glupteba | eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01-12-2023 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

456KB
MD5

a8145015691ccb73460a69fa0a8b0304
SHA1

d1f61cd7ccf682868720dacfc91f50ce4e70412b
SHA256

eff416f17b83327e6911308b2b9678f52fb4b4d20b99a96f43c2478e5dcc10f2
SHA512

246c43e235fa7c5b4ec9575dd68448db19b28532f5bb51b3baa9b3637a990f25c3677b54fc40d47bd0ced5e97fb10dbe0a04e0df5516f9ca24a5bf47fb2a78f1
SSDEEP

6144:I1/tBaOZZfURQrLmwCn/2L04fiOFnZitWpqdc6WwjLC6a2HEZ+rG7tUW:mtbRURQ+wC+9KtWpqSNg+6RrqtUW

Score

10^/10

glupteba vidar b38cb04787049a109b9655c2379f5b97 discovery dropper evasion loader persistence rootkit stealer trojan upx

Malware Config

Extracted

Family

vidar

Version

6.7

Botnet

b38cb04787049a109b9655c2379f5b97

https://t.me/s4p0g

https://steamcommunity.com/profiles/76561199575355834

Attributes

profile_id_v2
b38cb04787049a109b9655c2379f5b97

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/memory/932-173-0x0000000002AF0000-0x00000000033DB000-memory.dmp	family_glupteba
behavioral1/memory/932-182-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/932-211-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/932-315-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/932-324-0x0000000002AF0000-0x00000000033DB000-memory.dmp	family_glupteba
behavioral1/memory/2520-361-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2520-372-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/828-379-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/828-406-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/828-440-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/828-675-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/828-677-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/828-710-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/828-723-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/828-730-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

file.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Windows security bypass 2 TTPs 9 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

6vGEgpFDI7kTw5cKxFzVda76.exefile.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0"	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6vGEgpFDI7kTw5cKxFzVda76.exe = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1812	bcdedit.exe
1680	bcdedit.exe
952	bcdedit.exe
1612	bcdedit.exe
1572	bcdedit.exe
1568	bcdedit.exe
1380	bcdedit.exe
1620	bcdedit.exe
2820	bcdedit.exe
1068	bcdedit.exe
532	bcdedit.exe
1528	bcdedit.exe
1524	bcdedit.exe
2864	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1976 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
1976	netsh.exe

Drops startup file 9 IoCs

Processes:

CasPol.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LvTuzFaiZ5VUNua6oYqcm0Kh.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrWWG5FgxKHZwO8TajiYmU13.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ptF0BrGSkvp9xQGkLii9RlUT.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kamr3k8zzsMQUzy0kyfsoHNs.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\or5bGCPHO9fQeIWMfEZVyiJU.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RARqi0KsHhFRpmbjUZnu9ARV.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7uTlfIi0OjMWW8UBXOn9mOmw.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7C7P2Z8IpAcAPsftFw2Kc6Ri.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GkgeBoFKHRAHoHaPkpSAVHAH.bat	CasPol.exe

Executes dropped EXE 15 IoCs

Processes:

eybFioyvJthYcJ4zTwTJxLOp.exe6vGEgpFDI7kTw5cKxFzVda76.exeyKxb6L80sk24eq7HXjrtU8VF.exeNS6frHrCjVhlPSJyxMALcGE7.exegTtdILQ2dPHc6pbnfX8viYnt.exeBroom.exeNS6frHrCjVhlPSJyxMALcGE7.tmpDSKTZGpxzV48bYWKoWWp71N3.exe6vGEgpFDI7kTw5cKxFzVda76.execsrss.exepatch.exeinjector.exedsefix.exewindefender.exewindefender.exe

pid	process
924	eybFioyvJthYcJ4zTwTJxLOp.exe
932	6vGEgpFDI7kTw5cKxFzVda76.exe
1328	yKxb6L80sk24eq7HXjrtU8VF.exe
1452	NS6frHrCjVhlPSJyxMALcGE7.exe
1876	gTtdILQ2dPHc6pbnfX8viYnt.exe
1440	Broom.exe
668	NS6frHrCjVhlPSJyxMALcGE7.tmp
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
2520	6vGEgpFDI7kTw5cKxFzVda76.exe
828	csrss.exe
2264	patch.exe
1884	injector.exe
2492	dsefix.exe
2276	windefender.exe
2328	windefender.exe

Loads dropped DLL 32 IoCs

Processes:

CasPol.exeyKxb6L80sk24eq7HXjrtU8VF.exeeybFioyvJthYcJ4zTwTJxLOp.exeNS6frHrCjVhlPSJyxMALcGE7.exeNS6frHrCjVhlPSJyxMALcGE7.tmpDSKTZGpxzV48bYWKoWWp71N3.exe6vGEgpFDI7kTw5cKxFzVda76.exepatch.execsrss.exe

pid	process
2056	CasPol.exe
2056	CasPol.exe
2056	CasPol.exe
2056	CasPol.exe
1328	yKxb6L80sk24eq7HXjrtU8VF.exe
2056	CasPol.exe
2056	CasPol.exe
2056	CasPol.exe
924	eybFioyvJthYcJ4zTwTJxLOp.exe
1452	NS6frHrCjVhlPSJyxMALcGE7.exe
668	NS6frHrCjVhlPSJyxMALcGE7.tmp
668	NS6frHrCjVhlPSJyxMALcGE7.tmp
668	NS6frHrCjVhlPSJyxMALcGE7.tmp
668	NS6frHrCjVhlPSJyxMALcGE7.tmp
2056	CasPol.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1328	yKxb6L80sk24eq7HXjrtU8VF.exe
2520	6vGEgpFDI7kTw5cKxFzVda76.exe
2520	6vGEgpFDI7kTw5cKxFzVda76.exe
844
2264	patch.exe
2264	patch.exe
2264	patch.exe
2264	patch.exe
2264	patch.exe
828	csrss.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
2264	patch.exe
2264	patch.exe
2264	patch.exe
828	csrss.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

