glupteba | a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20231130-en
resource tags

arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
submitted
08-12-2023 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be9d02e68254f125e51577acaba81f25.exe
Size

238KB
MD5

be9d02e68254f125e51577acaba81f25
SHA1

87a2a3ed4ae400b6c03e73d3298d37a2b9f27aea
SHA256

a58e48ffbc29d8dd0a8d518e4665d478ce641aa60754c38b29634e9650135e75
SHA512

1a524616e7b4cdbffa77ee6503c575c1f110906a594b517a70de77ca7557a3f7debc2580551cd7b8257167622d228b9c5833b341b4ea1fcef5f351a3956138c3
SSDEEP

3072:A0OuGN405qDf+O8sIrVAJvyMqRoR5oGiWHqTCK:q9NrqDft83hAJrv3BHqT

Malware Config

Extracted

Family

smokeloader

Version

2022

http://onualituyrs.org/

http://sumagulituyo.org/

http://snukerukeutit.org/

http://lightseinsteniki.org/

http://liuliuoumumy.org/

http://stualialuyastrelia.net/

http://kumbuyartyty.net/

http://criogetikfenbut.org/

http://tonimiuyaytre.org/

http://tyiuiunuewqy.org/

http://humydrole.com/tmp/index.php

http://trunk-co.ru/tmp/index.php

http://weareelight.com/tmp/index.php

http://pirateking.online/tmp/index.php

http://piratia.pw/tmp/index.php

http://go-piratia.ru/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

lumma

http://opposesicknessopw.pw/api

Signatures

Detect Lumma Stealer payload V2 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2284-125-0x0000000000400000-0x000000000047E000-memory.dmp	family_lumma_V2

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\9270.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\9270.exe	family_zgrat_v1
behavioral1/memory/2620-19-0x0000000000C30000-0x0000000001144000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3048-139-0x0000000002A10000-0x00000000032FB000-memory.dmp	family_glupteba
behavioral1/memory/3048-140-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3048-201-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2624-206-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2624-215-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1852-219-0x0000000002BE0000-0x00000000034CB000-memory.dmp	family_glupteba
behavioral1/memory/1852-221-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-30-0x0000000000220000-0x0000000000236000-memory.dmp	family_raccoon_v2
behavioral1/memory/2132-32-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2
behavioral1/memory/2132-57-0x0000000000400000-0x000000000085E000-memory.dmp	family_raccoon_v2

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

210F.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\210F.exe = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	210F.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

578D.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 578D.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	578D.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
3068	bcdedit.exe
1296	bcdedit.exe
1848	bcdedit.exe
960	bcdedit.exe
1032	bcdedit.exe
716	bcdedit.exe
1880	bcdedit.exe
1816	bcdedit.exe
2432	bcdedit.exe
1488	bcdedit.exe
2496	bcdedit.exe
2556	bcdedit.exe
2920	bcdedit.exe
1136	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2292 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
2292	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

578D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	578D.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	578D.exe

Deletes itself 1 IoCs

Processes:

pid process

1384

pid	process
1384

Executes dropped EXE 21 IoCs

Processes:

9270.exe9435.exe95BC.exeF819.exe210F.exe300E.exe300E.tmp210F.execsrss.exepatch.exeinjector.exe4BA9.exe4BA9.tmpMaildelivery.exe578D.exeMaildelivery.exedsefix.exeE06B.exeEF4B.exewindefender.exewindefender.exe

pid	process
2620	9270.exe
2132	9435.exe
2612	95BC.exe
1336	F819.exe
3048	210F.exe
1856	300E.exe
908	300E.tmp
2624	210F.exe
1852	csrss.exe
2852	patch.exe
1840	injector.exe
916	4BA9.exe
2900	4BA9.tmp
1592	Maildelivery.exe
1584	578D.exe
1548	Maildelivery.exe
880	dsefix.exe
1568	E06B.exe
2420	EF4B.exe
2256	windefender.exe
1660	windefender.exe

