f0e393f731c572e57dfd4927

SHA256
02b1dae2e41619dfaff3fd2c9c2fcbbb337f26ec519aeda4f5a5daf385d84994

SHA512
1e545a6b89edf21ccf4240431dc9172d71f26af99361c6950dde48016fadd2064b0f65db6a01e807cec017fd03240600869160236c2a8b7d2f5bac4c200d7ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe

Filesize
591KB

MD5
369740c6d89d313a48a795e543cb1c8f

SHA1
b6891b018ce0cdd4f0e393f731c572e57dfd4927

SHA256
02b1dae2e41619dfaff3fd2c9c2fcbbb337f26ec519aeda4f5a5daf385d84994

SHA512
1e545a6b89edf21ccf4240431dc9172d71f26af99361c6950dde48016fadd2064b0f65db6a01e807cec017fd03240600869160236c2a8b7d2f5bac4c200d7ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe

Filesize
396KB

MD5
0d0d9be70edd172d9f39f88c5120f2a8

SHA1
6a4b01a94d842f717f0430df6ae0fc2aee427812

SHA256
6846fa28d6a789db18a2bf29811d4b383634e9a848536640f910dec1c709eb75

SHA512
50d6feacd947e33138aefd09e0040e35162b9a9b794c8bc91202d713cc23fe720ca9f51b7313b07f86a4a985e152c752ecc8730dbe6743a0cd4ce821b5d9632b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe

Filesize
396KB

MD5
0d0d9be70edd172d9f39f88c5120f2a8

SHA1
6a4b01a94d842f717f0430df6ae0fc2aee427812

SHA256
6846fa28d6a789db18a2bf29811d4b383634e9a848536640f910dec1c709eb75

SHA512
50d6feacd947e33138aefd09e0040e35162b9a9b794c8bc91202d713cc23fe720ca9f51b7313b07f86a4a985e152c752ecc8730dbe6743a0cd4ce821b5d9632b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe

Filesize
314KB

MD5
8cef6a83ddb511ef699e1bdfdb430d20

SHA1
8839d5d82eef037dad8fa83771748829b3a98583

SHA256
9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b

SHA512
e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe

Filesize
314KB

MD5
8cef6a83ddb511ef699e1bdfdb430d20

SHA1
8839d5d82eef037dad8fa83771748829b3a98583

SHA256
9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b

SHA512
e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe

Filesize
314KB

MD5
8cef6a83ddb511ef699e1bdfdb430d20

SHA1
8839d5d82eef037dad8fa83771748829b3a98583

SHA256
9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b

SHA512
e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe

Filesize
222KB

MD5
24aaff529d54683757167da84006c817

SHA1
b14ab5da418d25aa6952f9cda70e9893c5aded16

SHA256
a90671a7bccaeed9e32566cee7ca0c2af235df1d819c919c6669d4d117c4fd5a

SHA512
b1c3832091380bf6fd2e6272388cca3abde93e9ec83daea69bb73132261daa3a769da09d3fcffd09cb10157cf15f42cf0a85fc77cf0d50defd3889a3c8777891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe

Filesize
222KB

MD5
24aaff529d54683757167da84006c817

SHA1
b14ab5da418d25aa6952f9cda70e9893c5aded16

SHA256
a90671a7bccaeed9e32566cee7ca0c2af235df1d819c919c6669d4d117c4fd5a

SHA512
b1c3832091380bf6fd2e6272388cca3abde93e9ec83daea69bb73132261daa3a769da09d3fcffd09cb10157cf15f42cf0a85fc77cf0d50defd3889a3c8777891

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD1E4.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DD3.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1DE8.tmp

Filesize
92KB

MD5
9c3d41e4722dcc865c20255a59633821

SHA1
f3d6bb35f00f830a21d442a69bc5d30075e0c09b

SHA256
8a9827a58c3989200107213c7a8f6bc8074b6bd0db04b7f808bd123d2901972d

SHA512
55f0e7f0b42b21a0f27ef85366ccc5aa2b11efaad3fddb5de56207e8a17ee7077e7d38bde61ab53b96fae87c1843b57c3f79846ece076a5ab128a804951a3e14

