fabookie | e46cfaaee5da4b1d369db1d1dca420d39c347227d95a445910f7adc7c286b5c9

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15-01-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
Size

6.6MB
MD5

623e41eaeb69f117691080e4ac4cd1bc
SHA1

dd330ae575e184f8955324a9d7c1e572306ae175
SHA256

fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983
SHA512

25104b32809f5cbd9ff22a528f77c90540e99e9d5193eba026ea269357f2e6d5b3ae6de0bcdc9be0dee9ee3a092eb909a3f404f74d33c71d0823107f9c206f74
SSDEEP

196608:jBoKvFpMWN59w86tAWGmKCJWd4IZ82mb5p5xsxu+lpf:jBNvF6WN5i86SWGmpsnZMYu+T

Score

10^/10

fabookie glupteba stealc discovery dropper evasion loader persistence spyware stealer trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/2584-218-0x00000000035D0000-0x0000000003701000-memory.dmp	family_fabookie
behavioral1/memory/2584-350-0x00000000035D0000-0x0000000003701000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 21 IoCs

resource	yara_rule
behavioral1/memory/2920-38-0x0000000002900000-0x00000000031EB000-memory.dmp	family_glupteba
behavioral1/memory/2920-44-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2920-157-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2920-158-0x0000000002900000-0x00000000031EB000-memory.dmp	family_glupteba
behavioral1/memory/992-179-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/992-201-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-243-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-302-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-354-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-355-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-357-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-358-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-360-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-364-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-366-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-368-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-369-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-375-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-377-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-379-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1780-380-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\e0cbefcb1af40c7d4aff4aca26621a98.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2252	netsh.exe

Executes dropped EXE 9 IoCs

pid	Process
2920	e0cbefcb1af40c7d4aff4aca26621a98.exe
2584	rty27.exe
2832	InstallSetup8.exe
2572	BroomSetup.exe
2516	nst55A1.tmp
992	e0cbefcb1af40c7d4aff4aca26621a98.exe
1780	csrss.exe
2044	patch.exe
308	injector.exe

Loads dropped DLL 20 IoCs

pid	Process
1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
2832	InstallSetup8.exe
2832	InstallSetup8.exe
2832	InstallSetup8.exe
2832	InstallSetup8.exe
2832	InstallSetup8.exe
992	e0cbefcb1af40c7d4aff4aca26621a98.exe
992	e0cbefcb1af40c7d4aff4aca26621a98.exe
844	Process not Found
2044	patch.exe
2044	patch.exe
2044	patch.exe
2044	patch.exe
2044	patch.exe
1780	csrss.exe
2516	nst55A1.tmp
2516	nst55A1.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\e0cbefcb1af40c7d4aff4aca26621a98.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e0cbefcb1af40c7d4aff4aca26621a98.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240115025723.cab	makecab.exe
File opened for modification	C:\Windows\rss	e0cbefcb1af40c7d4aff4aca26621a98.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nst55A1.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nst55A1.tmp