Loads dropped DLL 28 IoCs

Processes:

regsvr32.exe9270.exe300E.exe300E.tmp210F.exepatch.execsrss.exe4BA9.exe4BA9.tmpE06B.exeEF4B.exe

pid	process
2656	regsvr32.exe
2620	9270.exe
1856	300E.exe
908	300E.tmp
908	300E.tmp
908	300E.tmp
908	300E.tmp
2624	210F.exe
2624	210F.exe
872
2852	patch.exe
2852	patch.exe
2852	patch.exe
2852	patch.exe
2852	patch.exe
1852	csrss.exe
916	4BA9.exe
2900	4BA9.tmp
2900	4BA9.tmp
2900	4BA9.tmp
2900	4BA9.tmp
2900	4BA9.tmp
2852	patch.exe
2852	patch.exe
2852	patch.exe
1852	csrss.exe
1568	E06B.exe
2420	EF4B.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\578D.exe	themida
behavioral1/memory/1584-475-0x0000000001060000-0x00000000018F2000-memory.dmp	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

210F.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\210F.exe = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	210F.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	210F.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

210F.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	210F.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

578D.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 578D.exe
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

578D.exe

pid process

1584 578D.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	578D.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

pid	process
1584	578D.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

95BC.exe9270.exeEF4B.exe

description	pid	process	target process
PID 2612 set thread context of 2480	2612	95BC.exe	AppLaunch.exe
PID 2620 set thread context of 2284	2620	9270.exe	RegSvcs.exe
PID 2420 set thread context of 2784	2420	EF4B.exe	RegSvcs.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

210F.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 210F.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	210F.exe

Drops file in Program Files directory 64 IoCs

Processes:

4BA9.tmp300E.tmp

description	ioc	process
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-73D87.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-SVGCG.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-FKFT0.tmp	4BA9.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\uninstall\unins000.dat	300E.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-F597G.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-O82PE.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-37P3R.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-TK17V.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-0LMOA.tmp	4BA9.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\uninstall\is-02DSL.tmp	300E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-K3RQB.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-7MF6Q.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-KN4PG.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-ER83O.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-SSNAA.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-4SIKS.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-7Q5G6.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-FATDD.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-JPK2L.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-SJ5DS.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-TSMTV.tmp	4BA9.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-H1T7H.tmp	300E.tmp
File created	C:\Program Files (x86)\Maildelivery\uninstall\is-ATU09.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-99MHO.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-GGS56.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-AP0UL.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-BOHUA.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-R7IFQ.tmp	4BA9.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-R63GN.tmp	300E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-RMCG8.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-KSHHK.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-J8654.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-SIKNP.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-99G4A.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-UBDSG.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\plugins\internal\is-T1J4E.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-QRV4G.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-6QKJN.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-P918I.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-RBKMF.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-7DGNM.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-D47JK.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-EA0CI.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-FPS00.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-EJS3R.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-OGGBD.tmp	4BA9.tmp
File opened for modification	C:\Program Files (x86)\Maildelivery\uninstall\unins000.dat	4BA9.tmp
File created	C:\Program Files (x86)\MDeliveryLIB\stuff\is-6HS3A.tmp	300E.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-5KQIM.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-TV28V.tmp	4BA9.tmp
File opened for modification	C:\Program Files (x86)\Maildelivery\Maildelivery.exe	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\stuff\is-OLKF3.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-9D25U.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-C4Q2N.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-TTFTN.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-5EU5E.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-O6SE6.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-M6ICT.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-RUJEH.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\plugins\internal\is-UO59U.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-JLISJ.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\is-GSIJU.tmp	4BA9.tmp
File created	C:\Program Files (x86)\Maildelivery\bin\x86\lessmsi\is-UGFCQ.tmp	4BA9.tmp

Drops file in Windows directory 5 IoCs

Processes:

csrss.exe210F.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	210F.exe
File created	C:\Windows\rss\csrss.exe	210F.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231208172323.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

944 sc.exe

pid	process
944	sc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

be9d02e68254f125e51577acaba81f25.exeF819.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be9d02e68254f125e51577acaba81f25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F819.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F819.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	F819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be9d02e68254f125e51577acaba81f25.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	be9d02e68254f125e51577acaba81f25.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1260 schtasks.exe
2868 schtasks.exe

pid	process
1260	schtasks.exe
2868	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

