dcrat | 9c12790e14c6770a0c0b7bc305fc7621f1b82f9918c6e527e55911342f50ee4c

Analysis

max time kernel
78s
max time network
154s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-12-2023 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7e5f3de8090ddb4f0d238e026f10bb6.exe
Size

36KB
MD5

b7e5f3de8090ddb4f0d238e026f10bb6
SHA1

1c52d7edc74d9485a6df963fbdf7399311b0d1b1
SHA256

9c12790e14c6770a0c0b7bc305fc7621f1b82f9918c6e527e55911342f50ee4c
SHA512

c1bbca61c13ad91530a161df68c28ffb4258920aed5ac4bc43a85f8892b73c0e0740c7ec035cd9c9539b53305a7aa74e6036c3e61e6a424c7dcee9082c6138cd
SSDEEP

768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

@oleh_ps

176.123.7.190:32927

195.20.16.190:45294

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

LiveTraffic

77.105.132.87:22221

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.loqw
offline_id
NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Extracted

Family

lumma

http://attachmentartikidw.fun/api

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Lumma Stealer payload V4 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2736-67-0x0000000000380000-0x00000000003FE000-memory.dmp	family_lumma_v4
behavioral1/memory/2736-130-0x0000000000380000-0x00000000003FE000-memory.dmp	family_lumma_v4

Detect ZGRat V1 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\C20B.exe	family_zgrat_v1
behavioral1/memory/2924-115-0x00000000008C0000-0x000000000094A000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\C20B.exe	family_zgrat_v1
\Users\Admin\AppData\Local\Temp\C20B.exe	family_zgrat_v1
\Users\Admin\AppData\Local\Temp\C20B.exe	family_zgrat_v1
\Users\Admin\AppData\Local\Temp\C20B.exe	family_zgrat_v1
\Users\Admin\AppData\Local\Temp\C20B.exe	family_zgrat_v1
\Users\Admin\AppData\Local\Temp\C20B.exe	family_zgrat_v1

Detected Djvu ransomware 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2756-331-0x00000000008E0000-0x00000000009FB000-memory.dmp	family_djvu
behavioral1/memory/2176-330-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2176-334-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2176-335-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2176-356-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/396-370-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/484-93-0x0000000002990000-0x000000000327B000-memory.dmp	family_glupteba
behavioral1/memory/484-109-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/484-164-0x0000000002990000-0x000000000327B000-memory.dmp	family_glupteba
behavioral1/memory/484-174-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/484-182-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/484-189-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/484-201-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2808-214-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2808-211-0x0000000002B50000-0x000000000343B000-memory.dmp	family_glupteba
behavioral1/memory/2808-236-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2100-239-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2100-357-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2100-381-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\B0F8.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\B0F8.exe	family_redline
behavioral1/memory/1876-20-0x0000000000EB0000-0x0000000000EEC000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\C70C.exe	family_redline
behavioral1/memory/2244-150-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2288-156-0x0000000004C30000-0x0000000004C70000-memory.dmp	family_redline
behavioral1/memory/2288-151-0x0000000000990000-0x00000000009E2000-memory.dmp	family_redline
behavioral1/memory/2244-144-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/2244-141-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\C70C.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Modifies boot configuration data using bcdedit 13 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2504	bcdedit.exe
2372	bcdedit.exe
2272	bcdedit.exe
944	bcdedit.exe
2672	bcdedit.exe
1916	bcdedit.exe
916	bcdedit.exe
1144	bcdedit.exe
2784	bcdedit.exe
1588	bcdedit.exe
1388	bcdedit.exe
2512	bcdedit.exe
2436	bcdedit.exe

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

516 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Deletes itself 1 IoCs

Processes:

pid process

1248

pid	process
516	netsh.exe

pid	process
1248

Executes dropped EXE 16 IoCs

Processes:

ADBD.exeB0F8.exeB31B.exeInstallSetup9.exetoolspub2.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exeBDA7.exeetopt.exeC20B.exeC70C.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exepatch.exeinjector.exe6B2A.exe

pid	process
2776	ADBD.exe
1876	B0F8.exe
2736	B31B.exe
2548	InstallSetup9.exe
2336	toolspub2.exe
2920	toolspub2.exe
484	31839b57a4f11171d6abc8bbc4451ee4.exe
2816	BDA7.exe
2968	etopt.exe
2924	C20B.exe
2288	C70C.exe
2808	31839b57a4f11171d6abc8bbc4451ee4.exe
2100	csrss.exe
1676	patch.exe
2480	injector.exe
2756	6B2A.exe

Loads dropped DLL 25 IoCs

Processes:

ADBD.exeInstallSetup9.exetoolspub2.exeetopt.exeWerFault.exe31839b57a4f11171d6abc8bbc4451ee4.exepatch.execsrss.exe

pid	process
2776	ADBD.exe
2776	ADBD.exe
2776	ADBD.exe
2548	InstallSetup9.exe
2548	InstallSetup9.exe
2336	toolspub2.exe
2776	ADBD.exe
2776	ADBD.exe
2776	ADBD.exe
2968	etopt.exe
2968	etopt.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe
2316	WerFault.exe
2808	31839b57a4f11171d6abc8bbc4451ee4.exe
2808	31839b57a4f11171d6abc8bbc4451ee4.exe
852
1676	patch.exe
1676	patch.exe
1676	patch.exe
1676	patch.exe
1676	patch.exe
2100	csrss.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

548 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
548	icacls.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

etopt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3012-749-0x0000000001110000-0x00000000017EA000-memory.dmp	themida
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe	themida

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

toolspub2.exeC20B.exe

description	pid	process	target process
PID 2336 set thread context of 2920	2336	toolspub2.exe	toolspub2.exe
PID 2924 set thread context of 2244	2924	C20B.exe	RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 2 IoCs

Processes:

etopt.exe

description	ioc	process
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	etopt.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\Macro.dll	etopt.exe

Drops file in Windows directory 3 IoCs

Processes:

makecab.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20231221025546.cab	makecab.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2316 2924 WerFault.exe C20B.exe
1120 2548 WerFault.exe InstallSetup9.exe

pid	pid_target	process	target process
2316	2924	WerFault.exe	C20B.exe
1120	2548	WerFault.exe	InstallSetup9.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Program Files (x86)\ClocX\uninst.exe	nsis_installer_1
C:\Program Files (x86)\ClocX\uninst.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b7e5f3de8090ddb4f0d238e026f10bb6.exetoolspub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b7e5f3de8090ddb4f0d238e026f10bb6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b7e5f3de8090ddb4f0d238e026f10bb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	b7e5f3de8090ddb4f0d238e026f10bb6.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

