amadey | a3a6a9b6dd7ad5c8ed1edb4e8fb962634844c3e5df80ace2d02768927ba74c46

Analysis

max time kernel
151s
max time network
174s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0006000000022e0b-51.exe
Size

31KB
MD5

95748b64901ef1e533fc0fd339b93f2b
SHA1

4bbab24180e811cea57203a01cc7aaf9c3e9b817
SHA256

a3a6a9b6dd7ad5c8ed1edb4e8fb962634844c3e5df80ace2d02768927ba74c46
SHA512

7e54d5d6615a6454719b9bbeb55af04c7e0a5f8bfcf3a6b2b77acb6c64da912b92983804ce31e365a7e4a5b978e8a7c0e8f9119577de92df0d267a13a19e7039
SSDEEP

384:K9VD6tee+qUOTd2opQTLAdz1SvNmhpdvOjT7PbA6HBiTSnjxZMdP05ldpRMaYIBI:k6Qe+qUv8zcqdvOXA6XkPslJvGaVW

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

redline

Botnet

plost

77.91.124.86:19084

Extracted

Family

redline

Botnet

kedru

77.91.124.86:19084

Extracted

Family

redline

Botnet

pixelnew2.0

194.49.94.11:80

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 4 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		628	schtasks.exe
		2312	schtasks.exe
		2600	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI		0x0006000000022e0b-51.exe

Detected google phishing page
phishing google
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral1/memory/2212-435-0x0000000002A70000-0x000000000335B000-memory.dmp	family_glupteba
behavioral1/memory/2212-446-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2212-1013-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2212-1177-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2212-1186-0x0000000002A70000-0x000000000335B000-memory.dmp	family_glupteba
behavioral1/memory/2212-1196-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1512-1210-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1512-1375-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/1512-1670-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2768-1697-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2768-1703-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2768-1734-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2768-1740-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/2768-1743-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 13 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015c13-91.dat	family_redline
behavioral1/files/0x000a000000015c13-86.dat	family_redline
behavioral1/memory/2844-155-0x0000000000AE0000-0x0000000000B1C000-memory.dmp	family_redline
behavioral1/files/0x00060000000167f4-278.dat	family_redline
behavioral1/memory/3024-289-0x0000000000350000-0x000000000038C000-memory.dmp	family_redline
behavioral1/files/0x00060000000167f4-287.dat	family_redline
behavioral1/files/0x00060000000167f4-286.dat	family_redline
behavioral1/files/0x00060000000167f4-285.dat	family_redline
behavioral1/memory/1716-410-0x0000000000300000-0x000000000035A000-memory.dmp	family_redline
behavioral1/files/0x0007000000018b10-426.dat	family_redline
behavioral1/memory/2244-439-0x00000000001A0000-0x00000000001BE000-memory.dmp	family_redline
behavioral1/files/0x0007000000018b10-438.dat	family_redline
behavioral1/memory/1716-1076-0x0000000000400000-0x0000000000480000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018b10-426.dat	family_sectoprat
behavioral1/memory/2244-439-0x00000000001A0000-0x00000000001BE000-memory.dmp	family_sectoprat
behavioral1/files/0x0007000000018b10-438.dat	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 2880 created 1296	2880	latestX.exe	9
PID 2880 created 1296	2880	latestX.exe	9
PID 2880 created 1296	2880	latestX.exe	9
PID 2880 created 1296	2880	latestX.exe	9
PID 2880 created 1296	2880	latestX.exe	9
PID 2868 created 1296	2868	updater.exe	9

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
195	1372	rundll32.exe
208	1584	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2544	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
1296	Explorer.EXE

Executes dropped EXE 27 IoCs

pid	Process
2800	F91E.exe
1936	FD54.exe
1104	to4xD9ej.exe
2844	FEDB.exe
1572	jz7Ey3Qk.exe
3056	Fu3JA8ZY.exe
1740	uC0Ux4Gf.exe
1760	1ya80mj3.exe
2720	22B1.exe
3024	2it919bS.exe
1492	InstallSetup5.exe
1064	toolspub2.exe
2212	31839b57a4f11171d6abc8bbc4451ee4.exe
900	kos4.exe
1716	3365.exe
2244	49A4.exe
1996	toolspub2.exe
2284	Broom.exe
2880	latestX.exe
1704	5B60.exe
2224	Utsysc.exe
1512	31839b57a4f11171d6abc8bbc4451ee4.exe
2768	csrss.exe
2868	updater.exe
1620	patch.exe
1488	injector.exe
1784	Utsysc.exe

Loads dropped DLL 51 IoCs

pid	Process
2800	F91E.exe
2800	F91E.exe
1104	to4xD9ej.exe
1104	to4xD9ej.exe
1572	jz7Ey3Qk.exe
1572	jz7Ey3Qk.exe
3056	Fu3JA8ZY.exe
3056	Fu3JA8ZY.exe
1740	uC0Ux4Gf.exe
1740	uC0Ux4Gf.exe
1740	uC0Ux4Gf.exe
1760	1ya80mj3.exe
1740	uC0Ux4Gf.exe
3024	2it919bS.exe
2720	22B1.exe
2720	22B1.exe
2720	22B1.exe
2720	22B1.exe
2720	22B1.exe
2720	22B1.exe
1064	toolspub2.exe
1716	3365.exe
1716	3365.exe
1492	InstallSetup5.exe
2720	22B1.exe
536	WerFault.exe
536	WerFault.exe
1704	5B60.exe
536	WerFault.exe
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
1372	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
2144	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1584	rundll32.exe
1512	31839b57a4f11171d6abc8bbc4451ee4.exe
1512	31839b57a4f11171d6abc8bbc4451ee4.exe
1420	taskeng.exe
856	Process not Found
2768	csrss.exe
1620	patch.exe
1620	patch.exe
1620	patch.exe
1620	patch.exe
1620	patch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	to4xD9ej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	jz7Ey3Qk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Fu3JA8ZY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	uC0Ux4Gf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	F91E.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 1240	1760	1ya80mj3.exe	46
PID 1064 set thread context of 1996	1064	toolspub2.exe	57

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	latestX.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Logs\CBS\CbsPersist_20231103135323.cab	makecab.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2916	sc.exe
2104	sc.exe
1888	sc.exe
1620	sc.exe
2656	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3016	1240	WerFault.exe	46
536	1716	WerFault.exe	55