DSKTZGpxzV48bYWKoWWp71N3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ThreadingModel = "Apartment"	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ThreadingModel = "Apartment"	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ = "C:\\Windows\\Microsoft.NET\\authman\\atiacm.dll"	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ = "C:\\Windows\\Microsoft.NET\\authman\\atiacm.dll"	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ = "C:\\Windows\\Microsoft.NET\\authman\\atiacm.dll"	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ThreadingModel = "Apartment"	DSKTZGpxzV48bYWKoWWp71N3.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Pictures\yKxb6L80sk24eq7HXjrtU8VF.exe	upx
C:\Users\Admin\Pictures\yKxb6L80sk24eq7HXjrtU8VF.exe	upx
C:\Users\Admin\Pictures\yKxb6L80sk24eq7HXjrtU8VF.exe	upx
behavioral1/memory/1328-114-0x0000000001020000-0x0000000001548000-memory.dmp	upx
behavioral1/memory/2056-100-0x0000000006990000-0x0000000006EB8000-memory.dmp	upx
behavioral1/memory/1328-373-0x0000000001020000-0x0000000001548000-memory.dmp	upx
C:\Windows\windefender.exe	upx
behavioral1/memory/2276-717-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral1/memory/2328-720-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2276-721-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2328-726-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

file.exe6vGEgpFDI7kTw5cKxFzVda76.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0"	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6vGEgpFDI7kTw5cKxFzVda76.exe = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	6vGEgpFDI7kTw5cKxFzVda76.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6vGEgpFDI7kTw5cKxFzVda76.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 1768 set thread context of 2056 1768 file.exe CasPol.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

6vGEgpFDI7kTw5cKxFzVda76.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 6vGEgpFDI7kTw5cKxFzVda76.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

description	pid	process	target process
PID 1768 set thread context of 2056	1768	file.exe	CasPol.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	6vGEgpFDI7kTw5cKxFzVda76.exe

Drops file in Program Files directory 64 IoCs

Processes:

DSKTZGpxzV48bYWKoWWp71N3.exeNS6frHrCjVhlPSJyxMALcGE7.tmp

description	ioc	process
File created	C:\Program Files (x86)\ClocX\Presets\Citizen.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.bmp	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\woodone\woodmin.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackBallRoman.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\LongClock.bmp	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Metalluhr.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Neon.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\Svenska.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Aqua.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\CloQ.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\GroenneKugler.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\Hebrew.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jaguar.bmp	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\Romanian.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Kirchenuhr.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock2.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanblack\romanblackhour.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\Hungarian.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BubbleClock.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\ClocX.exe	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\Indonesian.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\domeclock\domemin.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman2\roman2hour.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Sounds\trumpet.mp3	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Adler.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BaiWeather.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackAppleClock.bmp	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\alarme.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock.bmp	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\DarkCrystalBall.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\CloQ.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\DSX4.BMP	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\uninst.exe	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\xrecode3\stuff\is-IERJJ.tmp	NS6frHrCjVhlPSJyxMALcGE7.tmp
File created	C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-minute.hpng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.bmp	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Cappuccino.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyMouse.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\DSX4.TXT	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\Afrikaans.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Sounds\beep-ClockChime.wav	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\AquaLarge.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueSphere.bmp	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\CarpeDiem.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Holzuhr.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanold\romanoldmin.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Violeta.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Sounds\clockbell.mp3	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\Portuguese.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\negro2.png	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BaiWeather.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\Citizen.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow2.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Lang\English.lng	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallOnlyDots.ini	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock2.bmp	DSKTZGpxzV48bYWKoWWp71N3.exe
File created	C:\Program Files (x86)\ClocX\Presets\black and steel.ini	DSKTZGpxzV48bYWKoWWp71N3.exe

Drops file in Windows directory 6 IoCs

Processes:

6vGEgpFDI7kTw5cKxFzVda76.exemakecab.execsrss.exeDSKTZGpxzV48bYWKoWWp71N3.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	6vGEgpFDI7kTw5cKxFzVda76.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231201180932.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Microsoft.NET\authman\atiacm.dll	DSKTZGpxzV48bYWKoWWp71N3.exe
File opened for modification	C:\Windows\rss	6vGEgpFDI7kTw5cKxFzVda76.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1088 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1088	sc.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe	nsis_installer_1
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe	nsis_installer_2
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe	nsis_installer_1
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe	nsis_installer_2
\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe	nsis_installer_1
\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe	nsis_installer_2
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe	nsis_installer_1
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1588 schtasks.exe
2668 schtasks.exe

pid	process
1588	schtasks.exe
2668	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

windefender.exe6vGEgpFDI7kTw5cKxFzVda76.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	6vGEgpFDI7kTw5cKxFzVda76.exe

Modifies registry class 22 IoCs

Processes:

DSKTZGpxzV48bYWKoWWp71N3.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A213772-63CC-6C58-5CD4-545A369F55ED}	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ = "C:\\Windows\\Microsoft.NET\\authman\\atiacm.dll"	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2E213772-63CC-6C58-5CD4-545A369F55ED}"	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ = "C:\\Windows\\Microsoft.NET\\authman\\atiacm.dll"	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ThreadingModel = "Apartment"	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ThreadingModel = "Apartment"	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\CLSID	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1A213772-63CC-6C58-5CD4-545A369F55ED}"	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ = "C:\\Windows\\Microsoft.NET\\authman\\atiacm.dll"	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	DSKTZGpxzV48bYWKoWWp71N3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F213772-63CC-6C58-5CD4-545A369F55ED}\InProcServer32\ThreadingModel = "Apartment"	DSKTZGpxzV48bYWKoWWp71N3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx	DSKTZGpxzV48bYWKoWWp71N3.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

gTtdILQ2dPHc6pbnfX8viYnt.exepatch.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	gTtdILQ2dPHc6pbnfX8viYnt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gTtdILQ2dPHc6pbnfX8viYnt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gTtdILQ2dPHc6pbnfX8viYnt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeDSKTZGpxzV48bYWKoWWp71N3.exe6vGEgpFDI7kTw5cKxFzVda76.exe6vGEgpFDI7kTw5cKxFzVda76.exeinjector.execsrss.exe

pid	process
1720	powershell.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
1980	DSKTZGpxzV48bYWKoWWp71N3.exe
932	6vGEgpFDI7kTw5cKxFzVda76.exe
2520	6vGEgpFDI7kTw5cKxFzVda76.exe
2520	6vGEgpFDI7kTw5cKxFzVda76.exe
2520	6vGEgpFDI7kTw5cKxFzVda76.exe
2520	6vGEgpFDI7kTw5cKxFzVda76.exe
2520	6vGEgpFDI7kTw5cKxFzVda76.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
828	csrss.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
828	csrss.exe
828	csrss.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe
1884	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

CasPol.exepowershell.exe6vGEgpFDI7kTw5cKxFzVda76.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	2056	CasPol.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	932	6vGEgpFDI7kTw5cKxFzVda76.exe
Token: SeImpersonatePrivilege	932	6vGEgpFDI7kTw5cKxFzVda76.exe
Token: SeSystemEnvironmentPrivilege	828	csrss.exe
Token: SeSecurityPrivilege	1088	sc.exe
Token: SeSecurityPrivilege	1088	sc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Broom.exe

pid process

1440 Broom.exe

pid	process
1440	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exeCasPol.exeeybFioyvJthYcJ4zTwTJxLOp.exeNS6frHrCjVhlPSJyxMALcGE7.exe6vGEgpFDI7kTw5cKxFzVda76.execmd.exe

