glupteba | 8be6bf95b0faf13153d79974f9bee22107abffa51eae2d02bbf0b8e2c49485c1

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
08-12-2023 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

237KB
MD5

94f44206d911043f2d04a03000ee2280
SHA1

1d588b58c5b2eac5abf28ac4fc876c0fcf26a68e
SHA256

8be6bf95b0faf13153d79974f9bee22107abffa51eae2d02bbf0b8e2c49485c1
SHA512

6ab5ca31f731080a7962a2cf75f3ab582ddb9e1cdd5ba45d27180301ee3015370af97964b7a7bbebdc255c5f093354703f06212a532395fe5b10541401a93c2a
SSDEEP

3072:RG6Fo5y1GPPcBjGtPdyICWv9t7NyFQZM+nbiud/RVAD5Z5OeTC8L:K5bzFy0Vt8FCbiu1U3T

Score

10^/10

glupteba raccoon smokeloader pub1 backdoor collection discovery dropper evasion loader persistence rootkit spyware stealer themida trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/364-96-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/364-97-0x0000000002A90000-0x000000000337B000-memory.dmp	family_glupteba
behavioral1/memory/364-144-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1884-148-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1660-204-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1884-202-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1660-248-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1660-348-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1660-355-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1660-393-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1660-409-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2148-254-0x0000000000220000-0x0000000000236000-memory.dmp	family_raccoon_v2
behavioral1/memory/2148-255-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2
behavioral1/memory/2148-356-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2975.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2975.exe = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	2975.exe

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

7872.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\Performance	7872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxMouse\Performance	7872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxService\Performance	7872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxSF\Performance	7872.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxVideo\Performance	7872.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

F20.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ F20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	F20.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2484	bcdedit.exe
2244	bcdedit.exe
2648	bcdedit.exe
2688	bcdedit.exe
2460	bcdedit.exe
2588	bcdedit.exe
320	bcdedit.exe
2536	bcdedit.exe
1528	bcdedit.exe
2676	bcdedit.exe
2864	bcdedit.exe
2728	bcdedit.exe
3012	bcdedit.exe
2080	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

896 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
896	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	F20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	F20.exe

Deletes itself 1 IoCs

Processes:

pid process

1244

pid	process
1244

Executes dropped EXE 17 IoCs

Processes:

6F4.exeF20.exe1AC4.exe2975.exe411B.exe411B.tmp2975.exe5AD3.exe5AD3.tmpcsrss.exepatch.exe7872.exeinjector.exe7CF5.exedsefix.exewindefender.exewindefender.exe

pid	process
2564	6F4.exe
2628	F20.exe
3008	1AC4.exe
364	2975.exe
2336	411B.exe
1160	411B.tmp
1884	2975.exe
1080	5AD3.exe
688	5AD3.tmp
1660	csrss.exe
2580	patch.exe
3028	7872.exe
3020	injector.exe
2148	7CF5.exe
2480	dsefix.exe
3052	windefender.exe
2028	windefender.exe

Loads dropped DLL 27 IoCs

Processes:

regsvr32.exeWerFault.exe411B.exe411B.tmp5AD3.exe5AD3.tmp2975.exepatch.execsrss.exe

pid	process
1528	regsvr32.exe
2568	WerFault.exe
2568	WerFault.exe
2568	WerFault.exe
2336	411B.exe
1160	411B.tmp
1160	411B.tmp
1160	411B.tmp
1160	411B.tmp
1080	5AD3.exe
688	5AD3.tmp
688	5AD3.tmp
688	5AD3.tmp
688	5AD3.tmp
1884	2975.exe
1884	2975.exe
840
2580	patch.exe
2580	patch.exe
2580	patch.exe
2580	patch.exe
2580	patch.exe
1660	csrss.exe
2580	patch.exe
2580	patch.exe
2580	patch.exe
1660	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\F20.exe	themida
behavioral1/memory/2628-57-0x0000000001000000-0x0000000001B40000-memory.dmp	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral1/memory/3052-405-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2975.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	2975.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2975.exe = "0"	2975.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2975.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	2975.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

F20.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F20.exe
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

F20.exe

pid process

2628 F20.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

6F4.exe

description pid process target process

PID 2564 set thread context of 3064 2564 6F4.exe AppLaunch.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