952 schtasks.exe

pid	process
952	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies registry class 22 IoCs

Processes:

etopt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx\ = "{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}"	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA1F62B-FCEB-0FF5-5733-0D1A23321CEC}	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\FileSystemEx	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1AA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ = "C:\\Program Files (x86)\\Windows NT\\Accessories\\Macro.dll"	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_CLASSES\CLSID	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1AA1F62B-FCEB-0FF5-5733-0D1A23321CEC}"	etopt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2EA1F62B-FCEB-0FF5-5733-0D1A23321CEC}\InProcServer32\ThreadingModel = "Apartment"	etopt.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

patch.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b7e5f3de8090ddb4f0d238e026f10bb6.exe

pid	process
1332	b7e5f3de8090ddb4f0d238e026f10bb6.exe
1332	b7e5f3de8090ddb4f0d238e026f10bb6.exe
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248
1248

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

b7e5f3de8090ddb4f0d238e026f10bb6.exetoolspub2.exe

pid process

1332 b7e5f3de8090ddb4f0d238e026f10bb6.exe
2920 toolspub2.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

C70C.exeBDA7.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe

description	pid	process
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeShutdownPrivilege	1248
Token: SeDebugPrivilege	2288	C70C.exe
Token: SeDebugPrivilege	2816	BDA7.exe
Token: SeDebugPrivilege	484	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	484	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeSystemEnvironmentPrivilege	2100	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ADBD.exetoolspub2.exeC20B.exe

description	pid	process	target process
PID 1248 wrote to memory of 2776	1248		ADBD.exe
PID 1248 wrote to memory of 2776	1248		ADBD.exe
PID 1248 wrote to memory of 2776	1248		ADBD.exe
PID 1248 wrote to memory of 2776	1248		ADBD.exe
PID 1248 wrote to memory of 1876	1248		B0F8.exe
PID 1248 wrote to memory of 1876	1248		B0F8.exe
PID 1248 wrote to memory of 1876	1248		B0F8.exe
PID 1248 wrote to memory of 1876	1248		B0F8.exe
PID 1248 wrote to memory of 2736	1248		B31B.exe
PID 1248 wrote to memory of 2736	1248		B31B.exe
PID 1248 wrote to memory of 2736	1248		B31B.exe
PID 1248 wrote to memory of 2736	1248		B31B.exe
PID 2776 wrote to memory of 2548	2776	ADBD.exe	InstallSetup9.exe
PID 2776 wrote to memory of 2548	2776	ADBD.exe	InstallSetup9.exe
PID 2776 wrote to memory of 2548	2776	ADBD.exe	InstallSetup9.exe
PID 2776 wrote to memory of 2548	2776	ADBD.exe	InstallSetup9.exe
PID 2776 wrote to memory of 2548	2776	ADBD.exe	InstallSetup9.exe
PID 2776 wrote to memory of 2548	2776	ADBD.exe	InstallSetup9.exe
PID 2776 wrote to memory of 2548	2776	ADBD.exe	InstallSetup9.exe
PID 2776 wrote to memory of 2336	2776	ADBD.exe	toolspub2.exe
PID 2776 wrote to memory of 2336	2776	ADBD.exe	toolspub2.exe
PID 2776 wrote to memory of 2336	2776	ADBD.exe	toolspub2.exe
PID 2776 wrote to memory of 2336	2776	ADBD.exe	toolspub2.exe
PID 2336 wrote to memory of 2920	2336	toolspub2.exe	toolspub2.exe
PID 2336 wrote to memory of 2920	2336	toolspub2.exe	toolspub2.exe
PID 2336 wrote to memory of 2920	2336	toolspub2.exe	toolspub2.exe
PID 2336 wrote to memory of 2920	2336	toolspub2.exe	toolspub2.exe
PID 2336 wrote to memory of 2920	2336	toolspub2.exe	toolspub2.exe
PID 2336 wrote to memory of 2920	2336	toolspub2.exe	toolspub2.exe
PID 2336 wrote to memory of 2920	2336	toolspub2.exe	toolspub2.exe
PID 2776 wrote to memory of 484	2776	ADBD.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2776 wrote to memory of 484	2776	ADBD.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2776 wrote to memory of 484	2776	ADBD.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2776 wrote to memory of 484	2776	ADBD.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 1248 wrote to memory of 2816	1248		BDA7.exe
PID 1248 wrote to memory of 2816	1248		BDA7.exe
PID 1248 wrote to memory of 2816	1248		BDA7.exe
PID 1248 wrote to memory of 2816	1248		BDA7.exe
PID 2776 wrote to memory of 2968	2776	ADBD.exe	etopt.exe
PID 2776 wrote to memory of 2968	2776	ADBD.exe	etopt.exe
PID 2776 wrote to memory of 2968	2776	ADBD.exe	etopt.exe
PID 2776 wrote to memory of 2968	2776	ADBD.exe	etopt.exe
PID 1248 wrote to memory of 2924	1248		C20B.exe
PID 1248 wrote to memory of 2924	1248		C20B.exe
PID 1248 wrote to memory of 2924	1248		C20B.exe
PID 1248 wrote to memory of 2924	1248		C20B.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 1248 wrote to memory of 2288	1248		C70C.exe
PID 1248 wrote to memory of 2288	1248		C70C.exe
PID 1248 wrote to memory of 2288	1248		C70C.exe
PID 1248 wrote to memory of 2288	1248		C70C.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2244	2924	C20B.exe	RegAsm.exe
PID 2924 wrote to memory of 2316	2924	C20B.exe	WerFault.exe
PID 2924 wrote to memory of 2316	2924	C20B.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b7e5f3de8090ddb4f0d238e026f10bb6.exe
"C:\Users\Admin\AppData\Local\Temp\b7e5f3de8090ddb4f0d238e026f10bb6.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1332

C:\Users\Admin\AppData\Local\Temp\ADBD.exe
C:\Users\Admin\AppData\Local\Temp\ADBD.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1452
3⤵
- Program crash
PID:1120