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\wherars

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
C:\Users\Admin\AppData\Roaming\wherars

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
81e4fc7bd0ee078ccae9523fa5cb17a3

SHA1
4d25ca2e8357dc2688477b45247d02a3967c98a4

SHA256
c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee

SHA512
4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
81e4fc7bd0ee078ccae9523fa5cb17a3

SHA1
4d25ca2e8357dc2688477b45247d02a3967c98a4

SHA256
c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee

SHA512
4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

Download Submit
\Users\Admin\AppData\Local\Temp\9E71.exe

Filesize
1.1MB

MD5
836a38caaae69ce3f1f5fc23ced607a4

SHA1
15074e86cb042ffcaf2e2bdf4374a2bce8751733

SHA256
d2fffb4fd8a5fcf0e9d5bc967e1502c7f90fc856fe3bd5132032217d45006922

SHA512
821b8df1cb39900f1ee29738352ecd6905f184d50144b80ea315d9374e0a9cd2c044082925a42a31bb33a61ca284284d362e7f476b0064a0bb3d03a2198d8152

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe

Filesize
1.0MB

MD5
193963f09541048cf035b3504a388c92

SHA1
790b0fd99a4794eb958d166b239204b7f847b293

SHA256
89d92ce9f10e849410fcad3cc1c388647fdbdafc1b3fd56fd0695130613e592e

SHA512
3926e91da58fe6ed9b5e5063365e36e1e2b05ea80bc626002fb9d4aeda50f29d11cf2c58b8c44ef14039aba9b36329a726b4c1ec6129f47922956ae9252ced7d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\wj2Sc1wu.exe

Filesize
1.0MB

MD5
193963f09541048cf035b3504a388c92

SHA1
790b0fd99a4794eb958d166b239204b7f847b293

SHA256
89d92ce9f10e849410fcad3cc1c388647fdbdafc1b3fd56fd0695130613e592e

SHA512
3926e91da58fe6ed9b5e5063365e36e1e2b05ea80bc626002fb9d4aeda50f29d11cf2c58b8c44ef14039aba9b36329a726b4c1ec6129f47922956ae9252ced7d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe

Filesize
839KB

MD5
0be9ec8a4dd67da4d9bf82362b3281bb

SHA1
17c9321ce4e65362d79a5075fae2ffc2e12562fb

SHA256
607b2ae23604ebcf43d12729776d7ce72e7ddb558e37f378a5d31bc87813494b

SHA512
3e834fb3d8af74aa637e99a71d0f04c2bba4d4e9deb3076df9153e7a72214d0c53db7a8297eb211c0b49d10e4c076c0526206a27ff7b8290492bd9e0ec70a646

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Vt4Sp5Po.exe

Filesize
839KB

MD5
0be9ec8a4dd67da4d9bf82362b3281bb

SHA1
17c9321ce4e65362d79a5075fae2ffc2e12562fb

SHA256
607b2ae23604ebcf43d12729776d7ce72e7ddb558e37f378a5d31bc87813494b

SHA512
3e834fb3d8af74aa637e99a71d0f04c2bba4d4e9deb3076df9153e7a72214d0c53db7a8297eb211c0b49d10e4c076c0526206a27ff7b8290492bd9e0ec70a646

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe

Filesize
591KB

MD5
369740c6d89d313a48a795e543cb1c8f

SHA1
b6891b018ce0cdd4f0e393f731c572e57dfd4927

SHA256
02b1dae2e41619dfaff3fd2c9c2fcbbb337f26ec519aeda4f5a5daf385d84994

SHA512
1e545a6b89edf21ccf4240431dc9172d71f26af99361c6950dde48016fadd2064b0f65db6a01e807cec017fd03240600869160236c2a8b7d2f5bac4c200d7ee3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tp5Er8ax.exe

Filesize
591KB

MD5
369740c6d89d313a48a795e543cb1c8f

SHA1
b6891b018ce0cdd4f0e393f731c572e57dfd4927

SHA256
02b1dae2e41619dfaff3fd2c9c2fcbbb337f26ec519aeda4f5a5daf385d84994

SHA512
1e545a6b89edf21ccf4240431dc9172d71f26af99361c6950dde48016fadd2064b0f65db6a01e807cec017fd03240600869160236c2a8b7d2f5bac4c200d7ee3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe

Filesize
396KB

MD5
0d0d9be70edd172d9f39f88c5120f2a8

SHA1
6a4b01a94d842f717f0430df6ae0fc2aee427812

SHA256
6846fa28d6a789db18a2bf29811d4b383634e9a848536640f910dec1c709eb75

SHA512
50d6feacd947e33138aefd09e0040e35162b9a9b794c8bc91202d713cc23fe720ca9f51b7313b07f86a4a985e152c752ecc8730dbe6743a0cd4ce821b5d9632b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\Fn3zL6nr.exe

Filesize
396KB

MD5
0d0d9be70edd172d9f39f88c5120f2a8

SHA1
6a4b01a94d842f717f0430df6ae0fc2aee427812

SHA256
6846fa28d6a789db18a2bf29811d4b383634e9a848536640f910dec1c709eb75

SHA512
50d6feacd947e33138aefd09e0040e35162b9a9b794c8bc91202d713cc23fe720ca9f51b7313b07f86a4a985e152c752ecc8730dbe6743a0cd4ce821b5d9632b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe

Filesize
314KB

MD5
8cef6a83ddb511ef699e1bdfdb430d20

SHA1
8839d5d82eef037dad8fa83771748829b3a98583

SHA256
9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b

SHA512
e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe

Filesize
314KB

MD5
8cef6a83ddb511ef699e1bdfdb430d20

SHA1
8839d5d82eef037dad8fa83771748829b3a98583

SHA256
9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b

SHA512
e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1SH39BH0.exe

Filesize
314KB

MD5
8cef6a83ddb511ef699e1bdfdb430d20

SHA1
8839d5d82eef037dad8fa83771748829b3a98583

SHA256
9903c299e98e6a2d5a4b4e6902e26fef536fd639df1a2aeec4ca41499f6df96b

SHA512
e4afa47c46f86dc59d739af1ebfe75898108ff9312b1612e70cdfea51cfd98c72dab62bf0be3a8c8b7f49f6e0626f093fe44c7944cbfcac63908a069afb46ce5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe

Filesize
222KB

MD5
24aaff529d54683757167da84006c817

SHA1
b14ab5da418d25aa6952f9cda70e9893c5aded16

SHA256
a90671a7bccaeed9e32566cee7ca0c2af235df1d819c919c6669d4d117c4fd5a

SHA512
b1c3832091380bf6fd2e6272388cca3abde93e9ec83daea69bb73132261daa3a769da09d3fcffd09cb10157cf15f42cf0a85fc77cf0d50defd3889a3c8777891

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Lt723oN.exe

Filesize
222KB

MD5
24aaff529d54683757167da84006c817

SHA1
b14ab5da418d25aa6952f9cda70e9893c5aded16

SHA256
a90671a7bccaeed9e32566cee7ca0c2af235df1d819c919c6669d4d117c4fd5a

SHA512
b1c3832091380bf6fd2e6272388cca3abde93e9ec83daea69bb73132261daa3a769da09d3fcffd09cb10157cf15f42cf0a85fc77cf0d50defd3889a3c8777891

Download Submit
\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
\Users\Admin\AppData\Local\Temp\oldplayer.exe

Filesize
198KB

MD5
a64a886a695ed5fb9273e73241fec2f7

SHA1
363244ca05027c5beb938562df5b525a2428b405

SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

SHA512
122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

Download Submit
memory/1000-324-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1000-266-0x0000000000AC0000-0x0000000000F18000-memory.dmp

Filesize
4.3MB

Download
memory/1000-268-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1020-319-0x0000000004DD0000-0x00000000056BB000-memory.dmp

Filesize
8.9MB

Download
memory/1020-581-0x00000000049D0000-0x0000000004DC8000-memory.dmp

Filesize
4.0MB

Download
memory/1020-328-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/1020-479-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/1020-589-0x0000000004DD0000-0x00000000056BB000-memory.dmp

Filesize
8.9MB

Download
memory/1020-590-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/1020-685-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/1020-280-0x00000000049D0000-0x0000000004DC8000-memory.dmp