description	pid	process	target process
PID 1768 wrote to memory of 1720	1768	file.exe	powershell.exe
PID 1768 wrote to memory of 1720	1768	file.exe	powershell.exe
PID 1768 wrote to memory of 1720	1768	file.exe	powershell.exe
PID 1768 wrote to memory of 1720	1768	file.exe	powershell.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 1768 wrote to memory of 2056	1768	file.exe	CasPol.exe
PID 2056 wrote to memory of 924	2056	CasPol.exe	eybFioyvJthYcJ4zTwTJxLOp.exe
PID 2056 wrote to memory of 924	2056	CasPol.exe	eybFioyvJthYcJ4zTwTJxLOp.exe
PID 2056 wrote to memory of 924	2056	CasPol.exe	eybFioyvJthYcJ4zTwTJxLOp.exe
PID 2056 wrote to memory of 924	2056	CasPol.exe	eybFioyvJthYcJ4zTwTJxLOp.exe
PID 2056 wrote to memory of 924	2056	CasPol.exe	eybFioyvJthYcJ4zTwTJxLOp.exe
PID 2056 wrote to memory of 924	2056	CasPol.exe	eybFioyvJthYcJ4zTwTJxLOp.exe
PID 2056 wrote to memory of 924	2056	CasPol.exe	eybFioyvJthYcJ4zTwTJxLOp.exe
PID 2056 wrote to memory of 932	2056	CasPol.exe	6vGEgpFDI7kTw5cKxFzVda76.exe
PID 2056 wrote to memory of 932	2056	CasPol.exe	6vGEgpFDI7kTw5cKxFzVda76.exe
PID 2056 wrote to memory of 932	2056	CasPol.exe	6vGEgpFDI7kTw5cKxFzVda76.exe
PID 2056 wrote to memory of 932	2056	CasPol.exe	6vGEgpFDI7kTw5cKxFzVda76.exe
PID 2056 wrote to memory of 1328	2056	CasPol.exe	yKxb6L80sk24eq7HXjrtU8VF.exe
PID 2056 wrote to memory of 1328	2056	CasPol.exe	yKxb6L80sk24eq7HXjrtU8VF.exe
PID 2056 wrote to memory of 1328	2056	CasPol.exe	yKxb6L80sk24eq7HXjrtU8VF.exe
PID 2056 wrote to memory of 1328	2056	CasPol.exe	yKxb6L80sk24eq7HXjrtU8VF.exe
PID 2056 wrote to memory of 1328	2056	CasPol.exe	yKxb6L80sk24eq7HXjrtU8VF.exe
PID 2056 wrote to memory of 1328	2056	CasPol.exe	yKxb6L80sk24eq7HXjrtU8VF.exe
PID 2056 wrote to memory of 1328	2056	CasPol.exe	yKxb6L80sk24eq7HXjrtU8VF.exe
PID 2056 wrote to memory of 1452	2056	CasPol.exe	NS6frHrCjVhlPSJyxMALcGE7.exe
PID 2056 wrote to memory of 1452	2056	CasPol.exe	NS6frHrCjVhlPSJyxMALcGE7.exe
PID 2056 wrote to memory of 1452	2056	CasPol.exe	NS6frHrCjVhlPSJyxMALcGE7.exe
PID 2056 wrote to memory of 1452	2056	CasPol.exe	NS6frHrCjVhlPSJyxMALcGE7.exe
PID 2056 wrote to memory of 1452	2056	CasPol.exe	NS6frHrCjVhlPSJyxMALcGE7.exe
PID 2056 wrote to memory of 1452	2056	CasPol.exe	NS6frHrCjVhlPSJyxMALcGE7.exe
PID 2056 wrote to memory of 1452	2056	CasPol.exe	NS6frHrCjVhlPSJyxMALcGE7.exe
PID 2056 wrote to memory of 1876	2056	CasPol.exe	gTtdILQ2dPHc6pbnfX8viYnt.exe
PID 2056 wrote to memory of 1876	2056	CasPol.exe	gTtdILQ2dPHc6pbnfX8viYnt.exe
PID 2056 wrote to memory of 1876	2056	CasPol.exe	gTtdILQ2dPHc6pbnfX8viYnt.exe
PID 2056 wrote to memory of 1876	2056	CasPol.exe	gTtdILQ2dPHc6pbnfX8viYnt.exe
PID 924 wrote to memory of 1440	924	eybFioyvJthYcJ4zTwTJxLOp.exe	Broom.exe
PID 924 wrote to memory of 1440	924	eybFioyvJthYcJ4zTwTJxLOp.exe	Broom.exe
PID 924 wrote to memory of 1440	924	eybFioyvJthYcJ4zTwTJxLOp.exe	Broom.exe
PID 924 wrote to memory of 1440	924	eybFioyvJthYcJ4zTwTJxLOp.exe	Broom.exe
PID 1452 wrote to memory of 668	1452	NS6frHrCjVhlPSJyxMALcGE7.exe	NS6frHrCjVhlPSJyxMALcGE7.tmp
PID 1452 wrote to memory of 668	1452	NS6frHrCjVhlPSJyxMALcGE7.exe	NS6frHrCjVhlPSJyxMALcGE7.tmp
PID 1452 wrote to memory of 668	1452	NS6frHrCjVhlPSJyxMALcGE7.exe	NS6frHrCjVhlPSJyxMALcGE7.tmp
PID 1452 wrote to memory of 668	1452	NS6frHrCjVhlPSJyxMALcGE7.exe	NS6frHrCjVhlPSJyxMALcGE7.tmp
PID 1452 wrote to memory of 668	1452	NS6frHrCjVhlPSJyxMALcGE7.exe	NS6frHrCjVhlPSJyxMALcGE7.tmp
PID 1452 wrote to memory of 668	1452	NS6frHrCjVhlPSJyxMALcGE7.exe	NS6frHrCjVhlPSJyxMALcGE7.tmp
PID 1452 wrote to memory of 668	1452	NS6frHrCjVhlPSJyxMALcGE7.exe	NS6frHrCjVhlPSJyxMALcGE7.tmp
PID 2056 wrote to memory of 1980	2056	CasPol.exe	DSKTZGpxzV48bYWKoWWp71N3.exe
PID 2056 wrote to memory of 1980	2056	CasPol.exe	DSKTZGpxzV48bYWKoWWp71N3.exe
PID 2056 wrote to memory of 1980	2056	CasPol.exe	DSKTZGpxzV48bYWKoWWp71N3.exe
PID 2056 wrote to memory of 1980	2056	CasPol.exe	DSKTZGpxzV48bYWKoWWp71N3.exe
PID 2520 wrote to memory of 2392	2520	6vGEgpFDI7kTw5cKxFzVda76.exe	cmd.exe
PID 2520 wrote to memory of 2392	2520	6vGEgpFDI7kTw5cKxFzVda76.exe	cmd.exe
PID 2520 wrote to memory of 2392	2520	6vGEgpFDI7kTw5cKxFzVda76.exe	cmd.exe
PID 2520 wrote to memory of 2392	2520	6vGEgpFDI7kTw5cKxFzVda76.exe	cmd.exe
PID 2392 wrote to memory of 1976	2392	cmd.exe	netsh.exe
PID 2392 wrote to memory of 1976	2392	cmd.exe	netsh.exe
PID 2392 wrote to memory of 1976	2392	cmd.exe	netsh.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

file.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\Pictures\eybFioyvJthYcJ4zTwTJxLOp.exe
"C:\Users\Admin\Pictures\eybFioyvJthYcJ4zTwTJxLOp.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe
"C:\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe
"C:\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe"
4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1976

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2264

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
7⤵
- Modifies boot configuration data using bcdedit
PID:1812

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:1680

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:952

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
7⤵
- Modifies boot configuration data using bcdedit
PID:1612

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:1572

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:1568

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
7⤵
- Modifies boot configuration data using bcdedit
PID:1380

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
7⤵
- Modifies boot configuration data using bcdedit
PID:1620

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
7⤵
- Modifies boot configuration data using bcdedit
PID:2820

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
7⤵
- Modifies boot configuration data using bcdedit
PID:1068

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
7⤵
- Modifies boot configuration data using bcdedit
PID:532

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
7⤵
- Modifies boot configuration data using bcdedit
PID:1528

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
7⤵
- Modifies boot configuration data using bcdedit
PID:1524

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1884

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
6⤵
- Modifies boot configuration data using bcdedit
PID:2864

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
6⤵
- Executes dropped EXE
PID:2492

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:2668

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
- Executes dropped EXE
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:2252

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Users\Admin\Pictures\yKxb6L80sk24eq7HXjrtU8VF.exe
"C:\Users\Admin\Pictures\yKxb6L80sk24eq7HXjrtU8VF.exe" --silent --allusers=0
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328