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000022e0b-51.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000022e0b-51.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0x0006000000022e0b-51.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
628	schtasks.exe
2312	schtasks.exe
2600	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "405181420"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e056a1215d0eda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39B8C9C1-7A50-11EE-AB73-565D0F0BCB21} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009159649b912a9140bf53d83809c5b2ac00000000020000000000106600000001000020000000a1c725793b0e3425fe01c87c64f8045f132983e78bfd75c4368c4ffd89b3aeb6000000000e8000000002000020000000058dfc4f23a23cf97b2cf2a901c0de773d3484528cacde29e343537ad2ec79ae90000000a3963979200cfa37247d75c37d8b2c641878f8876975ed43449b9946c40df35f5839a801889a0e99b6c970aabe54be6354aa7e1e998378b914d85ac7faa3871030651a86de0e626318f385d8ce4f90fb64d44fc2769bb2996cdeb1675eb553c289fb4b8046f398d89ee85f80f75ac62a8a919f76890098bfc86bd184bdf44ff91a9a399656d0ef6e5280b871ddc991ae40000000ac293426cfd4d9b01f96ca8bb0db0a6ca81e073039fabb6aa271bd3a2432d6dae8fdd23c43ba5f977cfb70eb2f3a7c36879843882e42fdfa84239ba0562b2c91	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39E86541-7A50-11EE-AB73-565D0F0BCB21} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009159649b912a9140bf53d83809c5b2ac00000000020000000000106600000001000020000000ff86878a3e4a31acfb5207a59e9b126f9198e1d4b1b20da5bc8dfc7d64234dd2000000000e80000000020000200000000cf34372055fa49b7984906afa0c7ceadc8e272e69e2efef1da889227527e1ea200000000ae270498af50be88cf707191b274b9559c2a55e863f95972cc07e903a20ea404000000033219ed6692d3e329b0800a4adde7dfdab5b0ef9de361f9e3b93ef12df7aca43990b6077acef0bccbd81af3e51fa0674e1aa9438d6047a63f7191c2099cefe97	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0d1d3405d0eda01	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
852	0x0006000000022e0b-51.exe
852	0x0006000000022e0b-51.exe
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1296	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
852	0x0006000000022e0b-51.exe
1996	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeDebugPrivilege	2244	49A4.exe
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeShutdownPrivilege	1296	Explorer.EXE
Token: SeDebugPrivilege	900	kos4.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2212	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2212	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeShutdownPrivilege	1676	powercfg.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeShutdownPrivilege	320	powercfg.exe
Token: SeShutdownPrivilege	2164	powercfg.exe
Token: SeSystemEnvironmentPrivilege	2768	csrss.exe
Token: SeDebugPrivilege	2028	powershell.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1296	Explorer.EXE
1296	Explorer.EXE
2592	iexplore.exe
2940	iexplore.exe
1704	5B60.exe
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1296	Explorer.EXE
1296	Explorer.EXE
1296	Explorer.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2592	iexplore.exe
2592	iexplore.exe
688	IEXPLORE.EXE
688	IEXPLORE.EXE
2940	iexplore.exe
2940	iexplore.exe
1164	IEXPLORE.EXE
1164	IEXPLORE.EXE
2284	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 2800	1296	Explorer.EXE	30
PID 1296 wrote to memory of 2800	1296	Explorer.EXE	30
PID 1296 wrote to memory of 2800	1296	Explorer.EXE	30
PID 1296 wrote to memory of 2800	1296	Explorer.EXE	30
PID 1296 wrote to memory of 2800	1296	Explorer.EXE	30
PID 1296 wrote to memory of 2800	1296	Explorer.EXE	30
PID 1296 wrote to memory of 2800	1296	Explorer.EXE	30
PID 1296 wrote to memory of 2604	1296	Explorer.EXE	31
PID 1296 wrote to memory of 2604	1296	Explorer.EXE	31
PID 1296 wrote to memory of 2604	1296	Explorer.EXE	31
PID 2604 wrote to memory of 2592	2604	cmd.exe	33
PID 2604 wrote to memory of 2592	2604	cmd.exe	33
PID 2604 wrote to memory of 2592	2604	cmd.exe	33
PID 1296 wrote to memory of 1936	1296	Explorer.EXE	34
PID 1296 wrote to memory of 1936	1296	Explorer.EXE	34
PID 1296 wrote to memory of 1936	1296	Explorer.EXE	34
PID 1296 wrote to memory of 1936	1296	Explorer.EXE	34
PID 2604 wrote to memory of 2940	2604	cmd.exe	36
PID 2604 wrote to memory of 2940	2604	cmd.exe	36
PID 2604 wrote to memory of 2940	2604	cmd.exe	36
PID 2800 wrote to memory of 1104	2800	F91E.exe	38
PID 2800 wrote to memory of 1104	2800	F91E.exe	38
PID 2800 wrote to memory of 1104	2800	F91E.exe	38
PID 2800 wrote to memory of 1104	2800	F91E.exe	38
PID 2800 wrote to memory of 1104	2800	F91E.exe	38
PID 2800 wrote to memory of 1104	2800	F91E.exe	38
PID 2800 wrote to memory of 1104	2800	F91E.exe	38
PID 1296 wrote to memory of 2844	1296	Explorer.EXE	37
PID 1296 wrote to memory of 2844	1296	Explorer.EXE	37
PID 1296 wrote to memory of 2844	1296	Explorer.EXE	37
PID 1296 wrote to memory of 2844	1296	Explorer.EXE	37
PID 2592 wrote to memory of 688	2592	iexplore.exe	39
PID 2592 wrote to memory of 688	2592	iexplore.exe	39
PID 2592 wrote to memory of 688	2592	iexplore.exe	39
PID 2592 wrote to memory of 688	2592	iexplore.exe	39
PID 1104 wrote to memory of 1572	1104	to4xD9ej.exe	40
PID 1104 wrote to memory of 1572	1104	to4xD9ej.exe	40
PID 1104 wrote to memory of 1572	1104	to4xD9ej.exe	40
PID 1104 wrote to memory of 1572	1104	to4xD9ej.exe	40
PID 1104 wrote to memory of 1572	1104	to4xD9ej.exe	40
PID 1104 wrote to memory of 1572	1104	to4xD9ej.exe	40
PID 1104 wrote to memory of 1572	1104	to4xD9ej.exe	40
PID 1572 wrote to memory of 3056	1572	jz7Ey3Qk.exe	41
PID 1572 wrote to memory of 3056	1572	jz7Ey3Qk.exe	41
PID 1572 wrote to memory of 3056	1572	jz7Ey3Qk.exe	41
PID 1572 wrote to memory of 3056	1572	jz7Ey3Qk.exe	41
PID 1572 wrote to memory of 3056	1572	jz7Ey3Qk.exe	41
PID 1572 wrote to memory of 3056	1572	jz7Ey3Qk.exe	41
PID 1572 wrote to memory of 3056	1572	jz7Ey3Qk.exe	41
PID 3056 wrote to memory of 1740	3056	Fu3JA8ZY.exe	42
PID 3056 wrote to memory of 1740	3056	Fu3JA8ZY.exe	42
PID 3056 wrote to memory of 1740	3056	Fu3JA8ZY.exe	42
PID 3056 wrote to memory of 1740	3056	Fu3JA8ZY.exe	42
PID 3056 wrote to memory of 1740	3056	Fu3JA8ZY.exe	42
PID 3056 wrote to memory of 1740	3056	Fu3JA8ZY.exe	42
PID 3056 wrote to memory of 1740	3056	Fu3JA8ZY.exe	42
PID 2940 wrote to memory of 1164	2940	iexplore.exe	43
PID 2940 wrote to memory of 1164	2940	iexplore.exe	43
PID 2940 wrote to memory of 1164	2940	iexplore.exe	43
PID 2940 wrote to memory of 1164	2940	iexplore.exe	43
PID 1740 wrote to memory of 1760	1740	uC0Ux4Gf.exe	44
PID 1740 wrote to memory of 1760	1740	uC0Ux4Gf.exe	44
PID 1740 wrote to memory of 1760	1740	uC0Ux4Gf.exe	44
PID 1740 wrote to memory of 1760	1740	uC0Ux4Gf.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-51.exe
  "C:\Users\Admin\AppData\Local\Temp\0x0006000000022e0b-51.exe"
  2⤵
  - DcRat
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:852
- C:\Users\Admin\AppData\Local\Temp\F91E.exe
  C:\Users\Admin\AppData\Local\Temp\F91E.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jz7Ey3Qk.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jz7Ey3Qk.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fu3JA8ZY.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fu3JA8ZY.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uC0Ux4Gf.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uC0Ux4Gf.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ya80mj3.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ya80mj3.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 268
        9⤵
        Program crash
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2it919bS.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2it919bS.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3024
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\FBCD.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:688
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2940 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1164
- C:\Users\Admin\AppData\Local\Temp\FD54.exe
  C:\Users\Admin\AppData\Local\Temp\FD54.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\FEDB.exe
  C:\Users\Admin\AppData\Local\Temp\FEDB.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Users\Admin\AppData\Local\Temp\22B1.exe
  C:\Users\Admin\AppData\Local\Temp\22B1.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2284
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:1996
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:1512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1972
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2544
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2600
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2424
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1620
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        
        PID:1488
- - C:\Users\Admin\AppData\Local\Temp\kos4.exe
    "C:\Users\Admin\AppData\Local\Temp\kos4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2880
- C:\Users\Admin\AppData\Local\Temp\3365.exe
  C:\Users\Admin\AppData\Local\Temp\3365.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 544
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:536
- C:\Users\Admin\AppData\Local\Temp\49A4.exe
  C:\Users\Admin\AppData\Local\Temp\49A4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\5B60.exe
  C:\Users\Admin\AppData\Local\Temp\5B60.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
    "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe"
    3⤵
    - Executes dropped EXE
    PID:2224
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8b5234212" /P "Admin:N"&&CACLS "..\e8b5234212" /P "Admin:R" /E&&Exit
      4⤵
      PID:1644
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "Utsysc.exe" /P "Admin:N"
        5⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "Utsysc.exe" /P "Admin:R" /E
        5⤵
        