Filesize
4.0MB

Download
memory/1020-733-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/1020-318-0x00000000049D0000-0x0000000004DC8000-memory.dmp

Filesize
4.0MB

Download
memory/1092-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1092-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1092-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1092-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1092-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1092-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1244-12-0x000007FEF6170000-0x000007FEF62B3000-memory.dmp

Filesize
1.3MB

Download
memory/1244-13-0x000007FEAC170000-0x000007FEAC17A000-memory.dmp

Filesize
40KB

Download
memory/1244-5-0x0000000003A30000-0x0000000003A46000-memory.dmp

Filesize
88KB

Download
memory/1680-188-0x00000000009B0000-0x0000000000B9A000-memory.dmp

Filesize
1.9MB

Download
memory/1680-189-0x00000000009B0000-0x0000000000B9A000-memory.dmp

Filesize
1.9MB

Download
memory/1680-197-0x00000000009B0000-0x0000000000B9A000-memory.dmp

Filesize
1.9MB

Download
memory/1748-686-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1748-333-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1748-1312-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1748-202-0x0000000000BF0000-0x0000000000C4A000-memory.dmp

Filesize
360KB

Download
memory/1748-1324-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1748-352-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/1748-206-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1808-216-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1808-350-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1808-1113-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1808-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-190-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-373-0x00000000074B0000-0x00000000074F0000-memory.dmp

Filesize
256KB

Download
memory/1808-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1808-195-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1908-334-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1908-336-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/1908-229-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/1908-245-0x0000000001FE0000-0x0000000001FFE000-memory.dmp

Filesize
120KB

Download
memory/1908-208-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/1908-267-0x0000000001FE0000-0x0000000001FF8000-memory.dmp

Filesize
96KB

Download
memory/1908-383-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/1908-225-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/1908-265-0x0000000001FE0000-0x0000000001FF8000-memory.dmp

Filesize
96KB

Download
memory/1908-228-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1908-507-0x0000000004920000-0x0000000004960000-memory.dmp

Filesize
256KB

Download
memory/1988-1400-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1988-1403-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2208-353-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2220-207-0x00000000003E0000-0x000000000041E000-memory.dmp

Filesize
248KB

Download
memory/2392-335-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-684-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-201-0x0000000000F30000-0x0000000000F4E000-memory.dmp

Filesize
120KB

Download
memory/2392-227-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/2392-224-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-365-0x00000000005A0000-0x00000000005E0000-memory.dmp

Filesize
256KB

Download
memory/2896-168-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2896-332-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-205-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-689-0x0000000071DD0000-0x00000000724BE000-memory.dmp

Filesize
6.9MB

Download
memory/2896-167-0x00000000003A0000-0x00000000003FA000-memory.dmp

Filesize
360KB

Download
memory/2896-226-0x0000000006EE0000-0x0000000006F20000-memory.dmp

Filesize
256KB

Download
memory/2896-351-0x0000000006EE0000-0x0000000006F20000-memory.dmp

Filesize
256KB

Download
memory/3452-734-0x0000000004B40000-0x0000000004F38000-memory.dmp

Filesize
4.0MB

Download
memory/3452-1114-0x0000000004B40000-0x0000000004F38000-memory.dmp

Filesize
4.0MB

Download
memory/3452-1145-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3452-732-0x0000000004B40000-0x0000000004F38000-memory.dmp

Filesize
4.0MB

Download
memory/3452-1088-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3452-735-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1371-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1396-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1370-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1273-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1144-0x00000000048C0000-0x0000000004CB8000-memory.dmp

Filesize
4.0MB

Download
memory/3924-1250-0x00000000048C0000-0x0000000004CB8000-memory.dmp

Filesize
4.0MB

Download
memory/3924-1159-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1366-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1404-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1158-0x00000000048C0000-0x0000000004CB8000-memory.dmp

Filesize
4.0MB

Download
memory/3924-1311-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/3924-1402-0x0000000000400000-0x0000000002FB8000-memory.dmp

Filesize
43.7MB

Download
memory/4084-1401-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/4084-1399-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download