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3032	schtasks.exe
2616	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1744	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rty27.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rty27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rty27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rty27.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2516	nst55A1.tmp
2920	e0cbefcb1af40c7d4aff4aca26621a98.exe
992	e0cbefcb1af40c7d4aff4aca26621a98.exe
992	e0cbefcb1af40c7d4aff4aca26621a98.exe
992	e0cbefcb1af40c7d4aff4aca26621a98.exe
992	e0cbefcb1af40c7d4aff4aca26621a98.exe
992	e0cbefcb1af40c7d4aff4aca26621a98.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe
308	injector.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
Token: SeDebugPrivilege	2920	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	2920	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeSystemEnvironmentPrivilege	1780	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2572	BroomSetup.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2920	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	29
PID 1856 wrote to memory of 2920	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	29
PID 1856 wrote to memory of 2920	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	29
PID 1856 wrote to memory of 2920	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	29
PID 1856 wrote to memory of 2584	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	30
PID 1856 wrote to memory of 2584	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	30
PID 1856 wrote to memory of 2584	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	30
PID 1856 wrote to memory of 2584	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	30
PID 1856 wrote to memory of 2832	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	31
PID 1856 wrote to memory of 2832	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	31
PID 1856 wrote to memory of 2832	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	31
PID 1856 wrote to memory of 2832	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	31
PID 1856 wrote to memory of 2832	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	31
PID 1856 wrote to memory of 2832	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	31
PID 1856 wrote to memory of 2832	1856	fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe	31
PID 2832 wrote to memory of 2572	2832	InstallSetup8.exe	32
PID 2832 wrote to memory of 2572	2832	InstallSetup8.exe	32
PID 2832 wrote to memory of 2572	2832	InstallSetup8.exe	32
PID 2832 wrote to memory of 2572	2832	InstallSetup8.exe	32
PID 2832 wrote to memory of 2572	2832	InstallSetup8.exe	32
PID 2832 wrote to memory of 2572	2832	InstallSetup8.exe	32
PID 2832 wrote to memory of 2572	2832	InstallSetup8.exe	32
PID 2832 wrote to memory of 2516	2832	InstallSetup8.exe	33
PID 2832 wrote to memory of 2516	2832	InstallSetup8.exe	33
PID 2832 wrote to memory of 2516	2832	InstallSetup8.exe	33
PID 2832 wrote to memory of 2516	2832	InstallSetup8.exe	33
PID 2572 wrote to memory of 952	2572	BroomSetup.exe	40
PID 2572 wrote to memory of 952	2572	BroomSetup.exe	40
PID 2572 wrote to memory of 952	2572	BroomSetup.exe	40
PID 2572 wrote to memory of 952	2572	BroomSetup.exe	40
PID 952 wrote to memory of 912	952	cmd.exe	41
PID 952 wrote to memory of 912	952	cmd.exe	41
PID 952 wrote to memory of 912	952	cmd.exe	41
PID 952 wrote to memory of 912	952	cmd.exe	41
PID 952 wrote to memory of 3032	952	cmd.exe	42
PID 952 wrote to memory of 3032	952	cmd.exe	42
PID 952 wrote to memory of 3032	952	cmd.exe	42
PID 952 wrote to memory of 3032	952	cmd.exe	42
PID 992 wrote to memory of 2124	992	e0cbefcb1af40c7d4aff4aca26621a98.exe	45
PID 992 wrote to memory of 2124	992	e0cbefcb1af40c7d4aff4aca26621a98.exe	45
PID 992 wrote to memory of 2124	992	e0cbefcb1af40c7d4aff4aca26621a98.exe	45
PID 992 wrote to memory of 2124	992	e0cbefcb1af40c7d4aff4aca26621a98.exe	45
PID 2124 wrote to memory of 2252	2124	cmd.exe	43
PID 2124 wrote to memory of 2252	2124	cmd.exe	43
PID 2124 wrote to memory of 2252	2124	cmd.exe	43
PID 992 wrote to memory of 1780	992	e0cbefcb1af40c7d4aff4aca26621a98.exe	46
PID 992 wrote to memory of 1780	992	e0cbefcb1af40c7d4aff4aca26621a98.exe	46
PID 992 wrote to memory of 1780	992	e0cbefcb1af40c7d4aff4aca26621a98.exe	46
PID 992 wrote to memory of 1780	992	e0cbefcb1af40c7d4aff4aca26621a98.exe	46
PID 1780 wrote to memory of 308	1780	csrss.exe	54
PID 1780 wrote to memory of 308	1780	csrss.exe	54
PID 1780 wrote to memory of 308	1780	csrss.exe	54
PID 1780 wrote to memory of 308	1780	csrss.exe	54
PID 2516 wrote to memory of 1904	2516	nst55A1.tmp	56
PID 2516 wrote to memory of 1904	2516	nst55A1.tmp	56
PID 2516 wrote to memory of 1904	2516	nst55A1.tmp	56
PID 2516 wrote to memory of 1904	2516	nst55A1.tmp	56
PID 1904 wrote to memory of 1744	1904	cmd.exe	57
PID 1904 wrote to memory of 1744	1904	cmd.exe	57
PID 1904 wrote to memory of 1744	1904	cmd.exe	57
PID 1904 wrote to memory of 1744	1904	cmd.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe
"C:\Users\Admin\AppData\Local\Temp\fdcf2c12cd0e232689188a7826c6a29e1604a5b98a77cb82690b581c049cd983.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
  "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2124
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1468
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2044
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:308
- C:\Users\Admin\AppData\Local\Temp\rty27.exe
  "C:\Users\Admin\AppData\Local\Temp\rty27.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2584
- C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:3032
- - C:\Users\Admin\AppData\Local\Temp\nst55A1.tmp
    C:\Users\Admin\AppData\Local\Temp\nst55A1.tmp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nst55A1.tmp" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:1744