        PID:1372
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1512
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\e8b5234212" /P "Admin:N"
        5⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\e8b5234212" /P "Admin:R" /E
        5⤵
        
        PID:2892
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
      4⤵
      Loads dropped DLL
      PID:2144
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1584
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:2204
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2980
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1620
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2656
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2916
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2104
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:2312
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1324
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231103135323.log C:\Windows\Logs\CBS\CbsPersist_20231103135323.cab
1⤵
- Drops file in Windows directory
PID:2184

C:\Windows\system32\taskeng.exe
taskeng.exe {459F6D03-1378-4204-A2C2-A97992CBC203} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1420
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:2868

C:\Windows\system32\taskeng.exe
taskeng.exe {5236FE3D-C4AA-4603-8E72-CD3443A2948F} S-1-5-21-2952504676-3105837840-1406404655-1000:URUOZWGF\Admin:Interactive:[1]
1⤵
PID:2636
- C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70DAE932E3BCB3C00656A27B544BA9CA

Filesize
11KB

MD5
3387a792c5e5b60811a9f761b782f3d7

SHA1
8fe5ca5edb59c3887a43c5284ccb8a275c2dd892

SHA256
3ecf5f5b90d1ca4bd3041a98e5fe20036f87063c1a43d47d84762058569af5df

SHA512
b7fee39122c2d9ea79af49fa9474234caf5f777bf271337e67642e0aa30ff56040aecaed98b44bc1342037eb827f487c92a9ddb0f975f63f850a75d4ba8ae379

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70DAE932E3BCB3C00656A27B544BA9CA

Filesize
204B

MD5
4bdfc58274ca4b0fee9c4c0ea8719ce1

SHA1
b2171606568a92a70e774013b17d486e5cb5bd1c

SHA256
24af8de3932a67eb5f5ced3da8604377f070a61dc96077c21dc390b48cc0068a

SHA512
49660481063446acfd3f0f624a388180bb7cc427889569939971eae004d34f04d621909e06657e934866d343db3e65ce4c639d62fd5d9be7830ea4359a749837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56c707b7f777fc32c1d339479dd78097

SHA1
a5e7811732099c56d200fabcc0d0771b36190efc

SHA256
2b3be137df700480ca58f7d7b095f56a54b78d6f7814a2b60580783196ccca66

SHA512
a747400cd309fb86d0c9b5c59962728b570df0590f02f56c9ba495ee870e3bda2c6ed962cc37349e626930f9f39ac0b67e8f90400dc292af851775382b57f616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a68d1922ab3cd01dd3c8b081c2f9ef10

SHA1
ce42409fae60e55226738b9e757bd6e2bf88eaef

SHA256
8cc0fb9bb5f1dcb40bfbe6d07170c7ad483d8d97ae3e3205f93f8af46202114a

SHA512
2b1c1edcc644e425ef667f0dd8c80d10f6bfa8a6568f417b63739a8a27042641160431841b8962fcd558d02e39ab3d57cdbc606847af549932f12bae78939c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
788a3b2644bdb53448795082c30cb7d4

SHA1
f503bd61fd3174d73d9e4df347c9de68f1e41820

SHA256
4e3ffc41305f6043ffd621377828daca2aa0ad9058d3ef70efbdeebcd80f7bd8

SHA512
46655f968ed14ea691d3a258e993759af26b6ed9c470dd5db81f03b994a0e113f01afbaae7e2c325ae3c1544446bb471a1ba233905ab59a8721924fb0996c643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6465fff1da761eb127b6c14f6f231b20

SHA1
ff7dec3390e64389381ff842d6599f98e4586b0f

SHA256
f0a3113dee23daaab65368f7924f5efb79dd1855bf377b15f3dd2e12ef89849c

SHA512
36f9d131de63516949bc3becb7a8acc655fbd5f66102ef00098a13d86a8a8574d406fa3337e441bcf7d56ce6d540d4cc1d4ca6dff2e9e8d9528712a760562bee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5653264231e25172ccf984d4096268e9

SHA1
e0f9f653962c1a4bcfbe72c70791bee2966441dc

SHA256
7a5601e4c9356f47ddf6e0ebc4e09e8ab131fdcd81adc68ef13914918a3e7b01

SHA512
6cd9194539326c5f88704a0d64b63784e0a80a7f8ca732d11c43a72ebb60401fcc6ada6ba7f545dcef897d26653acd15d111a8a1f81040829f7985d8edd80097

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
463928f37092f9c403e929cb2270c651

SHA1
1e887f4a467bdb29ed8e38e9911af6b4aded96b4

SHA256
ca400327a513373f0e34a284a7f645ed26e80eade679923933882efb89f22a1c

SHA512
0c0b2643048d64782d5f86ccd382f3b70fad1cefd08bb76e484e717e0647c42907bbb6907854ef1cb3f583f99ad5109e28588a2af31a5cdf8536b7ff48b77ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
648a97c07581176d1aff1e7152f45bc1

SHA1
ca663514ce34720197c4271c112989e35a70a2cd

SHA256
dcd55383f37dae27072bbc415b7cd2c0340e0594d5817d4452ea55c0189f8faa

SHA512
fa5ddbed11591354687c38d68015674cf841f0d856c816c0e11c0f76672d4f496554c336aa71aa5139872cc997f95c12d92ebb1755d1ba2462fe09cc295cf595

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e980f1aa1670f1ed766830ee9d7a12a9