2975.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 2975.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	F20.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

pid	process
2628	F20.exe

description	pid	process	target process
PID 2564 set thread context of 3064	2564	6F4.exe	AppLaunch.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	2975.exe

Drops file in Program Files directory 5 IoCs

Processes:

411B.tmp

description	ioc	process
File created	C:\Program Files (x86)\DaisoLIB\uninstall\unins000.dat	411B.tmp
File created	C:\Program Files (x86)\DaisoLIB\uninstall\is-6JQ99.tmp	411B.tmp
File created	C:\Program Files (x86)\DaisoLIB\stuff\is-STCVB.tmp	411B.tmp
File created	C:\Program Files (x86)\DaisoLIB\stuff\is-77KPU.tmp	411B.tmp
File created	C:\Program Files (x86)\DaisoLIB\stuff\is-RINS3.tmp	411B.tmp

Drops file in Windows directory 5 IoCs

Processes:

2975.exemakecab.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	2975.exe
File created	C:\Windows\rss\csrss.exe	2975.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231208105110.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1596 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2568 2564 WerFault.exe 6F4.exe

pid	process
1596	sc.exe

pid	pid_target	process	target process
2568	2564	WerFault.exe	6F4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe1AC4.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1AC4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1AC4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1AC4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1568 schtasks.exe
2024 schtasks.exe

pid	process
1568	schtasks.exe
2024	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

2975.exewindefender.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	2975.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

csrss.exepatch.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
2200	file.exe
2200	file.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1244
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exe1AC4.exe

pid process

2200 file.exe
3008 1AC4.exe
1244
1244
1244
1244

pid	process
1244

pid	process
464

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

AppLaunch.exe2975.execsrss.exeF20.exe7872.exesc.exe

description	pid	process
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeDebugPrivilege	3064	AppLaunch.exe
Token: SeDebugPrivilege	364	2975.exe
Token: SeImpersonatePrivilege	364	2975.exe
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeSystemEnvironmentPrivilege	1660	csrss.exe
Token: SeDebugPrivilege	2628	F20.exe
Token: SeDebugPrivilege	3028	7872.exe
Token: SeShutdownPrivilege	1244
Token: SeSecurityPrivilege	1596	sc.exe
Token: SeSecurityPrivilege	1596	sc.exe
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe6F4.exe411B.exe

description	pid	process	target process
PID 1244 wrote to memory of 2712	1244		regsvr32.exe
PID 1244 wrote to memory of 2712	1244		regsvr32.exe
PID 1244 wrote to memory of 2712	1244		regsvr32.exe
PID 1244 wrote to memory of 2712	1244		regsvr32.exe
PID 1244 wrote to memory of 2712	1244		regsvr32.exe
PID 2712 wrote to memory of 1528	2712	regsvr32.exe	regsvr32.exe
PID 2712 wrote to memory of 1528	2712	regsvr32.exe	regsvr32.exe
PID 2712 wrote to memory of 1528	2712	regsvr32.exe	regsvr32.exe
PID 2712 wrote to memory of 1528	2712	regsvr32.exe	regsvr32.exe
PID 2712 wrote to memory of 1528	2712	regsvr32.exe	regsvr32.exe
PID 2712 wrote to memory of 1528	2712	regsvr32.exe	regsvr32.exe
PID 2712 wrote to memory of 1528	2712	regsvr32.exe	regsvr32.exe
PID 1244 wrote to memory of 2564	1244		6F4.exe
PID 1244 wrote to memory of 2564	1244		6F4.exe
PID 1244 wrote to memory of 2564	1244		6F4.exe
PID 1244 wrote to memory of 2564	1244		6F4.exe
PID 2564 wrote to memory of 2748	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 2748	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 2748	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 2748	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 2748	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 2748	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 2748	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 2564 wrote to memory of 3064	2564	6F4.exe	AppLaunch.exe
PID 1244 wrote to memory of 2628	1244		F20.exe
PID 1244 wrote to memory of 2628	1244		F20.exe
PID 1244 wrote to memory of 2628	1244		F20.exe
PID 1244 wrote to memory of 2628	1244		F20.exe
PID 2564 wrote to memory of 2568	2564	6F4.exe	WerFault.exe
PID 2564 wrote to memory of 2568	2564	6F4.exe	WerFault.exe
PID 2564 wrote to memory of 2568	2564	6F4.exe	WerFault.exe
PID 2564 wrote to memory of 2568	2564	6F4.exe	WerFault.exe
PID 1244 wrote to memory of 3008	1244		1AC4.exe
PID 1244 wrote to memory of 3008	1244		1AC4.exe
PID 1244 wrote to memory of 3008	1244		1AC4.exe
PID 1244 wrote to memory of 3008	1244		1AC4.exe
PID 1244 wrote to memory of 364	1244		2975.exe
PID 1244 wrote to memory of 364	1244		2975.exe
PID 1244 wrote to memory of 364	1244		2975.exe
PID 1244 wrote to memory of 364	1244		2975.exe
PID 1244 wrote to memory of 2336	1244		411B.exe
PID 1244 wrote to memory of 2336	1244		411B.exe
PID 1244 wrote to memory of 2336	1244		411B.exe
PID 1244 wrote to memory of 2336	1244		411B.exe
PID 1244 wrote to memory of 2336	1244		411B.exe
PID 1244 wrote to memory of 2336	1244		411B.exe
PID 1244 wrote to memory of 2336	1244		411B.exe
PID 2336 wrote to memory of 1160	2336	411B.exe	411B.tmp
PID 2336 wrote to memory of 1160	2336	411B.exe	411B.tmp
PID 2336 wrote to memory of 1160	2336	411B.exe	411B.tmp
PID 2336 wrote to memory of 1160	2336	411B.exe	411B.tmp
PID 2336 wrote to memory of 1160	2336	411B.exe	411B.tmp
PID 2336 wrote to memory of 1160	2336	411B.exe	411B.tmp