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240115025723.log C:\Windows\Logs\CBS\CbsPersist_20240115025723.cab
1⤵
- Drops file in Windows directory
PID:2356

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f394072b39f302d1675cab6868a52714

SHA1
f4acd1ff55bd1b881645e13c2d15bc978023e11c

SHA256
9aab54ee762cfb1b9d299d21d9d7a794831b6938cc8502478c2f88c4e5d974cf

SHA512
ac0c1395ceab9f3e4df85559a73b578420f4bc64fc8ff980cd13817fc049c696e1e9d74374f20521acbdd093637d2924189a99e967357b776ed71fdff8402159

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
491KB

MD5
b31c97ea92ae54a02d72fd85dd322182

SHA1
190da19f84568f927cf49de4be5c38b50a8a925a

SHA256
7c9872b69d7f7a5530bac15d516e4d13ee1d67098fb3a6306890b28b21677ba1

SHA512
8a23cdc43be8348f80ee83a3c59f5731def618ddf2510756971a6ba496d3fd005fb37b1ddbf7d5617d5c67e5bd24bc29f4f20c1bb08354199338107ebc6f29ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5C64.tmp

Filesize
17KB

MD5
15935899c37e1111c8c655d59c95b09e

SHA1
1291b118697def08f3b6a1d245ea1a94305aa7e9

SHA256
26ad48fae35d6b92a8324807c8f2646b254d6e6655be1e8adedbe6fdb94c4046

SHA512
60acfbc5e1876d99796cb6bbe2bbd2f157c098a966cf760e5d611ba1d10bd71431f8b1c8723ff5ae18a171cfee92940b491a8a2324d91ce29fcfcc44e8234629

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
446KB

MD5
6647d048d2b63b9155c36f0b80a7172b

SHA1
264045e99ccf665b006582108ee3747850668888

SHA256
0291e31d7561473aec0609cfdba10e27caf78ff8537f5aa0dd85f540092d9ddc

SHA512
0ed86590c38b77bb27dfe6c4b0c33d5227488dcd57295275f34fb6ed0986ead4451e38b165783733c2c7153d85cea87e6e7efe999b9373645a302f4a0283a306

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
490KB

MD5
3612501a38930f97cdd484a23834ca5d

SHA1
7742dfc7c6bdb5e93d8916ef20487486cf7122ad

SHA256
5f2046dde8b239a36e19784ac65a0ea4540bc897238335696fbfda5864a61576

SHA512
516e63f8ed10a3d6b5214ac765d566d9a1ae61f9af85ca1e12325dfcc097bc24dd32a0a3a64271e03bae9db6a8e04073ba73f5e1f65408f05cb927a2bfea85b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5D03.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
22KB

MD5
0a003541d0934de80aabec765784f4c8

SHA1
06ca0b69e56733d31eaa0b3216bd107740eaa2b6

SHA256
c9e790a4ea7c99833246c30a6b219d0df527925af9b1b23e5b20b5658c6e279e

SHA512
b7a2260ee27c664ed430ab0d570aa469317317553037a8b8eebfc50b75edc292345d0f6120008d561c8b5e0c9869c5a40d988af9c3ef0ef1d8bee21ca465d9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
132KB