SHA1
f0b702a65ee942c7d80e6bc87ee2dc992f943290

SHA256
f147a47b22a2f65d534267da3d9e9f83fec30e77525119e4b99329148cf2ab23

SHA512
9acaa8ecd250552ca83329ff9e9e49d3ed2c16380dce775efb894bf29fee83be6918964bd22fbee6cbbd97a6bded821976b7ece35b2c11e6f9c2e20c6d66fa9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a2c6319550191dd7fe58446ff5280c5

SHA1
c401599034b627a73736f437975aa31d9658a407

SHA256
e8ed4aab17f9a5dd787ba66d70a870c3e7be4357fbb9ce89bba231a11751575f

SHA512
15e57f836e72b769ce9322b2fd9d1c3482ac94becf19455ee267a4bb503f852aa34a57e2c5b450bcb4a54c79ee37a36ef4301dea8871601089e59cbf4615929e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d03e98a054c19f007ce7aa133b1c8ef2

SHA1
f270eb9b8cf456b3a327466c1ed4ce9ffd1a7f90

SHA256
b0334566b5b99ce65ebf64c59a752e37ee0e11bf8fbc255988540aadceca8c28

SHA512
973c58d3075253897dd8b22ce061bc63d2a5347b62c46ecc36d02a0e824501d3a66b1e340a4b81f7a2b2363014e938b6db8823b8a857b2436be05ff2c2aff553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5c26c41d8163d1127d2fb9944448c8b

SHA1
18d53fcfb3cd19dab9a7d58db7184ffa234ad32b

SHA256
07ca6bb8b33534c0f2c2cc26ebde0b4732a119dabc2817504a2dc113dcf11d43

SHA512
0241dfbe26efdf0ce622584e53978b5452f573ae5c69af3c80e24ed630f95725c9af674dc9f42dc7246626438afefcbbf659b1c545b74692099436fd257ae17e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcd174655ca8d7ae2a5d8c4e53e61453

SHA1
58631a50d39fa3e9287ede4cd8805a7680b26b38

SHA256
729a04416bd0ff788a77c691d1d1761507a73a9bcc9202de603631291da71597

SHA512
d32dd62f06b2cd78a0ebc97a14a7b317acfe1b70dfe35d0cde33b686baed69bf0f4ac00a7542185b627836947a823c8adade3969ba5bfbbe2f7000aa2f7888c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9cb0972d5a9307847ba6a71b3f40a339

SHA1
88896649b5a4d56d7bada4799e0c032e66716d81

SHA256
e358b1b6014e6c49ae8d979cf887bd1d8362add4a425148cd6bfad4c18406297

SHA512
8f50e1e41ef59424e84ff0d3c58bb04eef9c737ce476c7ab4d51af2f0a75da6fe341c17092b665ca3a639e858b87d1f6957f17bc31be1701e3b62668e0595beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
46828e486f37e3136858f9032e256c47

SHA1
c96637820ac9083f4f24fc21987dd28e5de5326e

SHA256
c7ebe0f6d5358c02f53825b39b06ff68f8eb5900a908404a717f786239b24596

SHA512
cdd31147351f5d1053a6fd1700265ec4754d385c2d5cc00d9e59315d796b9d0f60f2de3d4a9827b4950bb95d445dd3a2071f99e00f5ceb7e889f798a37aefa24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
19238deda7ae5a80154db8f5622fd0eb

SHA1
97cffa10ba26a7d48e8922ecca13f5cc46f74536

SHA256
1454634d6aa4a11fc488af455ff857fa99a912dff8cdd200f601359dbe082f53

SHA512
9037b40244e4eb1ecefdf1eeba0d8638f5da6ef80944a1d8099ab7f567e6d0c990d870be1f514bb87eb8e8b80b6da8eab13821e85ced3d9b0e2a28cf69ab0fb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b25427564a21b4772a48c5a41dc599be

SHA1
cf05bc73ddf69588edbad23da8240f10285cbd03

SHA256
0ba82e53f8f2485c417990a2bb06fbb00a0f0473f606e58463bafcc5f14a7a91

SHA512
02e75ec68e39ccb71e1ec50f61420740c0431f4342b288ecff4b92011a7758d46bb7e94939e3cac30446783738af3cb3130a57b846e3d021663b13791b3e6d74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a2c067c5676591b41177a0748b9b9dc

SHA1
1f52e365da0f001d4cb6bbc2545e9c06721fbef1

SHA256
c1e00790701907e1de5296fa4bdb54bb0be98335fe552a3932ac46deacb00c6c

SHA512
835a6774ceb415d532c0b021ac9f14ce6db86ebe776023a4b6cf0ecabc13a0523544015e681bd466b241d4b50e10911fca571ff3730bd865f12f00150d12b827

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ddf94a3591aab12b982a873c2bda4475

SHA1
b727de4fbdd6c32199a473ef44501cb7752b04af

SHA256
d15739327eb8dfc86fa473914c51002d98d6207cdc68528a14283048020a31b5

SHA512
3f9d1310c3cf2f975bf90c8c2689616874c58746071dfa4c296daa88a0fe9cc0e50e360a94630202a6f48d2f362a6ccf55728f2ec16cdf8dbbe854ce8fd20187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08533c8c010721ecaf97184f0c53a314

SHA1
5f81b35b123ba331eb361ef1e66def679092d492

SHA256
af86c75f1336251d81d484d6c43acc428472eed0e80a56def2d8dd5a45f962ac

SHA512
3c6556cf926b4db8372b765ad2235329e12492949fd6854f749b4f266d1c2dc56105aa3afbdc4157762392e2164d4566df925adc6390774331945cde81568216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
806c5dddf9704d09bf13a0850c4116e7

SHA1
467fa94c0074f415595405d7cb890db2832f7455

SHA256
d528dd21b756a896cad8161f495262820ad1f1c0756e4eafe134573e15b025d6

SHA512
fab40e7225ca7784419c0f60d173231ae875cc9a6529776fde784a35f458ea71452738e3c5ae7bcf62ff355b7d71ce3402af0199a6e48c9d969b8c3e36d6c065

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f633b082de54b8d124d6f7faa50d3d26

SHA1
00802f0839cc7cb854aa9ed25ca3cdb7acb0ed75

SHA256
1dbb29774b2ce414027b5f6fcf929e345bcc25db025be91bbaa03ab5b6ba5603

SHA512
051b90e1b2c79019aa7251b349f6868a55391a609f9505439a6aeba329a3e5094eb7c812567b972afdea4c42514f45a680f504864a583dee28c70458cc68b57e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3e35e27b5e3479bfc132319136d1899

SHA1
a5f3a5a4ead4f1ecb623fddfeb0d0e6e19298420

SHA256
6a98954614ad72cd50095f958641efcacebd7a321e0c4ad36fab7bb7a7c1855f

SHA512
232b256b9ffd626d9cb0b59f0419a20deebcfdc228c7cb3a92bac330ad773352a3c3921f2f3eaae4424e1c9fef17e543d2472b671663b88342a3dcccd9e02236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d1542e747d5eb02bae00c2897e85623

SHA1
be425a2c23907d7e1a618c5e30062572f0bab351

SHA256
d60370a63aad14382d78e5fc060d3fc2a66343c9b2f837ce30a5f49359ec217b

SHA512
eb99d658039ef48827e88d3fa121e992a218037953c76b3169bef9ef30f523c65402c9f1a34657a0fb1b0ad311aca63896c2d860cf56ffb6050716b40ec00df0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6e850ff30f5b4e74709f7379afc15db