210F.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	210F.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	210F.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	210F.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

patch.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

be9d02e68254f125e51577acaba81f25.exe

pid	process
2664	be9d02e68254f125e51577acaba81f25.exe
2664	be9d02e68254f125e51577acaba81f25.exe
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384
1384

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

484
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

be9d02e68254f125e51577acaba81f25.exeF819.exe

pid process

2664 be9d02e68254f125e51577acaba81f25.exe
1336 F819.exe
1384
1384
1384
1384

pid	process
484

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

AppLaunch.exe210F.execsrss.exe578D.exesc.exe

description	pid	process
Token: SeDebugPrivilege	2480	AppLaunch.exe
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeDebugPrivilege	3048	210F.exe
Token: SeImpersonatePrivilege	3048	210F.exe
Token: SeSystemEnvironmentPrivilege	1852	csrss.exe
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeDebugPrivilege	1584	578D.exe
Token: SeSecurityPrivilege	944	sc.exe
Token: SeSecurityPrivilege	944	sc.exe
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384
Token: SeShutdownPrivilege	1384

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1384
1384
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1384
1384

pid	process
1384
1384

pid	process
1384
1384

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

95BC.exeregsvr32.exe9270.exe

description	pid	process	target process
PID 1384 wrote to memory of 2620	1384		9270.exe
PID 1384 wrote to memory of 2620	1384		9270.exe
PID 1384 wrote to memory of 2620	1384		9270.exe
PID 1384 wrote to memory of 2620	1384		9270.exe
PID 1384 wrote to memory of 2620	1384		9270.exe
PID 1384 wrote to memory of 2620	1384		9270.exe
PID 1384 wrote to memory of 2620	1384		9270.exe
PID 1384 wrote to memory of 2132	1384		9435.exe
PID 1384 wrote to memory of 2132	1384		9435.exe
PID 1384 wrote to memory of 2132	1384		9435.exe
PID 1384 wrote to memory of 2132	1384		9435.exe
PID 1384 wrote to memory of 2612	1384		95BC.exe
PID 1384 wrote to memory of 2612	1384		95BC.exe
PID 1384 wrote to memory of 2612	1384		95BC.exe
PID 1384 wrote to memory of 2612	1384		95BC.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 2612 wrote to memory of 2480	2612	95BC.exe	AppLaunch.exe
PID 1384 wrote to memory of 2804	1384		regsvr32.exe
PID 1384 wrote to memory of 2804	1384		regsvr32.exe
PID 1384 wrote to memory of 2804	1384		regsvr32.exe
PID 1384 wrote to memory of 2804	1384		regsvr32.exe
PID 1384 wrote to memory of 2804	1384		regsvr32.exe
PID 2804 wrote to memory of 2656	2804	regsvr32.exe	regsvr32.exe
PID 2804 wrote to memory of 2656	2804	regsvr32.exe	regsvr32.exe
PID 2804 wrote to memory of 2656	2804	regsvr32.exe	regsvr32.exe
PID 2804 wrote to memory of 2656	2804	regsvr32.exe	regsvr32.exe
PID 2804 wrote to memory of 2656	2804	regsvr32.exe	regsvr32.exe
PID 2804 wrote to memory of 2656	2804	regsvr32.exe	regsvr32.exe
PID 2804 wrote to memory of 2656	2804	regsvr32.exe	regsvr32.exe
PID 2620 wrote to memory of 2296	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2296	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2296	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2296	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2296	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2296	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2296	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 2620 wrote to memory of 2284	2620	9270.exe	RegSvcs.exe
PID 1384 wrote to memory of 1336	1384		F819.exe
PID 1384 wrote to memory of 1336	1384		F819.exe
PID 1384 wrote to memory of 1336	1384		F819.exe
PID 1384 wrote to memory of 1336	1384		F819.exe
PID 1384 wrote to memory of 3048	1384		210F.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2185821622-4133679102-1697169727-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\be9d02e68254f125e51577acaba81f25.exe
"C:\Users\Admin\AppData\Local\Temp\be9d02e68254f125e51577acaba81f25.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2664