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2920

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:484

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1424

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:516

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2100

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1044

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:952

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1676

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:2504

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2372

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2272

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:944

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2672

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1916

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:916

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:1144

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:2784

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:1588

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:1388

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2512

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:2436

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2480

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:2968

C:\Users\Admin\AppData\Local\Temp\B0F8.exe
C:\Users\Admin\AppData\Local\Temp\B0F8.exe
1⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\B31B.exe
C:\Users\Admin\AppData\Local\Temp\B31B.exe
1⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\AppData\Local\Temp\BDA7.exe
C:\Users\Admin\AppData\Local\Temp\BDA7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Users\Admin\AppData\Local\Temp\C20B.exe
C:\Users\Admin\AppData\Local\Temp\C20B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 564
2⤵
- Loads dropped DLL
- Program crash
PID:2316

C:\Users\Admin\AppData\Local\Temp\C70C.exe
C:\Users\Admin\AppData\Local\Temp\C70C.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\36FE.bat" "
1⤵
PID:1624

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2268

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231221025546.log C:\Windows\Logs\CBS\CbsPersist_20231221025546.cab
1⤵
- Drops file in Windows directory
PID:3028

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
1⤵
PID:1740

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4B79.bat" "
1⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\6B2A.exe
C:\Users\Admin\AppData\Local\Temp\6B2A.exe
1⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\AppData\Local\Temp\6B2A.exe
C:\Users\Admin\AppData\Local\Temp\6B2A.exe
2⤵
PID:2176

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\da6f6197-6f48-4a9c-8565-aed6e7b7d771" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:548

C:\Users\Admin\AppData\Local\Temp\6B2A.exe
"C:\Users\Admin\AppData\Local\Temp\6B2A.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\6B2A.exe
"C:\Users\Admin\AppData\Local\Temp\6B2A.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:396

C:\Users\Admin\AppData\Local\12b588c1-d89c-448a-a4da-f0a03cf30851\build2.exe
"C:\Users\Admin\AppData\Local\12b588c1-d89c-448a-a4da-f0a03cf30851\build2.exe"
5⤵
PID:2852

C:\Users\Admin\AppData\Local\12b588c1-d89c-448a-a4da-f0a03cf30851\build2.exe
"C:\Users\Admin\AppData\Local\12b588c1-d89c-448a-a4da-f0a03cf30851\build2.exe"
6⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\95A4.exe
C:\Users\Admin\AppData\Local\Temp\95A4.exe
1⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oA9cA71.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oA9cA71.exe
1⤵
PID:2984

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pc4Ce55.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Pc4Ce55.exe
2⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ED90Xm9.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1ED90Xm9.exe
3⤵
PID:2232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
4⤵
PID:3060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3060 CREDAT:275457 /prefetch:2
5⤵
PID:2272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login
4⤵
PID:2736

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
5⤵
PID:1064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
4⤵
PID:3044

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3044 CREDAT:275457 /prefetch:2
5⤵
PID:2824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login
4⤵
PID:2648

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
5⤵
PID:1492

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform
4⤵
PID:2556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2
5⤵
PID:2288

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
4⤵
PID:2160

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:2
5⤵
PID:1916

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin
4⤵
PID:2168

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:275457 /prefetch:2
5⤵
PID:2232

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
4⤵
PID:2212

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
5⤵
PID:1704

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login
4⤵
PID:1096

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
5⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4oQ963Aa.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4oQ963Aa.exe
3⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\B777.exe
C:\Users\Admin\AppData\Local\Temp\B777.exe
1⤵
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ClocX\uninst.exe
Filesize
52KB

MD5
3387961372fe91c2cc69b53180cbfee4

SHA1
ede6fb0d2319536efca218d461425d2addffd88e

SHA256
dad57975be6833c50d32ee77212addf11a80195d82365ade6042234e492bd845

SHA512
f6551803b90934a5555587bc81b4758b21fc8bad1653f298846e2195c797932893d761249f9cf527e95809ffc0bfd785872f0b42f56e8adc64bdb06c63f09c5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
578d23d0846b5c4e11d6e9e4a20c06c9

SHA1
c9e15497891a4b5912c9c3f779b5c09b0ff95844

SHA256
4e671a2e4454fe7c76f2211554bc061664b17d29829869d0d013e12a4edf4358

SHA512
65adf2f3f15228b2ee9a2973caf8570592748814a2c8f9bec031732a23fbfe5e86b9a818bebc963e7489e2f648b0e28788cebb06ae204d6ceab37b234ef0bdfd

Download Submit
C:\Users\Admin\AppData\Local\12b588c1-d89c-448a-a4da-f0a03cf30851\build2.exe
Filesize
301KB

MD5
e23c839edb489081120befe1e44b04db

SHA1
d57fd824ac54082312dcc23d2bca61e4d98f6065

SHA256
f68f73e9330202575e6476e37ed5bfaa11a52bfac4d1248c6fee5628f17c0cf7

SHA512
8c40e7cc8b538cf33ec650e694f81e50e576dcf9d771c2d6d8d960fbb6fd38b64bc604ba0dba1c9ca3cedabecdc83c789ca515352f3de12c997150df0ed4d0c1

Download Submit
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
Filesize
2.7MB

MD5
da044811ca4ac1cc04b14153dccbbf37

SHA1
6495d9b495010f8c79116e519a8784e342141b8a

SHA256
7c31979024f0d5873af50e66b541135b095a0958d7c0203e01f366cfb2a8d1b8

SHA512
0352129b629768f0192f58e43ac097758f3aae0236de363638ce14a994bdb0f17e31882f6ae7a93643222f542ffb21cf492d3c18dbaf6ec5822c45a8c2ce33d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
180KB

MD5
a5059dd238edde407ce3d8c7eda7e954

SHA1
2639f945c14e1af0f576d3053d290afdfffb8319

SHA256
a907a5e70511d64a69c5662b7c9ec06387b051d471d496c3fb00e0d3f2d12464

SHA512
c8569baa129e79722defa71f05189fd2bc1c3a48cc359fb5c350237045faea2115f2e029513b214253cf2c50e713d3b70ded0b13575e85691565095ff6bde96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
429KB

MD5
dcf0dc95ce26e04bc6d8153383670ced

SHA1
4e734d750941f8459c2d06c96d38ac294e2109ba

SHA256
15a4c63a63488f7b27c4492e4d15c1af6445d667da232e6cca5ed89de8773dc6

SHA512
efc81e6bcfec7430280dca3c9b0b7b4f3cb46bd4575d76e2225cafd5c7db2da62999979bbc4afa1c3506bcb7eaac251698f77a201c63fae59cf987a68501f786