SHA1
042d0cc377d7917261c773691c21eab963f64bc8

SHA256
ddaf1abe1090bccf24b670cbec28f423cb638064320f30fa6f05565b814da8f3

SHA512
210c36a546c280732e34d4afcfc81985546cd72dd1d180bcb049766a49bc4a589d0ba02041faf5d2e2c85fc002b7a82cd4be1da2d5b3c5a03468a67b08a151fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{39B8C9C1-7A50-11EE-AB73-565D0F0BCB21}.dat

Filesize
5KB

MD5
3f910aec9b0ae05f411563b2805bd24a

SHA1
c49d8322055232cf03b656baacb5286143f322bc

SHA256
c34991181cbf8875f76499c14ca98327e903f7c5b5fae22bf9a0e9bf6f941068

SHA512
5dd96702aed2576bd9d4d78003ec6aa2ba5fdc51e78eeab2375597e5146aab2d59130b01a46592a382e2c428fdd99c91f240834f100e9e332c28b41027e35008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\h6i8x7q\imagestore.dat

Filesize
38KB

MD5
4afa66cad88b3b846025e6ae4fce1e91

SHA1
c4e7614b97cc1eb0bf83620e1c303692101705bc

SHA256
f359ea2642b56ea64a676176c30a9ed15da48df6bb8e864e15521863dc5bbe7d

SHA512
9287a0937ba8b30694a1cca2d27abb00d95e5410755f13681b46bbf92296e78b4e6eca52eb60a096b98505dd71061e115a2fc7cdd46e6a685413b8e83b89c534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\95D7W144\favicon[1].ico

Filesize
37KB

MD5
231913fdebabcbe65f4b0052372bde56

SHA1
553909d080e4f210b64dc73292f3a111d5a0781f

SHA256
9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad

SHA512
7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSQV6XDQ\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Temp\22B1.exe

Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\22B1.exe

Filesize
12.5MB

MD5
0bddfbdc76418c7fc877a5a11013dfee

SHA1
b9752934bfbd8101dcd94e3546d158bf538d1d02

SHA256
54349953542084ceceb6de40c4edc6124bf69ccad39051a62d8e2be651acb9dc

SHA512
f488363e0a8c075e257bb93e8a2e8a49cd90f31ed808098058d81a78ca937358c822bc68a4a6159cdebeae78ff67d8dbb556ff6927565259cdfd8620cedbdb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3365.exe

Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3365.exe

Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\3365.exe

Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\49A4.exe

Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\49A4.exe

Filesize
95KB

MD5
0592c6d7674c77b053080c5b6e79fdcb

SHA1
693339ede19093e2b4593fda93be0b140be69141

SHA256
fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14

SHA512
37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B60.exe

Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\952504676310

Filesize
55KB

MD5
d0bf5c0b82e4870ce3f151dab1ce3e8e

SHA1
ec4687bc8a4688d20a4c22d2b21343394471537b

SHA256
03c56fffe441bc7418a658f8d8f3a4348dfbe507ce04f50c86f23cc47a40ade5

SHA512
4a5e173168ba7a28f27a4234fb028abe70ce98a7907da8ce3e354874cb76e85707cc64a6fcfb43e7ddf3fe75200301cbfb2d5f72f8333d306de2093b985bf995

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab10D4.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F91E.exe

Filesize
1.7MB

MD5
1201f0620c57315bf1924240fe725586

SHA1
54b9cd889295a2a52407d7e53d5568cc4bf6623b

SHA256
9bbca0daa4a41a6ded6a8e8cc10236ae3aff60a25a05581b6b77bd5709e82df3

SHA512
92c1371a2fe0c14892bd9edd7d74dab6d0b551dff8dda5cccb226002d70d968331c9f70d82a9992651a584987ed3b11c9f46ba67c1ca2ff37a21da0cfb73f16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\F91E.exe

Filesize
1.7MB

MD5
1201f0620c57315bf1924240fe725586

SHA1
54b9cd889295a2a52407d7e53d5568cc4bf6623b

SHA256
9bbca0daa4a41a6ded6a8e8cc10236ae3aff60a25a05581b6b77bd5709e82df3

SHA512
92c1371a2fe0c14892bd9edd7d74dab6d0b551dff8dda5cccb226002d70d968331c9f70d82a9992651a584987ed3b11c9f46ba67c1ca2ff37a21da0cfb73f16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBCD.bat

Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBCD.bat

Filesize
342B

MD5
e79bae3b03e1bff746f952a0366e73ba

SHA1
5f547786c869ce7abc049869182283fa09f38b1d

SHA256
900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63

SHA512
c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD54.exe

Filesize
180KB

MD5
286aba392f51f92a8ed50499f25a03df

SHA1
ee11fb0150309ec2923ce3ab2faa4e118c960d46

SHA256
ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22

SHA512
84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEDB.exe

Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEDB.exe

Filesize
219KB

MD5
1aba285cb98a366dc4be21585eecd62a

SHA1
c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b

SHA256
ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8

SHA512
9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe

Filesize
1.6MB

MD5
e57a67cd8d906d51dff7f3b7a9693abc

SHA1
c43d692cef06c2c9a88531f21a64cbdd21392ea1

SHA256
f6dbfb9fbb625c5b4a17bd86cd6784f39dfc6e51d1d0b0f3c534d4af68400940

SHA512
bc1bb7852576f3e317e32fec6f9dc10b21c601b5c3702d1a3350f996a9be594dab33a0319910a48e60d7c3add1fa8e6fa30b4f0682ad1289fe05b483d0a489cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe

Filesize
1.6MB

MD5
e57a67cd8d906d51dff7f3b7a9693abc

SHA1
c43d692cef06c2c9a88531f21a64cbdd21392ea1

SHA256
f6dbfb9fbb625c5b4a17bd86cd6784f39dfc6e51d1d0b0f3c534d4af68400940

SHA512
bc1bb7852576f3e317e32fec6f9dc10b21c601b5c3702d1a3350f996a9be594dab33a0319910a48e60d7c3add1fa8e6fa30b4f0682ad1289fe05b483d0a489cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jz7Ey3Qk.exe

Filesize
1.4MB

MD5
cd8d3b7686c8c595e2d5ff715e954343

SHA1
6cabe2baf49de53515c056e1ae27076eef6c8fb9

SHA256
06fefa939c9cc60110db11fd7732b1a13129c4b6bbce27f467fb63c086dfb94c

SHA512
ce0ada6dc5f200e66aaffe4a28e96a86f6a65a23331ba86133fd759d029885ca09fd710d454b1b7c23aa05fbcdaab30e167bd16faef7d40a8ae7c63d814ee742

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jz7Ey3Qk.exe

Filesize
1.4MB

MD5
cd8d3b7686c8c595e2d5ff715e954343

SHA1
6cabe2baf49de53515c056e1ae27076eef6c8fb9

SHA256
06fefa939c9cc60110db11fd7732b1a13129c4b6bbce27f467fb63c086dfb94c

SHA512
ce0ada6dc5f200e66aaffe4a28e96a86f6a65a23331ba86133fd759d029885ca09fd710d454b1b7c23aa05fbcdaab30e167bd16faef7d40a8ae7c63d814ee742