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2200

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\57D.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\57D.dll
2⤵
- Loads dropped DLL
PID:1528

C:\Users\Admin\AppData\Local\Temp\6F4.exe
C:\Users\Admin\AppData\Local\Temp\6F4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 108
2⤵
- Loads dropped DLL
- Program crash
PID:2568

C:\Users\Admin\AppData\Local\Temp\F20.exe
C:\Users\Admin\AppData\Local\Temp\F20.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Users\Admin\AppData\Local\Temp\1AC4.exe
C:\Users\Admin\AppData\Local\Temp\1AC4.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3008

C:\Users\Admin\AppData\Local\Temp\2975.exe
C:\Users\Admin\AppData\Local\Temp\2975.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Users\Admin\AppData\Local\Temp\2975.exe
"C:\Users\Admin\AppData\Local\Temp\2975.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1260

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:896

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2580

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:2484

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:2244

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:2648

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:2688

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:2460

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:2588

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:320

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:2536

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:1528

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:2676

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:2864

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:2728

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:3012

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:3020

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:2080

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2024

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:3052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:2004

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231208105110.log C:\Windows\Logs\CBS\CbsPersist_20231208105110.cab
1⤵
- Drops file in Windows directory
PID:2012

C:\Users\Admin\AppData\Local\Temp\411B.exe
C:\Users\Admin\AppData\Local\Temp\411B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\is-3K5GB.tmp\411B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3K5GB.tmp\411B.tmp" /SL5="$801B6,7930751,54272,C:\Users\Admin\AppData\Local\Temp\411B.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1160

C:\Users\Admin\AppData\Local\Temp\5AD3.exe
C:\Users\Admin\AppData\Local\Temp\5AD3.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080

C:\Users\Admin\AppData\Local\Temp\is-9UFR3.tmp\5AD3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9UFR3.tmp\5AD3.tmp" /SL5="$2019C,7920261,54272,C:\Users\Admin\AppData\Local\Temp\5AD3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688

C:\Users\Admin\AppData\Local\Temp\7872.exe
C:\Users\Admin\AppData\Local\Temp\7872.exe
1⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3028 -s 5756
2⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\7CF5.exe
C:\Users\Admin\AppData\Local\Temp\7CF5.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2872

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1952

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1760

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AC4.exe
Filesize
238KB

MD5
83490772df4c5c1867cb7d0d1cae2fb1

SHA1
abd0a91752c928d91a34d3c0a79e4ce5c9363c4d

SHA256
07e0d30e8be5182f9607f029d1d19d09c44c36f1835f2aa9aba1c15264482b9b

SHA512
fbe979460a6eb9d0300259e01da88eceeffe6f42aae158e899f0f2c3e7cbfd74c0a1e2f98eb1a0e4473d0587dc4ac64e298beaff6d5fe1919fb01a558298ec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\1AC4.exe
Filesize
238KB