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
485KB

MD5
c3da4b34a8a4a0f5753f72e6d3f4f3bd

SHA1
1add556dc0ab6a4f457de4d12280d7d23734503f

SHA256
53b8b289be5a7b8b08a00956b45c5ad4beec80b4e53d701703c1a89b1d24b290

SHA512
2af47a7eb3cdc83e4bc944089fe129619cde4a459e8d3d978ed8916af749ce0c7088305d139cbc2e71f143ef42db7c406a93cb0a3b227ecfca4e2b778e242167

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
359KB

MD5
2e56b9fa345b5f54b1d80aed1d5b5b9a

SHA1
30267c32e1c93e6e3cbbb196044a10b04cd279e1

SHA256
9bc78ce6428c823a65b84ef9ba46016935567e86d5654e58135650f1a0257988

SHA512
c901dcde654340b1ab4af9892f237317f3f7da42e8240de488875fad64d8a4a5e5cbbfa7511c8d5edc1a8e3b76e249af0859cf04524f73126bea0ee9e7d902c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\36FE.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
315KB

MD5
81c41ddd005a252c595841e4e08cb775

SHA1
1b7859d1c5e70dc34fbb89cffba88666a8464f83

SHA256
39d19da71e865bf5a05eb051cacfdaf089e87da570dc0bde3d060ece04d7eee6

SHA512
3b3afb0f44f28295408765116b40d346a5666d62d868f2c116153cb2b3b415be543d8b5cd2e33b7066449ffb4f02482091cb5160fcccc0552bf86a32e428de0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
252KB

MD5
188715abfed6e575d1555e982df7c619

SHA1
a509209d1727fe92925bc51bcda472dc886518f4

SHA256
3928ef33d72e4aae49596b095907ab8b80c400805fd86cebbdfab28f0bff9da4

SHA512
3f4633540d77d744da306a4f4c0cc7a29c4145b7b06e959ad78431e38dee14c60df80d27ccbb0dbdf68648e8152d82dc8ebb45aa7a6628c2f97689a0411d0a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
210KB

MD5
7d47a1c64ab4640d0644cf7c0bf8c8b9

SHA1
ba3d6744da4c830d61cbdd99e79b5fdb50be2b01

SHA256
48adb29da9d53e1bdcefea0894d1bacbbf476875a3bac4937dfdec0d31d1a2d9

SHA512
b61a0d9ddcb88dffe3abfb1d42e91fb8648351e43c5b50399010a5eb8a74bedd9d44acead4d1028fae7799a637ab38f215b71482e83b616818d4ab59633a5b1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
222KB

MD5
58c723a4e139f0cd42d2505b4866569c

SHA1
2e7a07f89411d32f93fd2bfc5d21ad0e947fc148

SHA256
2fcc943f15747828b4f29822dcac57a599d70148630d488f910febf3b8b965ab

SHA512
324452f45970f6b803dff7e45b0003809c2149957772fa82d6a51163a43eab4de7ed906116a52dc96a6b996098b602f08462a0aa309de52e6ccc9fffcffd98e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
242KB

MD5
6e527002d2096f7927ac98d390773fcd

SHA1
6c66798fba075dec03f9302dcccf8c7412427fc9

SHA256
ddd51963167e0d1923b50dfa2d6f33d999b019be968a88e7f876422f689f3e99

SHA512
09b60adca3f31a8bf31475c54e70938bc5163c356dd0725c386d1f419092a16d3dae6313389e4110b4ab40ae78f390985e6590fe7fee6291d0eeee49d066ba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
1KB

MD5
f8f3e784ccd5c4cf8fed2db83a3ae033

SHA1
69350dba75c7e73accf8182aeaf7651768fe99c8

SHA256
3dc8452a1417f20a4773d3ed281d3ee9d0a22783bb010312113cc28f74ecbb10

SHA512
fbc98e723177b8ce89487135f9ea52c94e4afb344ce094a2fcadc89c76e28aa008dd3c2629a70fbdbce24f465281be79cec3e5157bfa15236af2e0333530ce8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADBD.exe
Filesize
2.5MB

MD5
89087f0ca9fb246c038f2c8aedcaec14

SHA1
8ab0abefbf88aff16719dbe2ef3a3062ca7e20e1

SHA256
99fddd2ec325e2731384df670c6052dd2abbb99174efae0e4a471e32df289ea4

SHA512
6b1de62d557e51e23102a164cacf724345cd2e5dabf069f172162f2b0ee850e5e71beb52c6d06f2c85ffcff1c4681629c96f1d8149231540cb6b59037bd308ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADBD.exe
Filesize
1.5MB

MD5
bb79ceca7f5b5f50e36e4114c52e3834

SHA1
bbbbbfe033ef85eeda2b39be2586355c5b4b4e12

SHA256
d8f3bb6730fc14c5f1c2751c7c0f79ad0008a8d79e3456aaa6dbd5c7172c296d

SHA512
2c15a8264f42e1afd318c5e60c9126c8428d660d5e255515399b7a76da8e1df76193c20c515c6d17964f575fb2ac1997f140a3ddd4937210b539066901d51150

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0F8.exe
Filesize
219KB

MD5
91d23595c11c7ee4424b6267aabf3600

SHA1
ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02

SHA256
d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47

SHA512
cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B0F8.exe
Filesize
207KB

MD5
2eb4bdde1d05e29a874c11514e4c23f9

SHA1
3aac5f01627422cc22e602a5782e42becdff0b95

SHA256
f562163ee07069fd098aec4718cb5e6332ad0aa998d8f9c0e873241c34685a0f

SHA512
9036f0efcfd55c6c7d61d63147a771289af16472bf6a6ea9b3ff79336b74777fb5fe70f4afbe997b559e1b533ce37d5cdff7da0ab22a0f143d1decfc53905384

Download Submit
C:\Users\Admin\AppData\Local\Temp\B31B.exe
Filesize
667KB

MD5
c760b0581c937f70ae512f90a10b42b4

SHA1
0a3fc7c26fee51dd8d0d8bf3ad8c8b9152f35bba

SHA256
d604b05dd7b6bdfab88fe8e4e02923363be650a8ccfd59b42edbaf59e9d17446

SHA512
0e7f6f2a8078c50aa9339f69e26c0d1a787de1bc962cbf2067e06c030bc53434b5e29ca68134676200760f3b89e688ad4f06b6c42fcaa03a6770ec7b548079a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B31B.exe
Filesize
589KB