C:\Users\Admin\AppData\Local\Temp\9270.exe
C:\Users\Admin\AppData\Local\Temp\9270.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\9435.exe
C:\Users\Admin\AppData\Local\Temp\9435.exe
1⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\95BC.exe
C:\Users\Admin\AppData\Local\Temp\95BC.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A853.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\A853.dll
2⤵
- Loads dropped DLL
PID:2656

C:\Users\Admin\AppData\Local\Temp\F819.exe
C:\Users\Admin\AppData\Local\Temp\F819.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1336

C:\Users\Admin\AppData\Local\Temp\210F.exe
C:\Users\Admin\AppData\Local\Temp\210F.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Users\Admin\AppData\Local\Temp\210F.exe
"C:\Users\Admin\AppData\Local\Temp\210F.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:1812

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2292

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
4⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2852

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:3068

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:1296

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:1848

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:960

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:1032

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:716

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:1880

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:1816

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:2432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:1488

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:2496

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:2556

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:2920

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:1260

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
4⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:1136

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:2868

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
4⤵
- Executes dropped EXE
PID:2256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
5⤵
PID:2544

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Users\Admin\AppData\Local\Temp\is-P5S59.tmp\300E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P5S59.tmp\300E.tmp" /SL5="$50098,7932209,54272,C:\Users\Admin\AppData\Local\Temp\300E.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:908

C:\Users\Admin\AppData\Local\Temp\300E.exe
C:\Users\Admin\AppData\Local\Temp\300E.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231208172323.log C:\Windows\Logs\CBS\CbsPersist_20231208172323.cab
1⤵
- Drops file in Windows directory
PID:1524

C:\Users\Admin\AppData\Local\Temp\4BA9.exe
C:\Users\Admin\AppData\Local\Temp\4BA9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916

C:\Users\Admin\AppData\Local\Temp\is-LA6TJ.tmp\4BA9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LA6TJ.tmp\4BA9.tmp" /SL5="$C01F6,7905477,54272,C:\Users\Admin\AppData\Local\Temp\4BA9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2900

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:2936

C:\Program Files (x86)\Maildelivery\Maildelivery.exe
"C:\Program Files (x86)\Maildelivery\Maildelivery.exe" -i
3⤵
- Executes dropped EXE
PID:1592

C:\Program Files (x86)\Maildelivery\Maildelivery.exe
"C:\Program Files (x86)\Maildelivery\Maildelivery.exe" -s
3⤵
- Executes dropped EXE
PID:1548

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
3⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\578D.exe
C:\Users\Admin\AppData\Local\Temp\578D.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
1⤵
PID:804

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\E06B.exe
C:\Users\Admin\AppData\Local\Temp\E06B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\EF4B.exe
C:\Users\Admin\AppData\Local\Temp\EF4B.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:2784

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
C:\Program Files (x86)\Maildelivery\stuff\date.txt

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Program Files (x86)\Maildelivery\stuff\is-OLKF3.tmp

Filesize
1KB

MD5
992c00beab194ce392117bb419f53051

SHA1
8f9114c95e2a2c9f9c65b9243d941dcb5cea40de

SHA256
9e35c8e29ca055ce344e4c206e7b8ff1736158d0b47bf7b3dbc362f7ec7e722c

SHA512
facdca78ae7d874300eacbe3014a9e39868c93493b9cd44aae1ab39afa4d2e0868e167bca34f8c445aa7ccc9ddb27e1b607d739af94aa4840789a3f01e7bed9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
85853bd913670a1376a8c93bdb9e7576

SHA1
9c390724563974e022075076f232319958619a75

SHA256
0597b5d47bc8878a48f42f64d0c8852a36b55c4c1711d4170b44b71b82fe05bb

SHA512
50771ed71ca6dc6743491a3fe9eb94c4dcc1fab1d536fc96cde77a36dcc47f778940ec4eadfc97400b2fb2dc7cb30988fd9c0f98ea143ae95ca0c93e8c13c028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2aa548e34d29ac9e7540c25de833a741

SHA1
ae8de5d2b84090c510a37ad6ce0e52a90f98f6b8

SHA256
3af03b768f03d8f355204859205682675e2a15b9c08fe0c5277db24655660dd2

SHA512
bc5e846912f73826e5229a2b6ee0876b7fabb58fbd35b254dc927edf2c9f2a46022aef51b7632954f1b48b324cfa7d60ca7f1021a5cbaab3a80f44291836344d