MD5
3ca3c40218e19e7b4f343537a247cf77

SHA1
953abc5448fae1b3a745e9e04f89266bc188d308

SHA256
f3d116eea75d414935a8c2294b02ddecf662f9d0c349be5e0c974affbf366aa9

SHA512
8a451074e2f6763f18b617ee9e20d4f0503afde702b48cbc0c94123b6ae475feece77eb4696294e54c5090c91249a495c3c50d7b192bdb55d3362091f0171502

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
561KB

MD5
16c82d8e953e91ff70a81310378e3c24

SHA1
62819fdc6cbc9da4a2e1c4da582bf0fe8518c769

SHA256
64034afda435aae322980ffa5003d80dc0ae7425fe1c7e8f2872873cf704f539

SHA512
aa3c636b55d57d38694b00ffd9dcca7cb80eefdbb2e5add90cb1b63c73ea3c8c3896447ed08ca370fe1f8f441ac449236b54a8a942b51275fce4d911eb3b611e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
137KB

MD5
0781cb9cc1766e73c40590aba2c6e03c

SHA1
9100b8f14127d7eb8d81a7a90a965f9916fc2963

SHA256
a71140cecba13c2229184811b28f38083df6bf2f325197806dc5f949d7e37518

SHA512
4bdf0f79b561fc63ea08a45dfa3c01b7f2640ac3b841f743282afcc2d098735071c6a42af47b66d9b2d825af513e3c7d7d244c47ba3d15ea0cd06b64b5c66d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
733KB

MD5
fb72c73c90df13fd383802acfa92211d

SHA1
0ed9a0049854e39ea9364cc36cf66c43660eb7cf

SHA256
83b5a55e8c071eea189f00b57db80e3b9568250f4f9ad219a639e75af7541f13

SHA512
51bcc1b71f66b38de0aaf30cfa35bd19507463fee3329a101181d20e1b785fb2d9606b42d0409bb1d62ae8a3c531c4840caf75bc0eaef98cfd3b16c716566f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst55A1.tmp

Filesize
148KB

MD5
eea07c1f2bdcf4af7df58bc89e3e246e

SHA1
3635a46328cbb0283821ec1cefa4da538da0dbbd

SHA256
2c53746427ba26ef8730144a267b6d3414a3deb6e484d031bcde6b7729236b26

SHA512
0613a5710c11973e996472012d480c5b89981103b10115a508d57d0e1b050fa3361d54d844eca7e8b797e319c6fdbc3d7f178801d00211c6e6b6d5e0ab0086e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst55A1.tmp

Filesize
99KB

MD5
98feb2d2dad2cd26aea78ea5c63875d9

SHA1
f33dd8ffb4696f3a573d8a2ca1ad39c0984f76bf

SHA256
bf8091d1e60b00029210f2aae8900e42699a04893eb9287ee9704b79aee679b5

SHA512
654a1e40cab8891710a0d71ccbb64891c8ac8d16ea12e0767810248b9e9bf187178a6b7fec28e27d252dffd6bceb92da065a051c040f3a0b49799f7395fcdcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst55A1.tmp

Filesize
110KB

MD5
be65a49cf88684d196b5e9c09eb42af5

SHA1
3554301e34cf682549872ba64c57d667e04767c3

SHA256
fd9776da478b5258548839603909d00215f92ad0a1a7ed60de9f1510b01b2f06

SHA512
22b38676c62415bb1e30f857b7eea01039aeb47f322340ccaa50b5bbdcaab5e08bb14d13cea2e1d9ee9ec39aac09a761e42ced5058780268cae537241249bd9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
100KB

MD5
688a66ef8bc1bd5f5c774a2975a6c3a5

SHA1
35c7bdc9a60d1bb741278f190f1b5cfbcfd15374

SHA256
8c01e58b86ce0ca7473d2fb7ea6a65b2d9cf54724258d529ffcf2a3b8ffa194f

SHA512
04776fb2da56a3d0086bf66038c5e3dc1c6b472961e0a45dacdbf707ffc923889b591d7b5aacc8453cfa507939a8bde6bdf62d2d744fcd53630fe62e26556ef6