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fu3JA8ZY.exe

Filesize
882KB

MD5
ccf8bb6a358f0e635323262c8a082968

SHA1
f839f34b31132e55e36b8f91afa7d3a4230065b9

SHA256
432dcbfc66a2cf267f3fdbdceabff264227205cc5cbf7ffe06ce3458f14437a7

SHA512
7c1ce1356c677d59f6ee974743ce2ef16f1a23cb3aad6c1449062549b04940fbdd2fb536cdea9df32acfdb3af29253b0df7d07ef02630bd25b933d1b9690e4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fu3JA8ZY.exe

Filesize
882KB

MD5
ccf8bb6a358f0e635323262c8a082968

SHA1
f839f34b31132e55e36b8f91afa7d3a4230065b9

SHA256
432dcbfc66a2cf267f3fdbdceabff264227205cc5cbf7ffe06ce3458f14437a7

SHA512
7c1ce1356c677d59f6ee974743ce2ef16f1a23cb3aad6c1449062549b04940fbdd2fb536cdea9df32acfdb3af29253b0df7d07ef02630bd25b933d1b9690e4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3WL0YQ32.exe

Filesize
181KB

MD5
4980f0d50a2c25747de55c4319e1ca9a

SHA1
697b68520139e5b8fca79a4be46cd0055a6c3953

SHA256
9853a9e5fa0375dd0b0fe41f357ef26615c42b4b3b025c36510b3c549aa7ad13

SHA512
59fb4fb6f2fe830e22c63402d3d12328c9020f3fc2bfbba772640e048bb5674b56e183615baf023a32b0c8cb719279fba61faae7c5ddc071fffd3f306bcf98dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uC0Ux4Gf.exe

Filesize
687KB

MD5
2c497fd1e1d06b886c9f6f3bd775f63e

SHA1
ed937959a98a895374fb0ae32b64963fb92263e3

SHA256
4c45ebe8014a7b034201f5b132f7490ce5504e5ffca17ad8e368de3378d89fed

SHA512
86fcfbf86a7c95c53e7944b381efeb9053a4da08a8f07a88ae9d05a82c9ab9d3cc4be27e4feb9a3bb833b638a828b1648612c607c8dc699eba95540ee7ccbfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\uC0Ux4Gf.exe

Filesize
687KB

MD5
2c497fd1e1d06b886c9f6f3bd775f63e

SHA1
ed937959a98a895374fb0ae32b64963fb92263e3

SHA256
4c45ebe8014a7b034201f5b132f7490ce5504e5ffca17ad8e368de3378d89fed

SHA512
86fcfbf86a7c95c53e7944b381efeb9053a4da08a8f07a88ae9d05a82c9ab9d3cc4be27e4feb9a3bb833b638a828b1648612c607c8dc699eba95540ee7ccbfd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ya80mj3.exe

Filesize
1.8MB

MD5
a9712e8ef40d2380107972bbfead5478

SHA1
9fcd9de49ba5ea3b743db1d470e5b26ed4cd3354

SHA256
229fd90c0f3e8816d38330c46068d6438d7556929ff09bc5b260d4712e96cf50

SHA512
fadd1bf444d78153d7336d263d328d2b7a42451e5c12daecccf1a9c861b4d90f50d0364880338cf441d794b8d46fbf75fb46c8dcbbd8da1f75c669f0f557d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ya80mj3.exe

Filesize
1.8MB

MD5
a9712e8ef40d2380107972bbfead5478

SHA1
9fcd9de49ba5ea3b743db1d470e5b26ed4cd3354

SHA256
229fd90c0f3e8816d38330c46068d6438d7556929ff09bc5b260d4712e96cf50

SHA512
fadd1bf444d78153d7336d263d328d2b7a42451e5c12daecccf1a9c861b4d90f50d0364880338cf441d794b8d46fbf75fb46c8dcbbd8da1f75c669f0f557d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ya80mj3.exe

Filesize
1.8MB

MD5
a9712e8ef40d2380107972bbfead5478

SHA1
9fcd9de49ba5ea3b743db1d470e5b26ed4cd3354

SHA256
229fd90c0f3e8816d38330c46068d6438d7556929ff09bc5b260d4712e96cf50

SHA512
fadd1bf444d78153d7336d263d328d2b7a42451e5c12daecccf1a9c861b4d90f50d0364880338cf441d794b8d46fbf75fb46c8dcbbd8da1f75c669f0f557d138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2it919bS.exe

Filesize
219KB

MD5
1bca258fea7da406cbecf971afad046f

SHA1
b1172097d480f7b5e96a80cef8da12f237d17c1b

SHA256
daaf392ef9a11e95ce2d0b24befd315ffa1d6f951354632cf2b7db0fc4d91a89

SHA512
b9519a5f3acce2db860355724e1bcf908cd4e1d896911638bca36ae0937b929528b7fb7154c6f76e5fdb79bddd78ec81e9ec88f620febccbb02866e1cf4a62ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2it919bS.exe

Filesize
219KB

MD5
1bca258fea7da406cbecf971afad046f

SHA1
b1172097d480f7b5e96a80cef8da12f237d17c1b

SHA256
daaf392ef9a11e95ce2d0b24befd315ffa1d6f951354632cf2b7db0fc4d91a89

SHA512
b9519a5f3acce2db860355724e1bcf908cd4e1d896911638bca36ae0937b929528b7fb7154c6f76e5fdb79bddd78ec81e9ec88f620febccbb02866e1cf4a62ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1319.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe

Filesize
306KB

MD5
5d0310efbb0ea7ead8624b0335b21b7b

SHA1
88f26343350d7b156e462d6d5c50697ed9d3911c

SHA256
a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a

SHA512
ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe

Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe

Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE80.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE95.tmp

Filesize
92KB

MD5
3f2000742dfce009334f21df6014ebe2

SHA1
a3d63a0770c7c4b197e00b4a604fb9315711aae8

SHA256
43ac1f4879a3e46340214841cb30fe4a62575173f4b0bd731935ad24c369f301

SHA512
c8f9c2b333f9bef73350ae002eb9442c9c9b8b50712408c74ac27b4ef80637750ddfbf03c91162ab3561d9f78ba96202c50c58b58256d9e74f2017c6f2c8093c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z3R2JQSDD9OQA4SYYC8Y.temp

Filesize
7KB

MD5
dbb4e760ab2f367a18e90ade7bdd9197

SHA1
714358402e647227a8a1ba46f4575aedbd0bbf07

SHA256
b82dffe2a6293beb2063785c3cb022a7483dfe08bfa813059fc8ea7c7d3298d1

SHA512
4f186c0877b9cb2e694cc91c730bef78db37f71c2359472b845b95ceda7965aefd7b7d0c4f5ab727a3a42a3210544a99aecdcd42e5234baa024dd83bf87c4612

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll

Filesize
102KB

MD5
8da053f9830880089891b615436ae761

SHA1
47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4

SHA256
d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374

SHA512
69d49817607eced2a16a640eaac5d124aa10f9eeee49c30777c0bc18c9001cd6537c5b675f3a8b40d07e76ec2a0a96e16d1273bfebdce1bf20f80fbd68721b39

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll

Filesize
1.2MB

MD5
0111e5a2a49918b9c34cbfbf6380f3f3

SHA1
81fc519232c0286f5319b35078ac3bb381311bd4

SHA256
4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c

SHA512
a2aac32a2c5146dd7287d245bfa9424287bfd12a40825f4da7d18204837242c99d4406428f2361e13c2e4f4d68c385de12e98243cf48bf4c6c5a82273c4467a5