Download Submit
C:\Users\Admin\AppData\Local\Temp\210F.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Users\Admin\AppData\Local\Temp\210F.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Users\Admin\AppData\Local\Temp\210F.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Users\Admin\AppData\Local\Temp\210F.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Users\Admin\AppData\Local\Temp\300E.exe

Filesize
7.8MB

MD5
0e6e123574b271dc6191459d9891b7e7

SHA1
588cf85439b2d13b9fa8b6a41c0f5f749d78c4ec

SHA256
8873e2b8ff3fffa0005cd940c5622d38517030f68b26bbe7f0444590f9609814

SHA512
bda737c167ca3915dcaf3251a98c61daf6fc57a3141290fb67cdc5ab0797f70e101d47af97d24cb37b66b6714606c964053ec8e3d40c705196e8fcfdf56ec9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\300E.exe

Filesize
7.8MB

MD5
0e6e123574b271dc6191459d9891b7e7

SHA1
588cf85439b2d13b9fa8b6a41c0f5f749d78c4ec

SHA256
8873e2b8ff3fffa0005cd940c5622d38517030f68b26bbe7f0444590f9609814

SHA512
bda737c167ca3915dcaf3251a98c61daf6fc57a3141290fb67cdc5ab0797f70e101d47af97d24cb37b66b6714606c964053ec8e3d40c705196e8fcfdf56ec9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BA9.exe

Filesize
7.8MB

MD5
8e4ababd8277cb8fd39a6866789d6a33

SHA1
145d8720b4c49948bf679d3baf47a738252ece62

SHA256
8d4b655539b3756721a3c26394ac2af82db97ccb04f1672881c5496d0a2f2e71

SHA512
7d9f98770da3a1f1ae77229cf6928541c624e1bf47e3270228599a93448c312e27f32bcfe172a51225b3086d2ca5e806145423fc1b95fc8a828a9e30edde576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BA9.exe

Filesize
7.8MB

MD5
8e4ababd8277cb8fd39a6866789d6a33

SHA1
145d8720b4c49948bf679d3baf47a738252ece62

SHA256
8d4b655539b3756721a3c26394ac2af82db97ccb04f1672881c5496d0a2f2e71

SHA512
7d9f98770da3a1f1ae77229cf6928541c624e1bf47e3270228599a93448c312e27f32bcfe172a51225b3086d2ca5e806145423fc1b95fc8a828a9e30edde576e

Download Submit
C:\Users\Admin\AppData\Local\Temp\578D.exe

Filesize
3.0MB

MD5
f4cb9c8b7e02e8084008cd61e1899390

SHA1
af1a95a823a8c24cab9d8e8aaf46d69b3612dd4b

SHA256
a9ef0a36e9924f9742af01b648d7c89624e1e360716adb8fe7f58a6f28c4865e

SHA512
e808e95a5f57a13e61f8b77502f0f01c7faf66f2663d4de0b61a308f39520da8d649f32ed886edf446eefd88cf324854bcca059f8c0a6f46148388242e6b65b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9270.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9270.exe

Filesize
5.1MB

MD5
7f4f98a26d4835578f46224112cc6a15

SHA1
c5cbaf07ef86ee77e7a079ece95e749e7b93a0f0

SHA256
c20f57c4db1ec145b3f2131677c80e8ceb88b11b81dbb1e7bf84983daf514276

SHA512
c2fe13271b35c799ea871b54f0d73a61a2ceed5b4f8fa7464bc758908f35185bfe1c43d38c54941c9fef18284334d61ddab506121d7d993ec87752a77eea8c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9435.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\9435.exe

Filesize
237KB

MD5
22a51b329fa194d51f68705a25d7396d

SHA1
aada03d8b7f1e28dbf6d72c1503981ccc5bb94da

SHA256
82857c5bbab91ba9c66bcd07c9f25c1b140e94fa892e97cc97db82fe06439742

SHA512
0d9a8a6b1df054a84bea0c4d38fd3c702f95c7d372bf2255c29611aec38fca5c81b972a2d45135a6488ba313d5674cf5e60e5bc7bdc888bb3524739e473ff821