MD5
b8584a17894b542579181b4d2ff5e7e9

SHA1
6eb0e47f280c864a8f93e40b18a59a2c0d19650c

SHA256
05e2bdcdf442718080b21f388833f31aecdbe755f54470c8cf664e22a44a25d4

SHA512
f78569fde1cafdd4a66c951764683e0245a753f674e45b551d1e9c6ef28a6cdb864955a2f8ba1fc25761edf93d2f0668efbf2e2261a0fb461a4f3c3161197600

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDA7.exe
Filesize
229KB

MD5
e1ce2991962eabf7fdaa1c9c7d0ac0ce

SHA1
99842361b0a8458e9990a4a44dce5ccf1c0f8ea3

SHA256
173fcee3bd9757cc6b2c7d8aaa79fbd87bdb2f33936cad642026b6e7fea4f623

SHA512
9043ab4ed0c3ffa9bbd8c993879470d24c7885d932e4b45e0ff4e7165448d203018533a1cd3ea786349cdd5306a3c937f7b26d89e3df33c1c5981f16aa175de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDA7.exe
Filesize
217KB

MD5
f375da494cf8935c5d3de41e31fd84b7

SHA1
23a257cc42fd64abeb8217c6f883e06bc13ed11e

SHA256
05f1e6c39863ebf8b9c3221f7dc6be23ff3797049c064d77945f365f548cd516

SHA512
2d87f05324c674611d9aa29e4e41555214c510b9aef62a900de59982f84d7a5ca0c29efe4941c8c820133698a45d4d4ae0f38c7974ce025408fb05b990cb66b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\C20B.exe
Filesize
324KB

MD5
7842b49e80c7605cc58b553d471a0acb

SHA1
aa2e7e6a7400cba866bc827ffd213fd5d065b48c

SHA256
c648e9dc344c1701929a7b6113f2f474209c7f80e694cd1f4ba61c96e9486943

SHA512
f149c95b10968ac091e4d7f9c48b301bb1864cada94a3188441bdd0db01c0973f2acabc5f370b373fe5ef49df348885f66fe62d024e9f59a8a39097a37ecd8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\C20B.exe
Filesize
282KB

MD5
669d43dcf69ea803102d1cab68fc70c9

SHA1
f617b68eeff5d2a5b8be2d7903f597deb83302ae

SHA256
f91d09ef76d41de58ac2c915bafb3ed63d3292d6482b37a00513f7450dc41a37

SHA512
5638b02b79329d4a97e8e1b05de973d65bddfcefc23b98749e17a9eec952a9550a9a36a086c785cec9407affea5f16b5335cd6f891fb750ee64dde6e2413f713

Download Submit
C:\Users\Admin\AppData\Local\Temp\C70C.exe
Filesize
231KB

MD5
46fbba0a0ea517cdbde6a905ca742f52

SHA1
4f127f04f004ace86734f3098386bee068204c5c

SHA256
802b0dd14985d2d6ab5a8a7c41bf9cb7b3369fe9b0db15248e0e4a37a3179b50

SHA512
144ad2e892ef96389c11b74b00dc8b941eb1e7e2645305499e925e871f5f9648d150417ef5263a8f60710dae00cb73af237d646bfce8541a8304e0decbeb40ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\C70C.exe
Filesize
54KB

MD5
2d0c135fd5aa91b5ce774202c5a04081

SHA1
1da50f86863106cb2246d2cee6ad2747e1935c57

SHA256
fdabd57f835fb987956ade9edfdb99d4c9497e74003b3f51d41a344af4d3f049

SHA512
c5d951efac24f815af9019fad94f94f6764cde0eaeb78e3c55c0fd7f10bf7db59e44f1f45d9f0128b3dd5cb76d817d4a4fa20de26a9fee906be17d62f75062ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab678B.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6oq7sc7.exe
Filesize
37KB

MD5
4bb94084ca4c6c67e32495c32fc80d8f

SHA1
87eb826f4015aab8a8c40c7dd607490e2ee515ec

SHA256
1206ef10a6025cb6ec4f266ea6288377a1d8121caeb3a51f637cf20127491a62

SHA512
f605ada430a5b8a64c8f612352db7cd0f15e57af83c853e0799c8bcfadaf5f5801d6469bfcea7847dd290c015aac349868d74c11f2a1ce3207d6000dba5d943d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
989KB

MD5
54f85b06c996398bf868f6476ae680a2

SHA1
6a7c0fc2d48d24f3dc77f18594d2d48fecd5796c

SHA256
f5194e071b77a110546fee3922854bfd6a05446950f2849faebeacb1b18f72f5

SHA512
0ccf3fe07719b5d6cdaec170037cb8f21583d52984a3126a9e4fc114792468a39541700369591024e1de6dec85cf8b548b5e89f5a371d37270b35959fa78ee4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
1018KB

MD5
4f870f2133738f3cfe3b1f9d73a32edb

SHA1
afe13f560664675b12433db32115caed7b828317

SHA256
2c70a0fbe7cd3bf10df78397c0bbc844a24062157bc1a11a4d204f88316a6968

SHA512
177697192a3ac09152ac749a295b989664c32ea7fc274d26394fad72104d4c5afc56846a65e282032f0487a8ca6b828b62de804b4c6ca71f4b62729c0e8035ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar681B.tmp
Filesize
41KB

MD5
c15fca0ef175b6b77b7d6902e46db92f

SHA1
45a50dd01c505ea03564858fd173d658dd886fd3

SHA256
fbc1ff745b341c22667b850529d255d7353afa27e23eaf6ea30bf5b8369adf89

SHA512
4ff92820075c38c3f52f06d2907b3886240b8eec97fa2ab0a0381e67891d5e7f5d4d56aae43acf25af5fffcaa58ebaee26908a419bc811ac1e281f5a4eab1ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
24KB

MD5
5a28a9e93d3bf54d2f55ae683e884d29

SHA1
c0dd3cc6237eff8b23950ff63cef25bc8abd15e9

SHA256
3c78a1d03e5a8e161d2faccdd0d9ca72b3f61c87a3d6fb6ab3fe0fa00fe37ba4

SHA512
ddf8020a2f1eed24b846906e0468ce372dac5a76fb0831d31e217c3a9d7abfa3f114b47f08627c55985fd260b834466cf608b11705cb8fd964621195f4f0d570

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
267KB

MD5
e7a8cce598dd993d855b0092bb35a605

SHA1
d8b8bb41e501aace44147e80f97f803e5ba1ffd7

SHA256
ebd5c32d2113274d1e260c4c0ba506cf9cbc405f5d39b8b1173691df3b0dc4a9

SHA512
385c06c1022aaefb82f9720f3285619367a0ebebf144faf67f3de28ae76c67014b5fb465559d410a41a60c6977182f92b1bec0632eac55a13858c9125cbd3059