MD5
83490772df4c5c1867cb7d0d1cae2fb1

SHA1
abd0a91752c928d91a34d3c0a79e4ce5c9363c4d

SHA256
07e0d30e8be5182f9607f029d1d19d09c44c36f1835f2aa9aba1c15264482b9b

SHA512
fbe979460a6eb9d0300259e01da88eceeffe6f42aae158e899f0f2c3e7cbfd74c0a1e2f98eb1a0e4473d0587dc4ac64e298beaff6d5fe1919fb01a558298ec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\2975.exe
Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2975.exe
Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2975.exe
Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\2975.exe
Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\411B.exe
Filesize
7.8MB

MD5
7587ce3f4d3f5a7c8c7e3e46b542256f

SHA1
9c659ec3576ef95240fd28d204ce10a0d09799c9

SHA256
793b6e20b9aca4c2eeca3b7596220e999b58707afb52441ffd2b870be8eb8273

SHA512
3ab49f57961f0c81a31bd75f4892f364dbddd2c43d57eaebbdebc8185d8c97fbff745f94d1d663f7e5042c87d03c1a4d57720d92b23ba5d8a779d615449fab96

Download Submit
C:\Users\Admin\AppData\Local\Temp\411B.exe
Filesize
7.8MB

MD5
7587ce3f4d3f5a7c8c7e3e46b542256f

SHA1
9c659ec3576ef95240fd28d204ce10a0d09799c9

SHA256
793b6e20b9aca4c2eeca3b7596220e999b58707afb52441ffd2b870be8eb8273

SHA512
3ab49f57961f0c81a31bd75f4892f364dbddd2c43d57eaebbdebc8185d8c97fbff745f94d1d663f7e5042c87d03c1a4d57720d92b23ba5d8a779d615449fab96

Download Submit
C:\Users\Admin\AppData\Local\Temp\57D.dll
Filesize
3.0MB

MD5
3a750b231ca7d49b77a2811578e223ac

SHA1
dbf0520ff8919405d4ffaa620dfce2db63e56367

SHA256
f75b0fc647b7f0a05d07ec3fe7b8880d6099074151e889108eff670a4dc675c2

SHA512
05751db3d113250df57bcf99dae3fe2b04737adfd29384caf17002fcbd272aca85675fb33a25083315fb0f4f2c5524f6c425c3f42f1afc7eceda154aa54578d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AD3.exe
Filesize
7.8MB

MD5
b215f3726cc4ad0ee51479c703226921

SHA1
4ba2b845ec53115b9e9d1553377782becd749430

SHA256
fc82ae779fe7fe22a71d9baca800a7318ee5bccc419b301916a24dcba9a93e70

SHA512
a9667cb046c0530f216bf2116f7f93087f8ae2745f22654a9a486dfed3510496a403d3443a26d142252ef2ac9177b81115fd24127faa6092dc6173e2c369b27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AD3.exe
Filesize
7.8MB

MD5
b215f3726cc4ad0ee51479c703226921

SHA1
4ba2b845ec53115b9e9d1553377782becd749430

SHA256
fc82ae779fe7fe22a71d9baca800a7318ee5bccc419b301916a24dcba9a93e70

SHA512
a9667cb046c0530f216bf2116f7f93087f8ae2745f22654a9a486dfed3510496a403d3443a26d142252ef2ac9177b81115fd24127faa6092dc6173e2c369b27e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F4.exe
Filesize
1.1MB

MD5
8d6db1c0be603e301e14d59ef24d7b06

SHA1
4d31f48256ed1320605284c119dffadd14dcc510

SHA256
e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

SHA512
53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F4.exe
Filesize
1.1MB

MD5
8d6db1c0be603e301e14d59ef24d7b06

SHA1
4d31f48256ed1320605284c119dffadd14dcc510

SHA256
e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

SHA512
53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7872.exe
Filesize
7.5MB