Download Submit
C:\Users\Admin\AppData\Local\Temp\95BC.exe

Filesize
382KB

MD5
d8aff64273bcd3ef2208d6c4b0214d24

SHA1
593273f5f0e1bc79e15a18b5ca19a51ecdf1e9b1

SHA256
a9d74ae5f8e2319b1333b898747853bd0d39907eba2f4575db81156b67630283

SHA512
bebac874198ac8e006e2549086436e8f0fd71e7d4de21c81434b504d8cbf8000d2ff32f0e1757236df73399b0bfab2ea22ca7a5caeb4306bcaa617f14816649b

Download Submit
C:\Users\Admin\AppData\Local\Temp\95BC.exe

Filesize
382KB

MD5
d8aff64273bcd3ef2208d6c4b0214d24

SHA1
593273f5f0e1bc79e15a18b5ca19a51ecdf1e9b1

SHA256
a9d74ae5f8e2319b1333b898747853bd0d39907eba2f4575db81156b67630283

SHA512
bebac874198ac8e006e2549086436e8f0fd71e7d4de21c81434b504d8cbf8000d2ff32f0e1757236df73399b0bfab2ea22ca7a5caeb4306bcaa617f14816649b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A853.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41D1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E06B.exe

Filesize
6.4MB

MD5
a4ce9eab6facc5c9a722e408f735ee2a

SHA1
d36c9f8b0c205dc821aa18b65536e1619ea54b69

SHA256
3e2dde3ce6cb7daee5e76108d39449b867e592e22faefe63991ebbf282834483

SHA512
270f906ae6101d57c2672671aa7bf7bd120f8e4eda6e2135bbc7aeb3a3b16bbf3a11099a66b81d0d58c3fa4a7fbb6bd1688516b5be5706b9f1471b6d816d03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E06B.exe

Filesize
6.4MB

MD5
a4ce9eab6facc5c9a722e408f735ee2a

SHA1
d36c9f8b0c205dc821aa18b65536e1619ea54b69

SHA256
3e2dde3ce6cb7daee5e76108d39449b867e592e22faefe63991ebbf282834483

SHA512
270f906ae6101d57c2672671aa7bf7bd120f8e4eda6e2135bbc7aeb3a3b16bbf3a11099a66b81d0d58c3fa4a7fbb6bd1688516b5be5706b9f1471b6d816d03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF4B.exe

Filesize
6.4MB

MD5
a4ce9eab6facc5c9a722e408f735ee2a

SHA1
d36c9f8b0c205dc821aa18b65536e1619ea54b69

SHA256
3e2dde3ce6cb7daee5e76108d39449b867e592e22faefe63991ebbf282834483

SHA512
270f906ae6101d57c2672671aa7bf7bd120f8e4eda6e2135bbc7aeb3a3b16bbf3a11099a66b81d0d58c3fa4a7fbb6bd1688516b5be5706b9f1471b6d816d03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF4B.exe

Filesize
6.4MB

MD5
a4ce9eab6facc5c9a722e408f735ee2a

SHA1
d36c9f8b0c205dc821aa18b65536e1619ea54b69

SHA256
3e2dde3ce6cb7daee5e76108d39449b867e592e22faefe63991ebbf282834483

SHA512
270f906ae6101d57c2672671aa7bf7bd120f8e4eda6e2135bbc7aeb3a3b16bbf3a11099a66b81d0d58c3fa4a7fbb6bd1688516b5be5706b9f1471b6d816d03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF4B.exe

Filesize
6.4MB

MD5
a4ce9eab6facc5c9a722e408f735ee2a

SHA1
d36c9f8b0c205dc821aa18b65536e1619ea54b69

SHA256
3e2dde3ce6cb7daee5e76108d39449b867e592e22faefe63991ebbf282834483

SHA512
270f906ae6101d57c2672671aa7bf7bd120f8e4eda6e2135bbc7aeb3a3b16bbf3a11099a66b81d0d58c3fa4a7fbb6bd1688516b5be5706b9f1471b6d816d03d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\F819.exe