C:\Users\Admin\Pictures\NS6frHrCjVhlPSJyxMALcGE7.exe
"C:\Users\Admin\Pictures\NS6frHrCjVhlPSJyxMALcGE7.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\is-HNAVB.tmp\NS6frHrCjVhlPSJyxMALcGE7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HNAVB.tmp\NS6frHrCjVhlPSJyxMALcGE7.tmp" /SL5="$8011E,8409824,54272,C:\Users\Admin\Pictures\NS6frHrCjVhlPSJyxMALcGE7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:668

C:\Users\Admin\Pictures\gTtdILQ2dPHc6pbnfX8viYnt.exe
"C:\Users\Admin\Pictures\gTtdILQ2dPHc6pbnfX8viYnt.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1876

C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe
"C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231201180932.log C:\Windows\Logs\CBS\CbsPersist_20231201180932.cab
1⤵
- Drops file in Windows directory
PID:2956

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86dd38c724dbdfef0bbdbe23ce75f406

SHA1
ef929e6506852e227ee9b54e18dea36725580681

SHA256
7ef572313b2ce27ce944109321589033c6045378f4a829f88a7b286f198c1e88

SHA512
ca17fa0fae69130c5e9e592bd40d2bae33222cdd6f38404ba0b1295ca35b0f436aaffbab0ee2f5bd973a258ece9285c24e81a524adb3d87004691096ed15e5ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cf0eb47761817f76c9c8b98b86688252

SHA1
06398ce5e99dacb2f85931e3a14cd50434442286

SHA256
13cd1cdfe05d35e7b6215b3878a5af8bcb8409e9d3ae4ccafb87319ac325ce8b

SHA512
466b38322d45f6c5737c4ef795c257d6712c204e58d6457caa07c7cd4f3f2c8d1894a1c5f69277fc60f9da09b071351acc2f4f36d1352ffa382b357c4b8cdc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC549.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HNAVB.tmp\NS6frHrCjVhlPSJyxMALcGE7.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HNAVB.tmp\NS6frHrCjVhlPSJyxMALcGE7.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseEDE9.tmp\Checker.dll

Filesize
41KB

MD5
1c708a87005868d050caa1d3547a0776

SHA1
b98ede6170553e2a776636326b7b8d7ad090fde9

SHA256
268ed303a26dc229a19d2c3f4c7238129e9e24bf3ef96cb5ad493cef9f9e3fb6

SHA512
be542fd70edc854c154342e2d2df055c4833859bbc2df7a347e670b7e7edbf625a9a65f4deb0bd9d54d55f83027784ea0554e61bb1547bc53ce4ac8b535db0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseEDE9.tmp\Zip.dll

Filesize
76KB

MD5
83577ff5aeb8e89d3761e83c6292360f

SHA1
e89c212c4f74698cda36c98cfe84d4706f17ab28

SHA256
634ce5d099ab1abe60d463b90158be7aa5fbc415585175985f1b6a89fdc064c7

SHA512
29136ffea481a826690ec2132ddb8b08f2c4ec14af362887feeb737c228cb8838144f4087533ac8a959cccd14cbe89b17e534f00051d729920cde0b4ae50bb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
C:\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
C:\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
C:\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe

Filesize
4.4MB

MD5
3bd6e4cf4909d288c1593e4a6476cb5c

SHA1
676a31fc52a049044ed428ff64d64d51a6f27e6f

SHA256
65464e44b3e5c9f30569ce3b865891829b55ccaafb01807ca623a1fa0dfdbac9

SHA512
1e36f555c512f6325e0165a4d16677c0daa8f407f36750f7ee13b70027ce981e47e5d84ffd0de35cf5d8966065f1496c125c26824030621c0333abd7f23c2213

Download Submit
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe

Filesize
4.4MB

MD5
3bd6e4cf4909d288c1593e4a6476cb5c

SHA1
676a31fc52a049044ed428ff64d64d51a6f27e6f

SHA256
65464e44b3e5c9f30569ce3b865891829b55ccaafb01807ca623a1fa0dfdbac9

SHA512
1e36f555c512f6325e0165a4d16677c0daa8f407f36750f7ee13b70027ce981e47e5d84ffd0de35cf5d8966065f1496c125c26824030621c0333abd7f23c2213

Download Submit
C:\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe

Filesize
4.4MB

MD5
3bd6e4cf4909d288c1593e4a6476cb5c

SHA1
676a31fc52a049044ed428ff64d64d51a6f27e6f

SHA256
65464e44b3e5c9f30569ce3b865891829b55ccaafb01807ca623a1fa0dfdbac9

SHA512
1e36f555c512f6325e0165a4d16677c0daa8f407f36750f7ee13b70027ce981e47e5d84ffd0de35cf5d8966065f1496c125c26824030621c0333abd7f23c2213

Download Submit
C:\Users\Admin\Pictures\NS6frHrCjVhlPSJyxMALcGE7.exe

Filesize
8.3MB

MD5
835eeb4e83f3d5f2c3cf64d108353911

SHA1
076a846e5e1cf59a963610225a6c03d2855d3c43

SHA256
c54e3cba439a74f84ca8ac0515457316777175ad3e34fd66d5485e3810fb878d

SHA512
3d2c774d6b87d9cd75994936691a2de4b6ff5a2028301021628e48bd35bc734e1827cd678d62d5addf24f9ecc2fd8364329fb40859753dd5ef3cfd131fafca6c