MD5
879cde359bb9b468b133a08b540daa2e

SHA1
431f4b3f013363b0c5f9c24db02f93c69fb7ca4d

SHA256
8a72479e5543a93625afeb3caf9e5b420b687cb84dff2c769bd8ab971dfe864b

SHA512
665665ef5218e49be7b03ae4d787cce64d468fb3c4b5c3ceb48a84eca79c621f3d50b83ae8271016e1f64ab2b995f34faf89b603902161633d5a503acae410f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7872.exe
Filesize
7.5MB

MD5
879cde359bb9b468b133a08b540daa2e

SHA1
431f4b3f013363b0c5f9c24db02f93c69fb7ca4d

SHA256
8a72479e5543a93625afeb3caf9e5b420b687cb84dff2c769bd8ab971dfe864b

SHA512
665665ef5218e49be7b03ae4d787cce64d468fb3c4b5c3ceb48a84eca79c621f3d50b83ae8271016e1f64ab2b995f34faf89b603902161633d5a503acae410f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CF5.exe
Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CF5.exe
Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab90EC.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F20.exe
Filesize
4.6MB

MD5
18522f12bc42b23be611bd4d961d7bff

SHA1
6c37991adeb58df30b3476acddb97ac7152d2662

SHA256
ad68b573ce00db5608871f4a64c1f92bf77f63be5f149d7cbb176d24d63d12fd

SHA512
019df8189e2889fb500c849faee9984f2bb42ac74ffe843eb6f964febdea48a3ef8963f02d38f233a4abd8156dee543a14da786dfa5e6025e3ab34f0020dafb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar920C.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3K5GB.tmp\411B.tmp
Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3VK1L.tmp\DaisoLIB\stuff\is-7IDNR.tmp
Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3VK1L.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UFR3.tmp\5AD3.tmp
Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UFR3.tmp\5AD3.tmp
Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UFR3.tmp\5AD3.tmp
Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe
Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\??\c:\users\admin\appdata\local\temp\is-3k5gb.tmp\411b.tmp
Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\57D.dll
Filesize
3.0MB

MD5
3a750b231ca7d49b77a2811578e223ac

SHA1
dbf0520ff8919405d4ffaa620dfce2db63e56367

SHA256
f75b0fc647b7f0a05d07ec3fe7b8880d6099074151e889108eff670a4dc675c2

SHA512
05751db3d113250df57bcf99dae3fe2b04737adfd29384caf17002fcbd272aca85675fb33a25083315fb0f4f2c5524f6c425c3f42f1afc7eceda154aa54578d9

Download Submit
\Users\Admin\AppData\Local\Temp\6F4.exe
Filesize
1.1MB

MD5
8d6db1c0be603e301e14d59ef24d7b06

SHA1
4d31f48256ed1320605284c119dffadd14dcc510

SHA256
e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

SHA512
53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

Download Submit
\Users\Admin\AppData\Local\Temp\6F4.exe
Filesize
1.1MB

MD5
8d6db1c0be603e301e14d59ef24d7b06

SHA1
4d31f48256ed1320605284c119dffadd14dcc510

SHA256
e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

SHA512
53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

Download Submit
\Users\Admin\AppData\Local\Temp\6F4.exe
Filesize
1.1MB

MD5
8d6db1c0be603e301e14d59ef24d7b06

SHA1
4d31f48256ed1320605284c119dffadd14dcc510

SHA256
e6bc630ef036093b32773f92b3204391b31285dcd173f12ce2acb7830f812de2

SHA512
53abdf54aabd735dfccd02045f47381136bd37b5bc1d7d6c8ec164b228b8b4d73c4847d2798619e9bae86e3317eee39b7bf40cea1fe4f31451fa4b2d8b2f22e2

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\is-3K5GB.tmp\411B.tmp
Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-3VK1L.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-3VK1L.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-3VK1L.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-3VK1L.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-9UFR3.tmp\5AD3.tmp
Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-EJ9R4.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-EJ9R4.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-EJ9R4.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-EJ9R4.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
\Windows\rss\csrss.exe
Filesize
4.1MB

MD5
20ef67d27729a102f1d7eb78a1d096b7

SHA1
72e0000abca7dafa74b7d9ea08aa1cef818c7060

SHA256
a44c86d66d73625631213ade970c34ae88a53035c1b8ccad151cc620f4e72083

SHA512
511f23c3be99574c6a28c07a3858bcfa3e0c802502dc158f2301ef2cc5171fb59917859a920cff30cc410fe24b55e8bded10868bac9ba1d069906a35b72448f4