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe

Filesize
121KB

MD5
8630f2248a95888edf4f7c1b256ce3b8

SHA1
269a89337f1f7993a70b913618b3f0b53783c5af

SHA256
372c9818befe82cc705f3207644addb1a206cfad40a276e24cb02d9afb32cc8b

SHA512
33b7bc1262eba281db44563b6345231a0e4ffc0e5fb61ed998cd573c8c11ad1504e6afc5889ae40f23bc5c33d10b4db85fc927fedb83ba18ae979344be89c002

Download Submit
C:\Windows\rss\csrss.exe

Filesize
108KB

MD5
e3fa211a503579ee47bc8f72ce28a499

SHA1
f69fd2696126948417a4f4c6a76326303203ca8d

SHA256
2105ce96eb65cb6b2d3408f83eb3e3a9008cdf4fa6f29015a7c345947ea618fa

SHA512
2930f162fe7c1dd11f7101ceff247d9cf384d474df10da4680ea9e7723ead204abbb7d2293feb1633a61943ae34b0fed50185fc3497d102e140f30bfd79163cc

Download Submit
\ProgramData\mozglue.dll

Filesize
210KB

MD5
d6b46870142780dae9e2839792103f47

SHA1
7c98af0d286efa865c6304f7780f6974c1fa7852

SHA256
e044e2f7c95cfc819925904ceb73d3fa924aa6af50ba9c7ce2dc65776e74a8a8

SHA512
93c6be6d0faa40cd0179dddb34b9498ede07424c1d023a9614bb308b9a260803cfc0bd3a557d4205d2c578edbfa6f1d0630ba7c26240190ced41788e042a967b

Download Submit
\ProgramData\nss3.dll

Filesize
89KB

MD5
2657495f0f913a9b4a4ad26c299c54a8

SHA1
6e658a00b9aab51c882fa5415f03ca60a347cb1d

SHA256
c3a881213d9c17a3de74c77e12ab6f9272c8a0eb229f5912a0fe46d0ac80213b

SHA512
b987a9055672a58dc722aa26485a927d82318f3c71e39541e151421c7433388e8f795580935e435e46b7c4384cc6ff67a5d352be5c4ee13256294d57c7ff90e2

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
570KB

MD5
2ce9e2596ce8dd25d8b6acdc92d1159b

SHA1
9d38e9e8c125c336958444a05db43d5a5ddba501

SHA256
b86b8f9e5b759e64280829c20d121a701ca2079fcf165f8a550e10c203062711

SHA512
04b48538f85357142208c14a72ea6507c719600e3ace253cf799f69309ed0410466a0e824b62f5e13be9d6b48a8f195730715d15ab6ff81984a7d9333c3e9f6d

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
440KB

MD5
fc9560434f34c3ece90a8e47c4c3014c

SHA1
3deb8b937b3278b37008cc2811a701c423ef5ce9

SHA256
2f6a233506096513da01433234e48c3037eb426f41374d4afee96bf62ad0019f

SHA512
196e91e229b984eaaf5b4f90c2210c2972ed90ffb584c381c96878295d56d85fc094bd8d7badc82c1931e4f1595deddedef44a8dea5d7226b821d3997f451cae

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
19KB

MD5
20d565e9453b5541d4659918ba64f022

SHA1
80e2792aeed22203b648edfd98ede03000f330b9

SHA256
95807a8a157d6e4a74d86e87e760bb710ab55450678e43249e5deab40dc721db

SHA512
cb9012e285745c5fb1ab9fada02e985acbe0ef6eadfd921258b8c0bf37174e2d5b0ee0c2627d76551786c4eb38308837f87f07879ad1d5bb47ef34364c4b412b

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
82KB

MD5
7659bd4a8b023956647b0b3089a559ae

SHA1
9cb758aac060f17834306b9aceea239c46b00898

SHA256
8dee4a4688116b9fe7b951ef442a4720a836c5d4d24b497051d8074e0d6706da

SHA512
1780dbd9ee09179091cb99099f51c12a43f88631af25cd577a65ec3d41ca476f0462a19168aaaaefb9031ddebd76b8b79b92df885ea2a34555fb4083e2a157c3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
168KB