Download Submit
C:\Users\Admin\Pictures\NS6frHrCjVhlPSJyxMALcGE7.exe

Filesize
8.3MB

MD5
835eeb4e83f3d5f2c3cf64d108353911

SHA1
076a846e5e1cf59a963610225a6c03d2855d3c43

SHA256
c54e3cba439a74f84ca8ac0515457316777175ad3e34fd66d5485e3810fb878d

SHA512
3d2c774d6b87d9cd75994936691a2de4b6ff5a2028301021628e48bd35bc734e1827cd678d62d5addf24f9ecc2fd8364329fb40859753dd5ef3cfd131fafca6c

Download Submit
C:\Users\Admin\Pictures\NS6frHrCjVhlPSJyxMALcGE7.exe

Filesize
8.3MB

MD5
835eeb4e83f3d5f2c3cf64d108353911

SHA1
076a846e5e1cf59a963610225a6c03d2855d3c43

SHA256
c54e3cba439a74f84ca8ac0515457316777175ad3e34fd66d5485e3810fb878d

SHA512
3d2c774d6b87d9cd75994936691a2de4b6ff5a2028301021628e48bd35bc734e1827cd678d62d5addf24f9ecc2fd8364329fb40859753dd5ef3cfd131fafca6c

Download Submit
C:\Users\Admin\Pictures\eybFioyvJthYcJ4zTwTJxLOp.exe

Filesize
2.3MB

MD5
edb1c0127ff571a5fdf1fc391377d7b5

SHA1
55b19cadd7236b2026325feb85f5dcdcead35ffe

SHA256
4df024b55828b1614430476702b416d108d9a12b36ad1c9b2c88e1f9eefc16c0

SHA512
59a7b9c47f70b77447eb42a25735f40564cd7862fb4453e6de35bf5b98e21556370ec9468bbba8ef44a899ecffde5bd6a192d094f3a6b6bc2253a8d015dad5a9

Download Submit
C:\Users\Admin\Pictures\eybFioyvJthYcJ4zTwTJxLOp.exe

Filesize
2.3MB

MD5
edb1c0127ff571a5fdf1fc391377d7b5

SHA1
55b19cadd7236b2026325feb85f5dcdcead35ffe

SHA256
4df024b55828b1614430476702b416d108d9a12b36ad1c9b2c88e1f9eefc16c0

SHA512
59a7b9c47f70b77447eb42a25735f40564cd7862fb4453e6de35bf5b98e21556370ec9468bbba8ef44a899ecffde5bd6a192d094f3a6b6bc2253a8d015dad5a9

Download Submit
C:\Users\Admin\Pictures\eybFioyvJthYcJ4zTwTJxLOp.exe

Filesize
2.3MB

MD5
edb1c0127ff571a5fdf1fc391377d7b5

SHA1
55b19cadd7236b2026325feb85f5dcdcead35ffe

SHA256
4df024b55828b1614430476702b416d108d9a12b36ad1c9b2c88e1f9eefc16c0

SHA512
59a7b9c47f70b77447eb42a25735f40564cd7862fb4453e6de35bf5b98e21556370ec9468bbba8ef44a899ecffde5bd6a192d094f3a6b6bc2253a8d015dad5a9

Download Submit
C:\Users\Admin\Pictures\gTtdILQ2dPHc6pbnfX8viYnt.exe

Filesize
294KB

MD5
4e93f92509a0e5b7d11d2adb48dd1adb

SHA1
22c7bc05bb31d9f7657fd9d17ffc7486232222d3

SHA256
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53

SHA512
7cbbe10bc00c3a61b93c8be47c1d669605834a64f93df784372685c1ab3436940179cb093ecdd520cf659f1fe454c6f0308837c97055e136c569949008b06d3a

Download Submit
C:\Users\Admin\Pictures\gTtdILQ2dPHc6pbnfX8viYnt.exe

Filesize
294KB

MD5
4e93f92509a0e5b7d11d2adb48dd1adb

SHA1
22c7bc05bb31d9f7657fd9d17ffc7486232222d3

SHA256
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53

SHA512
7cbbe10bc00c3a61b93c8be47c1d669605834a64f93df784372685c1ab3436940179cb093ecdd520cf659f1fe454c6f0308837c97055e136c569949008b06d3a

Download Submit
C:\Users\Admin\Pictures\uLJQ9PDoMEpYXiN2bPLM5MwN.exe

Filesize
212B

MD5
963da09532e9758adedf9745c76ec700

SHA1
bc976476358cffdbc3f22b6e491f94ccbf15308d

SHA256
8720b9487cee7dae6db3f8f73273bcbbc56377400b830ca0f089473ebc9603f2

SHA512
2da299bd10de6d425ee84fc2d17f514d003995f489946cdebafa0dcea4058419bcc38beabc2cbbd4546c2117fcf502292b97edffd57da555017762c4f05122f6

Download Submit
C:\Users\Admin\Pictures\yKxb6L80sk24eq7HXjrtU8VF.exe

Filesize
2.8MB

MD5
0621a0283a32a053525f2144578c8fa5

SHA1
611a969d41de80a64f4f5691c8e398e1e21c94f0

SHA256
d84c692b4156a38120b0596cc54ac7b824d75f329d86737ea6df864498745413

SHA512
c79c024d62db4a7ac20d24cf54a36eb1e4e1ee1c9d6c130f76e3003141742dad5a0243cc267232ebe6ead5ea8356e4e15cc6b58107a6373fcea65579eb12edc0

Download Submit
C:\Users\Admin\Pictures\yKxb6L80sk24eq7HXjrtU8VF.exe

Filesize
2.8MB

MD5
0621a0283a32a053525f2144578c8fa5

SHA1
611a969d41de80a64f4f5691c8e398e1e21c94f0

SHA256
d84c692b4156a38120b0596cc54ac7b824d75f329d86737ea6df864498745413

SHA512
c79c024d62db4a7ac20d24cf54a36eb1e4e1ee1c9d6c130f76e3003141742dad5a0243cc267232ebe6ead5ea8356e4e15cc6b58107a6373fcea65579eb12edc0