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.1MB

MD5
89ecc6e0f4f435c613bce8b5f59c2a0a

SHA1
6ecae8292b1ad3aa55f6ac04c01a518d9edade12

SHA256
567660410d0103eb3b704426be08e1b90b24d3c2a047fc9b232bf7cb9e72eb53

SHA512
fe0638c8635cdd98f8f6c166c93ea8f6607e0145516636356a3af0f57db542ff05226bba14460721785782ecb610eac69d73ad026e8057a140c47d57c581b82a

Download Submit
\Users\Admin\AppData\Local\Temp\3365.exe

Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
\Users\Admin\AppData\Local\Temp\3365.exe

Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
\Users\Admin\AppData\Local\Temp\3365.exe

Filesize
499KB

MD5
ed1e95debacead7bec24779f6549744a

SHA1
d1becd6ca86765f9e82c40d8f698c07854b32a45

SHA256
e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651

SHA512
32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

Download Submit
\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
\Users\Admin\AppData\Local\Temp\F91E.exe

Filesize
1.7MB

MD5
1201f0620c57315bf1924240fe725586

SHA1
54b9cd889295a2a52407d7e53d5568cc4bf6623b

SHA256
9bbca0daa4a41a6ded6a8e8cc10236ae3aff60a25a05581b6b77bd5709e82df3

SHA512
92c1371a2fe0c14892bd9edd7d74dab6d0b551dff8dda5cccb226002d70d968331c9f70d82a9992651a584987ed3b11c9f46ba67c1ca2ff37a21da0cfb73f16c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe

Filesize
1.6MB

MD5
e57a67cd8d906d51dff7f3b7a9693abc

SHA1
c43d692cef06c2c9a88531f21a64cbdd21392ea1

SHA256
f6dbfb9fbb625c5b4a17bd86cd6784f39dfc6e51d1d0b0f3c534d4af68400940

SHA512
bc1bb7852576f3e317e32fec6f9dc10b21c601b5c3702d1a3350f996a9be594dab33a0319910a48e60d7c3add1fa8e6fa30b4f0682ad1289fe05b483d0a489cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\to4xD9ej.exe

Filesize
1.6MB

MD5
e57a67cd8d906d51dff7f3b7a9693abc

SHA1
c43d692cef06c2c9a88531f21a64cbdd21392ea1

SHA256
f6dbfb9fbb625c5b4a17bd86cd6784f39dfc6e51d1d0b0f3c534d4af68400940

SHA512
bc1bb7852576f3e317e32fec6f9dc10b21c601b5c3702d1a3350f996a9be594dab33a0319910a48e60d7c3add1fa8e6fa30b4f0682ad1289fe05b483d0a489cd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\jz7Ey3Qk.exe

Filesize
1.4MB

MD5
cd8d3b7686c8c595e2d5ff715e954343

SHA1
6cabe2baf49de53515c056e1ae27076eef6c8fb9

SHA256
06fefa939c9cc60110db11fd7732b1a13129c4b6bbce27f467fb63c086dfb94c

SHA512
ce0ada6dc5f200e66aaffe4a28e96a86f6a65a23331ba86133fd759d029885ca09fd710d454b1b7c23aa05fbcdaab30e167bd16faef7d40a8ae7c63d814ee742

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\jz7Ey3Qk.exe

Filesize
1.4MB

MD5
cd8d3b7686c8c595e2d5ff715e954343

SHA1
6cabe2baf49de53515c056e1ae27076eef6c8fb9

SHA256
06fefa939c9cc60110db11fd7732b1a13129c4b6bbce27f467fb63c086dfb94c

SHA512
ce0ada6dc5f200e66aaffe4a28e96a86f6a65a23331ba86133fd759d029885ca09fd710d454b1b7c23aa05fbcdaab30e167bd16faef7d40a8ae7c63d814ee742

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fu3JA8ZY.exe

Filesize
882KB

MD5
ccf8bb6a358f0e635323262c8a082968

SHA1
f839f34b31132e55e36b8f91afa7d3a4230065b9

SHA256
432dcbfc66a2cf267f3fdbdceabff264227205cc5cbf7ffe06ce3458f14437a7

SHA512
7c1ce1356c677d59f6ee974743ce2ef16f1a23cb3aad6c1449062549b04940fbdd2fb536cdea9df32acfdb3af29253b0df7d07ef02630bd25b933d1b9690e4bf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\Fu3JA8ZY.exe

Filesize
882KB

MD5
ccf8bb6a358f0e635323262c8a082968

SHA1
f839f34b31132e55e36b8f91afa7d3a4230065b9

SHA256
432dcbfc66a2cf267f3fdbdceabff264227205cc5cbf7ffe06ce3458f14437a7

SHA512
7c1ce1356c677d59f6ee974743ce2ef16f1a23cb3aad6c1449062549b04940fbdd2fb536cdea9df32acfdb3af29253b0df7d07ef02630bd25b933d1b9690e4bf

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\uC0Ux4Gf.exe

Filesize
687KB

MD5
2c497fd1e1d06b886c9f6f3bd775f63e

SHA1
ed937959a98a895374fb0ae32b64963fb92263e3

SHA256
4c45ebe8014a7b034201f5b132f7490ce5504e5ffca17ad8e368de3378d89fed

SHA512
86fcfbf86a7c95c53e7944b381efeb9053a4da08a8f07a88ae9d05a82c9ab9d3cc4be27e4feb9a3bb833b638a828b1648612c607c8dc699eba95540ee7ccbfd1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\uC0Ux4Gf.exe

Filesize
687KB

MD5
2c497fd1e1d06b886c9f6f3bd775f63e

SHA1
ed937959a98a895374fb0ae32b64963fb92263e3

SHA256
4c45ebe8014a7b034201f5b132f7490ce5504e5ffca17ad8e368de3378d89fed

SHA512
86fcfbf86a7c95c53e7944b381efeb9053a4da08a8f07a88ae9d05a82c9ab9d3cc4be27e4feb9a3bb833b638a828b1648612c607c8dc699eba95540ee7ccbfd1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ya80mj3.exe

Filesize
1.8MB

MD5
a9712e8ef40d2380107972bbfead5478

SHA1
9fcd9de49ba5ea3b743db1d470e5b26ed4cd3354

SHA256
229fd90c0f3e8816d38330c46068d6438d7556929ff09bc5b260d4712e96cf50

SHA512
fadd1bf444d78153d7336d263d328d2b7a42451e5c12daecccf1a9c861b4d90f50d0364880338cf441d794b8d46fbf75fb46c8dcbbd8da1f75c669f0f557d138

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ya80mj3.exe

Filesize
1.8MB

MD5
a9712e8ef40d2380107972bbfead5478

SHA1
9fcd9de49ba5ea3b743db1d470e5b26ed4cd3354

SHA256
229fd90c0f3e8816d38330c46068d6438d7556929ff09bc5b260d4712e96cf50

SHA512
fadd1bf444d78153d7336d263d328d2b7a42451e5c12daecccf1a9c861b4d90f50d0364880338cf441d794b8d46fbf75fb46c8dcbbd8da1f75c669f0f557d138

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ya80mj3.exe

Filesize
1.8MB

MD5
a9712e8ef40d2380107972bbfead5478

SHA1
9fcd9de49ba5ea3b743db1d470e5b26ed4cd3354

SHA256
229fd90c0f3e8816d38330c46068d6438d7556929ff09bc5b260d4712e96cf50

SHA512
fadd1bf444d78153d7336d263d328d2b7a42451e5c12daecccf1a9c861b4d90f50d0364880338cf441d794b8d46fbf75fb46c8dcbbd8da1f75c669f0f557d138