MD5
c05f16c4c79855bcee8fc36658e27397

SHA1
204c70661cb25f0df5447c54e4d6316b0f4c65e1

SHA256
aceb6cc1c77926490ed3514fb35572d7abee745abdab9f52a3436b511bcf923f

SHA512
cbbc90cec8e5f41725e7135b8ac410853b5b6bb1986d99b4f9b3441edf9eb0ce70352b665e3a96adf5b9c96d0c7a7cd5364c328069b6c189a19a0be5487bb935

Download Submit
\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
535KB

MD5
3920d9a9370bc82373d3c96c375912ac

SHA1
e0acc9cf2d2e51d6c7eed63a2c59e469b6529abf

SHA256
068b946f91d4d8d3cce42e06d4d37dbc24475e10c4ae1fef9151605182166d7d

SHA512
e5202b9299b0435eb188d00ab7712d277de24d7c1393cab65725fa4402619b0d453d361f2b397a90145a58f3d36df050ace00f0c4a8e5a47c34f0af9c71daea5

Download Submit
\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
737KB

MD5
067a3b220d141374d4773f35b0cd4d35

SHA1
55604d2336f260cdf564f7645ea6a8ea3b90d073

SHA256
f878e8aa88611e28cfe8d64eb99adda7eabb870c8348d3db94e49b8c7a237f7a

SHA512
1f2e894a53835f606897c70e576b7a2a44cfddeaff6dc145de4824ec197c3b3bc3214ba8ecd5c388ea206941d51faf232d3a11eee2e9c5c3cc7c56b856d7e413

Download Submit
\Users\Admin\AppData\Local\Temp\nsd514C.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nst55A1.tmp

Filesize
190KB

MD5
9498f650a0efc004fd9616cf3982a550

SHA1
56db4c3f15f0901a18e6f9d23efd00d7de94a31d

SHA256
05220ad373db8d11233964710596d41138f88c9f4f8648759569a0a85adad0b2

SHA512
93c5aba505e82ce940b175011411471acd40e5ad931b2d9cf5bb9124a44e5b39ca2e75640facaab6746893cb690ddafe083885abdec9e13412fe0764cfe082fa

Download Submit
\Users\Admin\AppData\Local\Temp\nst55A1.tmp

Filesize
163KB

MD5
1a6decf89c2ce00d1c6ae5e7a3d0aa72

SHA1
b33b08394fd0bf2506a39950a3c282c3ddb03e15

SHA256
0a3bd312bba105f41f92c8f1c2f08aa9be350880986fa64fc4ea0f4330ced35e

SHA512
636b009f033e1996405e353272020324eb68c10b16829ce270808e58440ac7109686ae5b07a13b93a6c2315861ce502d634e64bcbf54bbe0b88d480ad8c6b1ea

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
64KB

MD5
8e5e327269a59c2f24cbca8f4fc6a169

SHA1
61dafac588c6d7ad867e3ac2c2c29fb2d3667379

SHA256
bf96f40e052c871d55af8acd6c494976aaf07dff115416db51295d97d8bc869a

SHA512
5fa2c0f73110629610488556571be703bc362d721edfba5cc358b6cdef4b40326091bd0ae0f46bb31ba50abb3caa77dab0a7696f963793007dbfe2774630fd4e

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
96KB

MD5
ace53bfcf8837e14eff672845560f2d0

SHA1
5e312c77541b11d6e64a7c4079a02384bd95136c

SHA256
eda5bd48dc0568a2ed87cb626f3bf4142010ad37561ca851ffa3201a66805a9f

SHA512
53f076ef9f8d0069d4b61b6fbcaf1bc3f3defe4a7602bb61c7af0dd2c7626873424c3eb122c670476045e6ed610a73711ac9d27cd979291fc43737a99f0456c3

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
112KB

MD5
d0e7ec9a7438a5d097b0e1ab23840999

SHA1
db86a93a47d197d6c339887c58464ee31b4871f0

SHA256
90fd47c590ac0c776ca4512ffc4dee5db1437793f6a7eaeb2eac8fd6a76c9abd

SHA512
becdf1fee4626eb00502e20a2e9031b83175970c807af1986f283f2aebb1beec6d357cd164a77dc31ec2b7c5557399459888a01cfe30d353593e2e2f475a58ba