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
239KB

MD5
87c2b3a9bc970cfbbfa7724855992acc

SHA1
6933ba8067d368d16bf2f2a3bcde2fbe9c3b3b38

SHA256
901b1bbc5a59c028f8e9e0e104fe866acdc2043874f13fa31063cf8fd718165d

SHA512
ec49abd6fd460f175149a817e1e83b6f361e2b944cd9477268b03dd3bf3a36afade337d841144f1ce063b33794b215db38827ea26ba3e0ff5663817b12999553

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
198KB

MD5
8c5bdfc5002669cfb8f555bd6cfe4c7a

SHA1
d963798fff4d5ab83a1f55b4c0478de6fc91f3fd

SHA256
4c84e164a8bc458776b78700a9b6b4ad9490382f9c8b5e364da8f48b3d8429ec

SHA512
5fc5d640fc7f9d2258f1a3533993cbe7c1415a2e2f70d29624bbd9786365344ae7a6d1108aac2aab263561886b708b4a24aaa63a93866ad5d22bb9ceb46c7cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC360.tmp\Checker.dll
Filesize
41KB

MD5
8dcc038ce15a235ea9e22fc9663e4c40

SHA1
cc702c128e3035d42220bd504d6c061967d3726f

SHA256
64b23aa5ca4e2e516fae3d2480957d6f1065c91caa930e0ffac2bda1cadea76a

SHA512
bf81fee736e02680b2d5cd23dd360430b9bd97ad1f75ae9485e82b548f61b83a092c5e17a4d537a06ece6384003aeb9b7b9e7eac4a7ffb2b371160570bce6b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjC360.tmp\Zip.dll
Filesize
76KB

MD5
0f459c2bd249a8b1f4b1b598d8e5299d

SHA1
ca47103107cd686d002cb1c3f362efc5750bfeb4

SHA256
acd3d2b809c320bb8b93385212bac23536bd6894e8e2638a5e85468ccd54fb3b

SHA512
1a7e6e48ee9d966a59082f2ad3b6405d8bbdc1a45f54dec1de9fd1a16b34bb0dc422683ecffd5dfb484db3c5c42caea410d49debeae50ba3979520834212afe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
165KB

MD5
0447723796a0c052c69ed77f1178c70e

SHA1
5ba21821b66f8a3e2591ab2c61ca1dc844bda074

SHA256
613edd4a456b2fab0e42d3e1fe31c48db369b27df21cff8c76433e87758fa390

SHA512
d113ef53824c936a09bd5dfa36e65c8ddf4bcd29ab6b9786bf79cf5047078bea976a79fdc12c64bd837f1e197e02bea6f257f54b761b97c0fdbc7c29d2b50bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
253KB

MD5
b7ae48ad68a9e1f063fe75c76bf84c44

SHA1
e8e5f0dcc9aaf98f574a29df81c74079be545360

SHA256
63bc7dec45027d98b236782ef2f5d6b53dfc278b8d0aabe1a9932431eb58d654

SHA512
08d0a0846262c1eec95dfa79221ae4d406b44b3dda696ad55cc0308956f9abc341b83e08ad975aaa3c63e4dcf320d4bdbdbc41a697e031a3c3133944e678e5fc

Download Submit
C:\Users\Admin\AppData\Local\da6f6197-6f48-4a9c-8565-aed6e7b7d771\6B2A.exe
Filesize
181KB

MD5
609378e9dbe639f4c0251abbabf82270

SHA1
445496d4b3a449ff32b7abaf45c1e73355e474c3

SHA256
1833b70d7c5245479a494a83451f448cb58870e8008265b772f971ab342f4e86

SHA512
8319b3ca9b30229acb6c946486abe4f1a6e15eaaed04a38f4b2157bbc1c57da0abeb402712b86883f891543bdd4fac0e26c85f479920875cd51ab465ddc1f719

Download Submit
C:\Windows\rss\csrss.exe
Filesize
642KB

MD5
9de3b32f41bddbdb982066cb84f1ce19

SHA1
ee8d04f915b5b5fefa6a852cd16aae41fad65802

SHA256
32c3b4ee5ea0c747c26b91f19e4755c2be065dcf199d48efcd99162e2e9a1e3f

SHA512
fa056fd87392a0872db7cbe0702d0a404be0672ec640df223f3e6210c0665bb342355b70f11b7307bbd84ee4a405dbbe5275b622ec6eb67b7dda16ecc3e062ff

Download Submit
C:\Windows\rss\csrss.exe
Filesize
297KB

MD5
5de688a71c63757730cbf75acdbcba4a

SHA1
4ecf3cd9a2049fe6a5bfb68c10fd6568e1f244a4

SHA256
2e33d5a3b0da9f214188ea1793d0f08df03361b3f8a3bad2b41ac8db33069516

SHA512
faa5021dbc18eb1a49dac77e102cfa37c341fce1891f5d3ff3d8479401eaf5c0bbf86c495d3a07330741c53e11df3fa756aee2f1ea32afb2c64d7c3738966ec1

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
342KB

MD5
0bdc204f35cac595b1bf25f98e766202

SHA1
d4312c511c764162f93bfda53a38cb0fd02a3e4d

SHA256
451339a91eff49eb1c39310ce2f7f6f1157118cf1ff5adc250d40343b499af7f

SHA512
6f0010641a463c9f4710fe7a516ccef22a6251ff202cfcb0f1f5f995826c3fabdd0127be4e002887642b32cfe197ac01c7b2f24a3ce78bed1b9f0783f765fe04

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
383KB

MD5
87a2f8ea0eb49297269f31e6714ded80

SHA1
df3460e0914b24868d97731ee1a2a9a9f0f19e39

SHA256
c32a96f71ff7d9bdab589a5dee665f3b01995eaca35c4dd5ac8e732788eaa19d

SHA512
971024f30ec5740eb0cc76b40b61b6f72019ad8cf5640084dd39f6c6802fcdd015d31ab20728c26cbbb4fdf2c69ccec356ecf171ea0216b5854c669a2dc9babb

Download Submit
\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
156KB

MD5
e6a76585965fc7ebb23e70c39539581a

SHA1
cadc539c70757c45a216a9e171e228d6307f7b34

SHA256
c3c3f9ba5cda84f888c522591dd97f100e6eed42be7c36be4f213e9b28acc8ee

SHA512
4dd63f6992b39f79cd3f8c2cacae2c9c7bbd8e8bb32cbe278aceeb8ae727f3f4704500722a7f5302b52145b76bf239d036dc94b90bba455728720d2f37fb18ef