Filesize
230KB

MD5
d43aff1b1667cf208008d4e2d76e124f

SHA1
f097e2c33c9d65f20634ab8d7c4078007e96f8a9

SHA256
33dcd949d98d7eae6e432af70a6b4cdc6aa8997043785c91848ad9478eff7623

SHA512
ac8e1ee8ec0725129a4d2beb24188ca5572f415b0cffc52e399ee102292f0ee78f1a75eb155b3d53a1bdf53067699495f471822c29a2d71810dbef91a26e88e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\F819.exe

Filesize
230KB

MD5
d43aff1b1667cf208008d4e2d76e124f

SHA1
f097e2c33c9d65f20634ab8d7c4078007e96f8a9

SHA256
33dcd949d98d7eae6e432af70a6b4cdc6aa8997043785c91848ad9478eff7623

SHA512
ac8e1ee8ec0725129a4d2beb24188ca5572f415b0cffc52e399ee102292f0ee78f1a75eb155b3d53a1bdf53067699495f471822c29a2d71810dbef91a26e88e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44D0.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KIJ5D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LA6TJ.tmp\4BA9.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LA6TJ.tmp\4BA9.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P5S59.tmp\300E.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\??\c:\users\admin\appdata\local\temp\is-la6tj.tmp\4ba9.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\??\c:\users\admin\appdata\local\temp\is-p5s59.tmp\300e.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Program Files (x86)\Maildelivery\Maildelivery.exe

Filesize
3.5MB

MD5
27afd644b9ee5bf5b70c6a7793842ffb

SHA1
9e6e7cfbd05127413f629e743f8b917d2827ca36

SHA256
e19cfb7de1b988ac75beb15b974d03bc1366c94daf8f65110243234147281e1c

SHA512
4c3efcbcbfe1b7e234362da27a3e9bd493cadb594a2590c72a7afcc2c92d47863d2d98ce11d7b3339cc67b5e2fb37f3d39397651eeb5c091fb3f162eccd1f9a1

Download Submit
\Users\Admin\AppData\Local\Temp\A853.dll

Filesize
4.1MB

MD5
184fc62aeb4c9d78891eb8d509c429e5

SHA1
4456d00e767b918a5118741985f2e1bc924b8e53

SHA256
6b2a111ace1e8469a99e2696a6313352cadf138f5b431d68fdb36a7268df1052

SHA512
100eb18ee1ef332862b668769fc64b37429df107873525b3ffcd5a8ccea8ad31fe57bba97cb103c2b444d62113a999a58f7743eb0b8266bb9ff8f116472d854b

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\is-K74K3.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-K74K3.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-K74K3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-K74K3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KIJ5D.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-KIJ5D.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-KIJ5D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KIJ5D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-LA6TJ.tmp\4BA9.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\is-P5S59.tmp\300E.tmp

Filesize
694KB

MD5
5525670a9e72d77b368a9aa4b8c814c1

SHA1
3fdad952ea00175f3a6e549b5dca4f568e394612

SHA256
1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978

SHA512
757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
f4cc12ca64e579ab32dfbf8c431d69e6

SHA1
d52d72c9a22032b5148d4ded20529eb757dcd244

SHA256
70baed950fbcd28d695bedcf44d7042d0b32fae088188a4b8492d47f72320dbd

SHA512
e24d017f6b28f74443f6f7feeb2319c1205a74ab238bc086c79597be22ab9468eac54439c91b52b407b3782442f1ada4b928eece7dcde94035774b69ef3fd858

Download Submit
memory/908-182-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/916-311-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/916-316-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1336-107-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/1336-105-0x0000000000CA0000-0x0000000000DA0000-memory.dmp

Filesize
1024KB

Download
memory/1336-121-0x0000000000400000-0x000000000085C000-memory.dmp

Filesize
4.4MB

Download
memory/1336-106-0x00000000003B0000-0x00000000003BB000-memory.dmp

Filesize
44KB

Download
memory/1384-120-0x0000000003CE0000-0x0000000003CF6000-memory.dmp

Filesize
88KB

Download
memory/1384-4-0x0000000002AE0000-0x0000000002AF6000-memory.dmp

Filesize
88KB

Download
memory/1584-476-0x0000000001060000-0x00000000018F2000-memory.dmp

Filesize
8.6MB

Download
memory/1584-475-0x0000000001060000-0x00000000018F2000-memory.dmp

Filesize
8.6MB

Download
memory/1592-466-0x0000000000400000-0x000000000078F000-memory.dmp

Filesize
3.6MB

Download
memory/1852-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1852-219-0x0000000002BE0000-0x00000000034CB000-memory.dmp