Download Submit
\Users\Admin\AppData\Local\Temp\rty27.exe

Filesize
369KB

MD5
04d09043575b509ad237fbaaf5e36efd

SHA1
10298ff4d0908ec34a449f8967cc12eabc4e56da

SHA256
5984de213458470ca4bd9c07f0bbe713deb6fc692cfd5604f590c2461c13f685

SHA512
5d1bcca83fe338c44705c0f7c7c75add7e14ef3b75b1beb98573c88127fa445b46c2bb44ad61cee8aacb2930701b1b4657746d58862eb17869f3f92ff26f3523

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
54KB

MD5
e44530157c1da057b4e7b5df18145201

SHA1
ecb2f4cd9e10eff95010b7650d620e14be4ad1f0

SHA256
120f000a7f84bd8ff0c4d12d55d7615479ea9d20c6d55b7e95a0dce4cbb6cbfc

SHA512
297a958047e894a675e1529b6039453952d7d797e3672f4de872969d56e99650604507c044fcbec7f460ea1264afc5f5a91210de78e25251a16ae35f81e40b74

Download Submit
\Windows\rss\csrss.exe

Filesize
101KB

MD5
c10a5b29394b015ae6610316dbcc6c00

SHA1
c772d36650376a87c1c35a41943da5f70b286a3a

SHA256
92fed773d6c674d82ac9974fcd1b3548cb0f6fd7b734082da7eb0750e0bb508f

SHA512
ffbda2daf7999be696158099c6ec98c9ddb62817760d0eb0a3f109950e71ae0e2d5a6f34bfa82b1c9953867c91b803cf3b9ffcb0e075635618901aeaf2474adf

Download Submit
\Windows\rss\csrss.exe

Filesize
138KB

MD5
a9fe377aa6f06047cf188863fe45bb4c

SHA1
017086b26af1abfd297b6ffbd6d024c867d9c6f8

SHA256
bb96c77349dbff983f6eb4f9489dc33565f01104cb96b33517d699d66b7e7a02

SHA512
60a4a2ee34759f052cc60f6d2ce50bb9efa22f28c3b513d9fbf7c988b4a28bc9f247dc8c52f9a7a89500cacda096d01b8616c3781c95c48a93000884c36baa3b

Download Submit
memory/992-163-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/992-167-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/992-179-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/992-209-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/992-201-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-243-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-357-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-355-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-380-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-379-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-354-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-228-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/1780-230-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/1780-351-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/1780-366-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-377-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-358-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-302-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-375-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-360-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-369-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-368-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-364-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1856-24-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/1856-0-0x0000000000D00000-0x00000000013A6000-memory.dmp

Filesize
6.6MB

Download
memory/1856-1-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-263-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2044-253-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2516-234-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2516-56-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2516-345-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2516-346-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2516-347-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/2516-160-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2516-57-0x00000000002B0000-0x00000000002CC000-memory.dmp

Filesize
112KB

Download
memory/2516-58-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2516-227-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2572-35-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2572-213-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2572-216-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2584-17-0x00000000FF1A0000-0x00000000FF204000-memory.dmp

Filesize
400KB

Download
memory/2584-350-0x00000000035D0000-0x0000000003701000-memory.dmp

Filesize
1.2MB

Download
memory/2584-217-0x0000000002460000-0x000000000256C000-memory.dmp

Filesize
1.0MB

Download
memory/2584-218-0x00000000035D0000-0x0000000003701000-memory.dmp

Filesize
1.2MB

Download
memory/2920-38-0x0000000002900000-0x00000000031EB000-memory.dmp

Filesize
8.9MB

Download
memory/2920-37-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2920-36-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2920-157-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2920-158-0x0000000002900000-0x00000000031EB000-memory.dmp

Filesize
8.9MB

Download
memory/2920-159-0x0000000002500000-0x00000000028F8000-memory.dmp

Filesize
4.0MB

Download
memory/2920-44-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download