Download Submit
\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
64KB

MD5
03c89d77fcf4fd6dfc2dd01d5b2635e4

SHA1
8638c2371ff929126696151758b881623b87fc86

SHA256
2c6ed4a5bd484a27f5311b31dbe2d0aebf2b372e94a17de2b525b5f6a080537d

SHA512
1d3855eb3b4476f94b897b38ea673b51fa92d1128eb0f75caca4701b4c72f4ebec9db1725b867813f75b8449346c7cd8caa09e517809dc110df87b11b2abb543

Download Submit
\Users\Admin\AppData\Local\Temp\6B2A.exe
Filesize
119KB

MD5
beadc8e41d70253d8acf3206403f0068

SHA1
76136a39376332c236e399d7a4a63a9d844fae12

SHA256
b906961116e8fc0ab80b3b80893380cdbc5f7a96de2000caf9b25de88868c87f

SHA512
d518477bc18137b7450329134de455a17be9d9934155e0870cd5c1884c93005ea614cb142c70c603f1eeba7b099f60b81c793f08a5dc70638551d171fcdde9f6

Download Submit
\Users\Admin\AppData\Local\Temp\C20B.exe
Filesize
68KB

MD5
f4a6ed8d4b99b80000bab06ca832dd32

SHA1
1dd9990868fc06349ee99e205369e70f03c92b28

SHA256
28d02c8e17b1b4e987d00ecb6f18e9d1d5774a4b45c9942d0e717122020493ed

SHA512
0716e93d87a59e12db3d0b66b9fa9265bdbcdef5908b35ebcd1876efd9c1b068ef49cb4cbc67190465a1e868e5ae6491615c67af524adede9d9ec335d0f51246

Download Submit
\Users\Admin\AppData\Local\Temp\C20B.exe
Filesize
45KB

MD5
f2cc8c59caa2b46a4b0ad667675f657e

SHA1
a05060842cfab095e7fc17a57e80e1da18c5f211

SHA256
0fb009e462a1304079754642e63c2a6d8de0e4ade11fe8d43c3ef48988c97af0

SHA512
50a6fdadad7c01fc29123a5849f263083480661b1d1c0da42ec89c335b8dbb3741898f8b637c2dfaf2efac90a2ec6be1b876e5ce015dcfebf46cf4e5b4b04a83

Download Submit
\Users\Admin\AppData\Local\Temp\C20B.exe
Filesize
57KB

MD5
81a891b8da51a24bbbe3235605ce5316

SHA1
96d9ac588c398d684d4bff51dff2aece059c4d16

SHA256
4c31214a080a654a1a965b68f6039a14b4b19ce6d20da50f2a1b97888b2728f8

SHA512
d4e87a67fe5ba3ba269e28aa39df2525d39b1dec4865cfcf0a6af92bbc6ca42c59cb26138340b08c08af4105a9a0836db51ef7fa87a2c56dccde34770729e8e6

Download Submit
\Users\Admin\AppData\Local\Temp\C20B.exe
Filesize
21KB

MD5
6149c2183642405d51db6a05dc34df5b

SHA1
6574d3ad5f7640b1cecb621887c586961081e840

SHA256
05ea79fcbfeb683aa2c65d2232ddbade65cb5c87885550f2627be2efbf94bec1

SHA512
7052fc8c5b1d1392449c9b368a1571bc50da866898be1644739c10c6397e3e91a7f4b7d5930cb69727495e5de04ce7fd12ea3297482c37441b0e052802b27aea

Download Submit
\Users\Admin\AppData\Local\Temp\C20B.exe
Filesize
319KB

MD5
5e6bcecb75c1a3f889588d84ce0c1614

SHA1
59f8086cbc4addd1f584d9bdb58ce4107eb04753

SHA256
80e38ae7758d72204046e1aecfc77a2a40b068250a77fd3f75f177da8d1e1b1c

SHA512
1744e848051c61eba75059fe534ad36014c24b6d0c6c34ad14182eaaf6bf95bb0d8af648c4f04388f1bed49145d3f7925f0c495401015a53a7288fab8f69bd01

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
1.1MB

MD5
a0d94eaea66826ddecdff937a4d1be39

SHA1
090060365f5ca88a1b2c8b7b04936a1281c0af75

SHA256
5de4007769d920126f11592bc2e9dc4e43eb3a8aa7f5d3c1057f9cf55694519f

SHA512
82a186ff2a9efff1485459412d65dec2091cbbff01b3b5c6f9d85691a0babdc3326a25e8412c886b4e5a4d549255f59586b469ac572260709f866acaf13a7f3b

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
117B

MD5
15e4f9a6c0a1234d33dd65950c2864de

SHA1
2dfb6f115564468a8fe5db3c7dde01f5c981af46

SHA256
7572879cf94c2bb57e801cdfa06eeb4493ad525631528c6f5fe1fa12e951cfd7

SHA512
5ceef1b9c5972347ee39a61109843f55ac28de7a1d261965700ad88ab57cf92586c2d41aaecf50127a43caea8ce12a0ab27d0997efa53b9f45857447c9e85fbf

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
161KB

MD5
e666a458c7cbff336ceaa49178e71571

SHA1
14761357db37b4e2148e43dfc97d06ee2120e692

SHA256
4ba43bc760c2ebac405a09f481a5377a8ebe8555fc0921d293ff4ef3f9a1a61a

SHA512
17be74eca752a63878b32f209a3423817ac275b6fb58fa0e2f821e294ea403868e8ece64760d1ccb8daa0a75354afceb0b2f742bd96ee753277e68b450756f37

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
209KB

MD5
a5ff42f5b275649b73412c5f9f62e332

SHA1
9a747639afd265c9faa381016a9de274c956c816

SHA256
031663cfb7d13acd056e7e89a769c0f6a7617283ed2980d5679a78457b484642

SHA512
c0ed0198fa36faeedf46f6b2e883575b64bfa859acbfd8e82dea186c75398881db12fa02be3050ad39c405bcdfeddc3fdc49df97c355c3ee9098b7511fd3ce37

Download Submit
\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
845KB

MD5
967a8a5b404579a411fdb4044e750eb5

SHA1
871c7951b8e0fac4797a01cb64d8297f45c3ad9a

SHA256
7b4a319f3dd08fe3d8a582e0f866ccc89adcd377098e93f30c068fc9e77bd72b

SHA512
8e83621506b770ac5ef131a724962ec3428923d7c6ceea5a5d7d690c580e1bb7212573e7cb1b828998bc451578d684ced24768bd81b008ff3f686007ad917632