Filesize
8.9MB

Download
memory/1852-218-0x00000000027E0000-0x0000000002BD8000-memory.dmp

Filesize
4.0MB

Download
memory/1852-217-0x00000000027E0000-0x0000000002BD8000-memory.dmp

Filesize
4.0MB

Download
memory/1856-158-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1856-148-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1856-314-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2132-77-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/2132-57-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2132-29-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/2132-30-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/2132-32-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2284-79-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-88-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-125-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2284-81-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-89-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-82-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-80-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-83-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2284-86-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2480-40-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-41-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-39-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-49-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/2480-48-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-38-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-42-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-43-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-47-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-45-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-53-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-156-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-69-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-20-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-19-0x0000000000C30000-0x0000000001144000-memory.dmp

Filesize
5.1MB

Download
memory/2620-21-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-136-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-137-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-78-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-171-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-76-0x00000000071C0000-0x00000000072C0000-memory.dmp

Filesize
1024KB

Download
memory/2620-75-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-74-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-73-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-72-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-71-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-70-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-150-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-170-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-203-0x00000000071C0000-0x00000000072C0000-memory.dmp

Filesize
1024KB

Download
memory/2620-68-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-204-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-67-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2620-66-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-65-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2620-64-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-59-0x0000000006A90000-0x0000000006C22000-memory.dmp

Filesize
1.6MB

Download
memory/2620-58-0x0000000005860000-0x0000000005A88000-memory.dmp

Filesize
2.2MB

Download
memory/2620-154-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2620-149-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2624-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2624-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2624-205-0x0000000002620000-0x0000000002A18000-memory.dmp

Filesize
4.0MB

Download
memory/2624-202-0x0000000002620000-0x0000000002A18000-memory.dmp

Filesize
4.0MB

Download
memory/2656-55-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2656-194-0x0000000000110000-0x0000000000122000-memory.dmp

Filesize
72KB

Download
memory/2656-195-0x0000000051870000-0x00000000518C0000-memory.dmp

Filesize
320KB

Download
memory/2656-143-0x00000000038F0000-0x0000000003A01000-memory.dmp

Filesize
1.1MB

Download
memory/2656-90-0x00000000027F0000-0x0000000002933000-memory.dmp

Filesize
1.3MB

Download
memory/2656-142-0x0000000002A70000-0x00000000038E3000-memory.dmp

Filesize
14.4MB

Download
memory/2656-141-0x0000000002940000-0x0000000002A67000-memory.dmp

Filesize
1.2MB

Download
memory/2656-91-0x0000000002940000-0x0000000002A67000-memory.dmp

Filesize
1.2MB

Download
memory/2656-54-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/2656-94-0x0000000002940000-0x0000000002A67000-memory.dmp

Filesize
1.2MB

Download
memory/2656-96-0x0000000010000000-0x0000000010418000-memory.dmp

Filesize
4.1MB

Download
memory/2656-157-0x0000000003A10000-0x0000000003B2E000-memory.dmp

Filesize
1.1MB

Download
memory/2656-166-0x0000000003A10000-0x0000000003B2E000-memory.dmp

Filesize
1.1MB

Download
memory/2664-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2664-1-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/2664-3-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2664-5-0x0000000000400000-0x000000000085E000-memory.dmp

Filesize
4.4MB

Download
memory/2852-241-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2852-225-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2900-465-0x00000000031F0000-0x000000000357F000-memory.dmp

Filesize
3.6MB

Download
memory/2900-335-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3048-140-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3048-138-0x0000000002610000-0x0000000002A08000-memory.dmp

Filesize
4.0MB

Download
memory/3048-134-0x0000000002610000-0x0000000002A08000-memory.dmp

Filesize
4.0MB

Download
memory/3048-139-0x0000000002A10000-0x00000000032FB000-memory.dmp

Filesize
8.9MB

Download
memory/3048-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download