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Program Files (x86)\ClocX\ClocX.exe

Filesize
2.0MB

MD5
2943a5a31664a8183e993d480b8709bc

SHA1
e7c28c1692073cf3769b61a8b298d09497d2a635

SHA256
282397f5efc6b5a517881350736901620649c3cf0a692423cf77b9093f933e8b

SHA512
f6dfa47d02dc9d1d874b5618c354961ea70e7c5223c27efeb530dbcead610aa8255dfeefe3a68325db9b00ac9df6a5519c885f91ecb82e582bbfa34364cd3518

Download Submit
\Users\Admin\AppData\Local\Temp\Broom.exe

Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2312011809200531328.dll

Filesize
4.6MB

MD5
72989b62a65600350a6e0a211f788bd6

SHA1
b44a04a56f1314b812513058eab1e31a8b3b15b2

SHA256
ae53da82c36b183cd74f11cb1eb4184fc1825400ad34b2a1b8fe253b1fd4a9c2

SHA512
f66ed7c4f3cf555e1eb74ec4481fff2961ea5bb7598fcc74f86394cf4d148b7a6ac2bbb1785a166e6628abdc2ee540a40932f0b072e0a0c9dca61e204ff283da

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\is-6VGSS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-6VGSS.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-6VGSS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6VGSS.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HNAVB.tmp\NS6frHrCjVhlPSJyxMALcGE7.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\nseEDE9.tmp\Checker.dll

Filesize
41KB

MD5
1c708a87005868d050caa1d3547a0776

SHA1
b98ede6170553e2a776636326b7b8d7ad090fde9

SHA256
268ed303a26dc229a19d2c3f4c7238129e9e24bf3ef96cb5ad493cef9f9e3fb6

SHA512
be542fd70edc854c154342e2d2df055c4833859bbc2df7a347e670b7e7edbf625a9a65f4deb0bd9d54d55f83027784ea0554e61bb1547bc53ce4ac8b535db0e3

Download Submit
\Users\Admin\AppData\Local\Temp\nseEDE9.tmp\Zip.dll

Filesize
76KB

MD5
83577ff5aeb8e89d3761e83c6292360f

SHA1
e89c212c4f74698cda36c98cfe84d4706f17ab28

SHA256
634ce5d099ab1abe60d463b90158be7aa5fbc415585175985f1b6a89fdc064c7

SHA512
29136ffea481a826690ec2132ddb8b08f2c4ec14af362887feeb737c228cb8838144f4087533ac8a959cccd14cbe89b17e534f00051d729920cde0b4ae50bb16

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
\Users\Admin\Pictures\6vGEgpFDI7kTw5cKxFzVda76.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
\Users\Admin\Pictures\DSKTZGpxzV48bYWKoWWp71N3.exe

Filesize
4.4MB

MD5
3bd6e4cf4909d288c1593e4a6476cb5c

SHA1
676a31fc52a049044ed428ff64d64d51a6f27e6f

SHA256
65464e44b3e5c9f30569ce3b865891829b55ccaafb01807ca623a1fa0dfdbac9

SHA512
1e36f555c512f6325e0165a4d16677c0daa8f407f36750f7ee13b70027ce981e47e5d84ffd0de35cf5d8966065f1496c125c26824030621c0333abd7f23c2213

Download Submit
\Users\Admin\Pictures\NS6frHrCjVhlPSJyxMALcGE7.exe

Filesize
8.3MB

MD5
835eeb4e83f3d5f2c3cf64d108353911

SHA1
076a846e5e1cf59a963610225a6c03d2855d3c43

SHA256
c54e3cba439a74f84ca8ac0515457316777175ad3e34fd66d5485e3810fb878d

SHA512
3d2c774d6b87d9cd75994936691a2de4b6ff5a2028301021628e48bd35bc734e1827cd678d62d5addf24f9ecc2fd8364329fb40859753dd5ef3cfd131fafca6c

Download Submit
\Users\Admin\Pictures\Opera_installer_2312011809291651328.dll

Filesize
4.6MB

MD5
72989b62a65600350a6e0a211f788bd6

SHA1
b44a04a56f1314b812513058eab1e31a8b3b15b2

SHA256
ae53da82c36b183cd74f11cb1eb4184fc1825400ad34b2a1b8fe253b1fd4a9c2

SHA512
f66ed7c4f3cf555e1eb74ec4481fff2961ea5bb7598fcc74f86394cf4d148b7a6ac2bbb1785a166e6628abdc2ee540a40932f0b072e0a0c9dca61e204ff283da

Download Submit
\Users\Admin\Pictures\eybFioyvJthYcJ4zTwTJxLOp.exe

Filesize
2.3MB

MD5
edb1c0127ff571a5fdf1fc391377d7b5

SHA1
55b19cadd7236b2026325feb85f5dcdcead35ffe

SHA256
4df024b55828b1614430476702b416d108d9a12b36ad1c9b2c88e1f9eefc16c0

SHA512
59a7b9c47f70b77447eb42a25735f40564cd7862fb4453e6de35bf5b98e21556370ec9468bbba8ef44a899ecffde5bd6a192d094f3a6b6bc2253a8d015dad5a9

Download Submit
\Users\Admin\Pictures\gTtdILQ2dPHc6pbnfX8viYnt.exe

Filesize
294KB

MD5
4e93f92509a0e5b7d11d2adb48dd1adb

SHA1
22c7bc05bb31d9f7657fd9d17ffc7486232222d3

SHA256
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53

SHA512
7cbbe10bc00c3a61b93c8be47c1d669605834a64f93df784372685c1ab3436940179cb093ecdd520cf659f1fe454c6f0308837c97055e136c569949008b06d3a