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB433.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB433.tmp\Math.dll
Filesize
67KB

MD5
ebd8a7a5042ae1d4ce1aa9071859c851

SHA1
ee508ce7cbe8b1b0bd471bee43e1ec19d21e8ad6

SHA256
fb6a0072377325b5da0d1da236d9da2610608e9ab74318e15540cc7aca75f837

SHA512
daebecc30e91b19737b346ed7ac85ada87757f53fa67fdd262ba617b29c24ebde4058171f71bf1bc8d0d8b39a9a346c7ef2a9968908dbc16723069d8f9507b0e

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
152KB

MD5
418b899c9880eca24ceb354848a57c91

SHA1
3e5679d6a5a37f8773e26216068378eaac544ca6

SHA256
a96b10b4e61cc6514e259cad48c220aff1410a714298ae8308fd26de6f65df59

SHA512
db30b08d66041ef2e05fae6694afb733cc276e89af981d718bcb480ccb8a3d921437b12c49530aa1a7adbd17280a5a34ac263e831e9e47bd613e0975f6043f52

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
170KB

MD5
dc4db03dcbe558072ee0870526155ac9

SHA1
ea6da4e8200ca798c0e7a58c67bfdbcdff8df86e

SHA256
ecf8be81c40d35aecf883b598bc52d4e462aff2d25ce6b043b012ea735cc9d50

SHA512
fe996ff77d902a865db78637018324883220320bfd122674230cb61243e563b14c8c685bd6cdbfcf5f2220bc6c1d3c9f39e3c7f3c12272a6cfc58404cded026d

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
128KB

MD5
9d1816a549b92f97216a11d5e541b2ce

SHA1
02abed0ad44b8cde7640ad8661816ea0c0f68572

SHA256
a3549e3cfff43ae683b5b5a40a881e979c176e4bb67f13ece117f2f96c20d9bd

SHA512
a29425491cc9db686223586a7a88774065a064fe0582221e19d81b5edd575ad939e0bc98d4191d93ca45e70d9580ec1c55fed25c91ddb253ab1ef5c251cf1967

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
175KB

MD5
69301e945f55c974c58b648b4a84f282

SHA1
527cc768f3da85b5ba115912a1071e7368a102db

SHA256
21fabbf67980bdb3fd57e09e49a656c81308ed95cf4cfc7811873e79cbcf4828

SHA512
ac5b808d0c8b8695cfc0fb49962d725189dd33b9c60dc2e034962e4f0159d35538fdcd9c4883487a829da02bc2bab6bb2240ac49578e0d1402601cedc0f9c14e

Download Submit
\Windows\rss\csrss.exe
Filesize
63KB

MD5
9fed2d5d5d3cc28a0f72a9d4e4729da8

SHA1
4be35a35c010f39888f47f91258614c8dac304da

SHA256
b532a724650f5a8b67a539c7c960902600b0c43f7f94b9a5fa09ad0ec90e87e1

SHA512
4960e3c98cd6cd8d29b272ad3bee5242919a8541cc6c5e5d8cf18cb2ab908c9b6a737f0ff3636341b97f3dec1e875cab10a93b13f99993a24ec5df492577247e

Download Submit
memory/396-370-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/484-82-0x0000000002590000-0x0000000002988000-memory.dmp

Filesize
4.0MB

Download
memory/484-182-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/484-109-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/484-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/484-189-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/484-164-0x0000000002990000-0x000000000327B000-memory.dmp

Filesize
8.9MB

Download
memory/484-93-0x0000000002990000-0x000000000327B000-memory.dmp

Filesize
8.9MB

Download
memory/484-90-0x0000000002590000-0x0000000002988000-memory.dmp

Filesize
4.0MB

Download
memory/484-174-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1248-1-0x00000000029D0000-0x00000000029E6000-memory.dmp

Filesize
88KB

Download
memory/1248-159-0x0000000003A10000-0x0000000003A26000-memory.dmp

Filesize
88KB

Download
memory/1332-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1332-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1676-247-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1676-261-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1876-21-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/1876-30-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1876-147-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/1876-20-0x0000000000EB0000-0x0000000000EEC000-memory.dmp

Filesize
240KB

Download
memory/1876-123-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/1884-359-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/1884-363-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2100-238-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2100-239-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2100-365-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2100-235-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2100-381-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2100-357-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2164-710-0x00000000001E0000-0x000000000035E000-memory.dmp

Filesize
1.5MB

Download
memory/2176-335-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2176-330-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2176-334-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2176-356-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2244-150-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2244-146-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-137-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2244-132-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2244-141-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2244-144-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2288-188-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2288-152-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-156-0x0000000004C30000-0x0000000004C70000-memory.dmp

Filesize
256KB

Download
memory/2288-151-0x0000000000990000-0x00000000009E2000-memory.dmp

Filesize
328KB

Download
memory/2288-184-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-241-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2336-63-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2336-61-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/2736-67-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/2736-130-0x0000000000380000-0x00000000003FE000-memory.dmp

Filesize
504KB

Download
memory/2756-328-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2756-324-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2756-331-0x00000000008E0000-0x00000000009FB000-memory.dmp

Filesize
1.1MB

Download
memory/2776-107-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2776-14-0x0000000000350000-0x0000000000E58000-memory.dmp

Filesize
11.0MB

Download
memory/2776-13-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-237-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/2808-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2808-211-0x0000000002B50000-0x000000000343B000-memory.dmp

Filesize
8.9MB

Download
memory/2808-214-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2808-203-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/2808-200-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/2816-175-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-176-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2816-106-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-213-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-91-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/2816-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-111-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/2852-630-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2852-627-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/2920-160-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2920-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2920-64-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2920-66-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2924-180-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-115-0x00000000008C0000-0x000000000094A000-memory.dmp

Filesize
552KB

Download
memory/2924-116-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-118-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2924-117-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2924-133-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2924-183-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2968-149-0x0000000003C10000-0x0000000004838000-memory.dmp

Filesize
12.2MB

Download
memory/2968-143-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2968-131-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2968-161-0x0000000002BA0000-0x0000000002BDA000-memory.dmp

Filesize
232KB

Download
memory/3012-749-0x0000000001110000-0x00000000017EA000-memory.dmp

Filesize
6.9MB

Download