Download Submit
memory/364-94-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/364-144-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/364-147-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/364-95-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/364-96-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/364-97-0x0000000002A90000-0x000000000337B000-memory.dmp

Filesize
8.9MB

Download
memory/688-181-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/688-247-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1080-246-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1080-161-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1080-156-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1160-131-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1160-208-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1244-4-0x0000000002980000-0x0000000002996000-memory.dmp

Filesize
88KB

Download
memory/1244-98-0x0000000003800000-0x0000000003816000-memory.dmp

Filesize
88KB

Download
memory/1528-23-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/1528-47-0x0000000002420000-0x0000000002533000-memory.dmp

Filesize
1.1MB

Download
memory/1528-50-0x0000000002420000-0x0000000002533000-memory.dmp

Filesize
1.1MB

Download
memory/1528-55-0x0000000002420000-0x0000000002533000-memory.dmp

Filesize
1.1MB

Download
memory/1528-46-0x00000000022E0000-0x0000000002412000-memory.dmp

Filesize
1.2MB

Download
memory/1528-24-0x0000000010000000-0x00000000102FB000-memory.dmp

Filesize
3.0MB

Download
memory/1660-393-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1660-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1660-409-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1660-204-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1660-203-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1660-348-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1660-201-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1660-355-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1884-202-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1884-143-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1884-146-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1884-148-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1952-284-0x0000000000130000-0x00000000001B0000-memory.dmp

Filesize
512KB

Download
memory/1952-285-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1952-283-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/2148-356-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2148-251-0x0000000000A30000-0x0000000000B30000-memory.dmp

Filesize
1024KB

Download
memory/2148-255-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2148-254-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2200-1-0x00000000008E0000-0x00000000009E0000-memory.dmp

Filesize
1024KB

Download
memory/2200-5-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2200-3-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2200-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2336-108-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2336-207-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2580-214-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2580-228-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2628-75-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-77-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-160-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-43-0x0000000001000000-0x0000000001B40000-memory.dmp

Filesize
11.2MB

Download
memory/2628-149-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-150-0x0000000076250000-0x0000000076297000-memory.dmp

Filesize
284KB

Download
memory/2628-151-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-57-0x0000000001000000-0x0000000001B40000-memory.dmp

Filesize
11.2MB

Download
memory/2628-130-0x0000000001000000-0x0000000001B40000-memory.dmp

Filesize
11.2MB

Download
memory/2628-60-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-88-0x0000000005630000-0x0000000005670000-memory.dmp

Filesize
256KB

Download
memory/2628-58-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-66-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-67-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-68-0x0000000076250000-0x0000000076297000-memory.dmp

Filesize
284KB

Download
memory/2628-83-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-82-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/2628-78-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-69-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-70-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-71-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-72-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-79-0x00000000770A0000-0x00000000770A2000-memory.dmp

Filesize
8KB

Download
memory/2628-73-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2628-74-0x0000000076650000-0x0000000076760000-memory.dmp

Filesize
1.1MB

Download
memory/2872-260-0x0000000000130000-0x00000000001B0000-memory.dmp

Filesize
512KB

Download
memory/2872-256-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/2872-253-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/2872-270-0x00000000000C0000-0x000000000012B000-memory.dmp

Filesize
428KB

Download
memory/3008-84-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/3008-99-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3008-80-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/3008-81-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/3028-331-0x000000001B3E0000-0x000000001B460000-memory.dmp

Filesize
512KB

Download
memory/3028-372-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

Filesize
9.9MB

Download
memory/3028-332-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3028-238-0x000007FEF49E0000-0x000007FEF53CC000-memory.dmp

Filesize
9.9MB

Download
memory/3028-252-0x0000000000030000-0x00000000007B2000-memory.dmp

Filesize
7.5MB

Download
memory/3052-405-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3064-205-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-56-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-170-0x0000000001360000-0x00000000013A0000-memory.dmp

Filesize
256KB

Download
memory/3064-145-0x0000000073990000-0x000000007407E000-memory.dmp

Filesize
6.9MB

Download
memory/3064-39-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3064-37-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3064-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3064-34-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3064-33-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/3064-30-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3064-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3064-85-0x0000000001360000-0x00000000013A0000-memory.dmp

Filesize
256KB

Download
memory/3064-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download