Download Submit
\Users\Admin\Pictures\gTtdILQ2dPHc6pbnfX8viYnt.exe

Filesize
294KB

MD5
4e93f92509a0e5b7d11d2adb48dd1adb

SHA1
22c7bc05bb31d9f7657fd9d17ffc7486232222d3

SHA256
f588fb0d22eb7e81736deb57a487fa494e7b7d970dd00e521e95fdc80eb12d53

SHA512
7cbbe10bc00c3a61b93c8be47c1d669605834a64f93df784372685c1ab3436940179cb093ecdd520cf659f1fe454c6f0308837c97055e136c569949008b06d3a

Download Submit
\Users\Admin\Pictures\yKxb6L80sk24eq7HXjrtU8VF.exe

Filesize
2.8MB

MD5
0621a0283a32a053525f2144578c8fa5

SHA1
611a969d41de80a64f4f5691c8e398e1e21c94f0

SHA256
d84c692b4156a38120b0596cc54ac7b824d75f329d86737ea6df864498745413

SHA512
c79c024d62db4a7ac20d24cf54a36eb1e4e1ee1c9d6c130f76e3003141742dad5a0243cc267232ebe6ead5ea8356e4e15cc6b58107a6373fcea65579eb12edc0

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
e2b1e2fa297a49b625d88de19b5a6a7e

SHA1
b9edbd421c149cd2a764fd5fea585a7e4e673faa

SHA256
36bdbca0fef9a1dc7feb7b21d54ae3cb3c36cf43c7ed588bc7c2548ffc05317d

SHA512
95df62b3a8b2aebed20052efe4f36d903869bc2e4f429a4baf447a3a6a136671fdf5fcbdb8dbc2dd04f2b1dde4e1311eb38277891bd3ab10c8c35ea8d599d077

Download Submit
memory/668-359-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/668-295-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/668-152-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/828-677-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-710-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-730-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-376-0x0000000002780000-0x0000000002B78000-memory.dmp

Filesize
4.0MB

Download
memory/828-675-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-674-0x0000000002780000-0x0000000002B78000-memory.dmp

Filesize
4.0MB

Download
memory/828-440-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-406-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-723-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/828-377-0x0000000002780000-0x0000000002B78000-memory.dmp

Filesize
4.0MB

Download
memory/828-379-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/932-315-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/932-324-0x0000000002AF0000-0x00000000033DB000-memory.dmp

Filesize
8.9MB

Download
memory/932-172-0x00000000026F0000-0x0000000002AE8000-memory.dmp

Filesize
4.0MB

Download
memory/932-182-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/932-173-0x0000000002AF0000-0x00000000033DB000-memory.dmp

Filesize
8.9MB

Download
memory/932-153-0x00000000026F0000-0x0000000002AE8000-memory.dmp

Filesize
4.0MB

Download
memory/932-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1328-114-0x0000000001020000-0x0000000001548000-memory.dmp

Filesize
5.2MB

Download
memory/1328-373-0x0000000001020000-0x0000000001548000-memory.dmp

Filesize
5.2MB

Download
memory/1440-712-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1440-374-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1440-728-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1440-363-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1440-294-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1440-165-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1452-292-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1452-128-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1452-124-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1720-19-0x0000000070E90000-0x000000007143B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-16-0x0000000070E90000-0x000000007143B000-memory.dmp

Filesize
5.7MB

Download
memory/1720-17-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1720-18-0x00000000023E0000-0x0000000002420000-memory.dmp

Filesize
256KB

Download
memory/1720-15-0x0000000070E90000-0x000000007143B000-memory.dmp

Filesize
5.7MB

Download
memory/1768-1-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1768-10-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/1768-0-0x0000000000270000-0x00000000002E8000-memory.dmp

Filesize
480KB

Download
memory/1768-4-0x0000000001EB0000-0x0000000001ED6000-memory.dmp

Filesize
152KB

Download
memory/1768-3-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/1768-2-0x0000000000300000-0x000000000031A000-memory.dmp

Filesize
104KB

Download
memory/1876-293-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1876-178-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1876-180-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1876-354-0x0000000000400000-0x00000000007D3000-memory.dmp

Filesize
3.8MB

Download
memory/1876-355-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1876-356-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/1876-179-0x0000000000970000-0x0000000000A70000-memory.dmp

Filesize
1024KB

Download
memory/1980-200-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1980-201-0x0000000003C90000-0x00000000048B7000-memory.dmp

Filesize
12.2MB

Download
memory/1980-208-0x0000000002D20000-0x0000000002D5A000-memory.dmp

Filesize
232KB

Download
memory/1980-196-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2056-12-0x0000000001060000-0x00000000010A0000-memory.dmp

Filesize
256KB

Download
memory/2056-171-0x0000000001060000-0x00000000010A0000-memory.dmp

Filesize
256KB

Download
memory/2056-215-0x0000000006990000-0x0000000006EB8000-memory.dmp

Filesize
5.2MB

Download
memory/2056-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2056-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2056-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2056-164-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2056-100-0x0000000006990000-0x0000000006EB8000-memory.dmp

Filesize
5.2MB

Download
memory/2056-11-0x0000000074C10000-0x00000000752FE000-memory.dmp

Filesize
6.9MB

Download
memory/2264-390-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2264-405-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2276-717-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2276-721-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2328-720-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2328-726-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2520-372-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2520-361-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2520-360-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download
memory/2520-357-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download