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\2it919bS.exe

Filesize
219KB

MD5
1bca258fea7da406cbecf971afad046f

SHA1
b1172097d480f7b5e96a80cef8da12f237d17c1b

SHA256
daaf392ef9a11e95ce2d0b24befd315ffa1d6f951354632cf2b7db0fc4d91a89

SHA512
b9519a5f3acce2db860355724e1bcf908cd4e1d896911638bca36ae0937b929528b7fb7154c6f76e5fdb79bddd78ec81e9ec88f620febccbb02866e1cf4a62ae

Download Submit
\Users\Admin\AppData\Local\Temp\IXP004.TMP\2it919bS.exe

Filesize
219KB

MD5
1bca258fea7da406cbecf971afad046f

SHA1
b1172097d480f7b5e96a80cef8da12f237d17c1b

SHA256
daaf392ef9a11e95ce2d0b24befd315ffa1d6f951354632cf2b7db0fc4d91a89

SHA512
b9519a5f3acce2db860355724e1bcf908cd4e1d896911638bca36ae0937b929528b7fb7154c6f76e5fdb79bddd78ec81e9ec88f620febccbb02866e1cf4a62ae

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

Filesize
2.5MB

MD5
032a919dff4e6ba21c24d11a423b112c

SHA1
cbaa859c0afa6b4c0d2a288728e653e324e80e90

SHA256
12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553

SHA512
0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

Download Submit
\Users\Admin\AppData\Local\Temp\kos4.exe

Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
239KB

MD5
cbc7a8ce71264b2c2c8568fd6ff6d93d

SHA1
16e53a3a1789b42dce33e1fb9d5b6476cc76dcf5

SHA256
10b9e6d04ea861b41718bc6ec5822e33500c7008c9f00c8c75d429d340068fc0

SHA512
c1a7040de751719d8dc335cca8d7c34411898d5b0c321668abdd059862dd566b4b58bdb9f997407d09dd7f7fb3a21a5061b4c1e4e45b57e7dccde6a7cc29759e

Download Submit
memory/852-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/852-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/900-1012-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/900-1206-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/900-1207-0x000000001B3C0000-0x000000001B440000-memory.dmp

Filesize
512KB

Download
memory/900-526-0x0000000001380000-0x0000000001388000-memory.dmp

Filesize
32KB

Download
memory/1064-417-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1064-416-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/1240-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1240-270-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1240-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-1-0x0000000002A80000-0x0000000002A96000-memory.dmp

Filesize
88KB

Download
memory/1296-447-0x0000000003F80000-0x0000000003F96000-memory.dmp

Filesize
88KB

Download
memory/1488-1181-0x0000000002924000-0x0000000002927000-memory.dmp

Filesize
12KB

Download
memory/1488-1185-0x000007FEED9B0000-0x000007FEEE34D000-memory.dmp

Filesize
9.6MB

Download
memory/1488-1179-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/1488-1184-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1488-1183-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/1488-1182-0x000007FEED9B0000-0x000007FEEE34D000-memory.dmp

Filesize
9.6MB

Download
memory/1488-1180-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1512-1209-0x0000000002720000-0x0000000002B18000-memory.dmp

Filesize
4.0MB

Download
memory/1512-1670-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1512-1375-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1512-1671-0x0000000002720000-0x0000000002B18000-memory.dmp

Filesize
4.0MB

Download
memory/1512-1210-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1512-1208-0x0000000002720000-0x0000000002B18000-memory.dmp

Filesize
4.0MB

Download
memory/1620-1716-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1620-1705-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1704-461-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1716-437-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-1076-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1716-409-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1716-1178-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-410-0x0000000000300000-0x000000000035A000-memory.dmp

Filesize
360KB

Download
memory/1996-420-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1996-427-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-440-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1996-448-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2028-1746-0x0000000019CD0000-0x0000000019FB2000-memory.dmp

Filesize
2.9MB

Download
memory/2028-1747-0x000007FEED9B0000-0x000007FEEE34D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-421-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/2212-1186-0x0000000002A70000-0x000000000335B000-memory.dmp

Filesize
8.9MB

Download
memory/2212-1177-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2212-446-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2212-435-0x0000000002A70000-0x000000000335B000-memory.dmp

Filesize
8.9MB

Download
memory/2212-1196-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2212-1013-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2212-392-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/2244-1189-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-1203-0x00000000045C0000-0x0000000004600000-memory.dmp

Filesize
256KB

Download
memory/2244-439-0x00000000001A0000-0x00000000001BE000-memory.dmp

Filesize
120KB

Download
memory/2244-445-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-460-0x00000000045C0000-0x0000000004600000-memory.dmp

Filesize
256KB

Download
memory/2244-1704-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2284-1202-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2284-1014-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2284-1733-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2284-1029-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2284-1739-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/2652-1200-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2652-1199-0x000007FEED010000-0x000007FEED9AD000-memory.dmp

Filesize
9.6MB

Download
memory/2652-1356-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2652-1228-0x000007FEED010000-0x000007FEED9AD000-memory.dmp

Filesize
9.6MB

Download
memory/2652-1384-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2652-1194-0x000000001B250000-0x000000001B532000-memory.dmp

Filesize
2.9MB

Download
memory/2652-1197-0x000007FEED010000-0x000007FEED9AD000-memory.dmp

Filesize
9.6MB

Download
memory/2652-1204-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2652-1201-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2652-1494-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2652-1198-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2652-1195-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2652-1661-0x0000000002290000-0x0000000002310000-memory.dmp

Filesize
512KB

Download
memory/2652-1663-0x000007FEED010000-0x000007FEED9AD000-memory.dmp

Filesize
9.6MB

Download
memory/2720-283-0x0000000000EF0000-0x0000000001B80000-memory.dmp

Filesize
12.6MB

Download
memory/2720-282-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2720-443-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2768-1672-0x0000000002890000-0x0000000002C88000-memory.dmp

Filesize
4.0MB

Download
memory/2768-1673-0x0000000002890000-0x0000000002C88000-memory.dmp

Filesize
4.0MB

Download
memory/2768-1743-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2768-1697-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2768-1701-0x0000000002890000-0x0000000002C88000-memory.dmp

Filesize
4.0MB

Download
memory/2768-1703-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2768-1740-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2768-1734-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/2844-408-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-262-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2844-184-0x0000000073BB0000-0x000000007429E000-memory.dmp

Filesize
6.9MB

Download
memory/2844-425-0x00000000004C0000-0x0000000000500000-memory.dmp

Filesize
256KB

Download
memory/2844-155-0x0000000000AE0000-0x0000000000B1C000-memory.dmp

Filesize
240KB

Download
memory/2868-1735-0x000000013FC70000-0x0000000140211000-memory.dmp

Filesize
5.6MB

Download
memory/2880-1023-0x000000013F2B0000-0x000000013F851000-memory.dmp

Filesize
5.6MB

Download
memory/2880-1205-0x000000013F2B0000-0x000000013F851000-memory.dmp

Filesize
5.6MB

Download
memory/2880-1665-0x000000013F2B0000-0x000000013F851000-memory.dmp

Filesize
5.6MB

Download
memory/3024-289-0x0000000000350000-0x000000000038C000-memory.dmp

Filesize
240KB

Download