dcrat | e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf

Resubmissions

29-03-2024 02:23

240329-cvlj6afg22 10

25-03-2024 05:04

240325-fqgl7abf6v 10

Analysis

max time kernel
300s
max time network
301s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-03-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe
Size

231KB
MD5

1b45ceabe323a398ce7ae76de9ac33d8
SHA1

183e3c5983aacf7b8ed3b71780efb3d682b42b87
SHA256

e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf
SHA512

dc6a97ae48ccc1b1b44e2d947dd2d0405e769dec264bbf82e0b4a41ba9283ae771ce771990c6d180f8c289f7855ea68c4a64903e599579af06a66d7716d5538b
SSDEEP

3072:jgPTm64v6RZly8ZmPQWbXcbYoaR/hYw2TvWhItHgfJPs8qZvoh:Om64v++85WbQYqn7wgAfJk

Score

10^/10

dcrat glupteba smokeloader stealc zgrat backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5F90.exe	family_zgrat_v1
behavioral1/memory/2348-56-0x00000000001F0000-0x00000000006AA000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1916-95-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1916-97-0x0000000004EA0000-0x000000000578B000-memory.dmp	family_glupteba
behavioral1/memory/1636-102-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1916-100-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/1636-130-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/2528-133-0x0000000004E20000-0x000000000570B000-memory.dmp	family_glupteba
behavioral1/memory/2528-134-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/2528-258-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/2528-299-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/2528-301-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba
behavioral1/memory/2528-334-0x0000000000400000-0x0000000003130000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	288c47bbc1871b439df19ff4df68f076.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

900 netsh.exe

pid	process
900	netsh.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5F90.exe	net_reactor
behavioral1/memory/2348-56-0x00000000001F0000-0x00000000006AA000-memory.dmp	net_reactor

Deletes itself 1 IoCs

Processes:

pid process

1116

pid	process
1116

Executes dropped EXE 12 IoCs

Processes:

ADBE.exe5F90.exe4119.exeISetup4.exe288c47bbc1871b439df19ff4df68f076.exe288c47bbc1871b439df19ff4df68f076.exeu1tg.0.execsrss.exepatch.exeinjector.exeu1tg.1.exeBGIIEGIDHC.exe

pid	process
2440	ADBE.exe
2348	5F90.exe
2756	4119.exe
2356	ISetup4.exe
1916	288c47bbc1871b439df19ff4df68f076.exe
1636	288c47bbc1871b439df19ff4df68f076.exe
2920	u1tg.0.exe
2528	csrss.exe
2680	patch.exe
2276	injector.exe
2668	u1tg.1.exe
1236	BGIIEGIDHC.exe

Loads dropped DLL 32 IoCs

Processes:

regsvr32.exeWerFault.exeWerFault.exe4119.exeISetup4.exe288c47bbc1871b439df19ff4df68f076.exepatch.execsrss.exeu1tg.0.execmd.exe

pid	process
2492	regsvr32.exe
2424	WerFault.exe
2424	WerFault.exe
2424	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2196	WerFault.exe
2756	4119.exe
2756	4119.exe
2756	4119.exe
2356	ISetup4.exe
2356	ISetup4.exe
2356	ISetup4.exe
2356	ISetup4.exe
1636	288c47bbc1871b439df19ff4df68f076.exe
1636	288c47bbc1871b439df19ff4df68f076.exe
868
2680	patch.exe
2680	patch.exe
2680	patch.exe
2680	patch.exe
2680	patch.exe
2528	csrss.exe
2356	ISetup4.exe
2356	ISetup4.exe
2356	ISetup4.exe
2356	ISetup4.exe
2920	u1tg.0.exe
2920	u1tg.0.exe
2828	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\u1tg.1.exe	upx
\Users\Admin\AppData\Local\Temp\u1tg.1.exe	upx
\Users\Admin\AppData\Local\Temp\u1tg.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u1tg.1.exe	upx
C:\Users\Admin\AppData\Local\Temp\u1tg.1.exe	upx
\Users\Admin\AppData\Local\Temp\u1tg.1.exe	upx
behavioral1/memory/2668-193-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral1/memory/2668-289-0x0000000000400000-0x0000000000930000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0"	288c47bbc1871b439df19ff4df68f076.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	288c47bbc1871b439df19ff4df68f076.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

288c47bbc1871b439df19ff4df68f076.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 288c47bbc1871b439df19ff4df68f076.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Drops file in Windows directory 3 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exemakecab.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	288c47bbc1871b439df19ff4df68f076.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240325050654.cab	makecab.exe
File opened for modification	C:\Windows\rss	288c47bbc1871b439df19ff4df68f076.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2424 2440 WerFault.exe ADBE.exe
2196 2348 WerFault.exe 5F90.exe

pid	pid_target	process	target process
2424	2440	WerFault.exe	ADBE.exe
2196	2348	WerFault.exe	5F90.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u1tg.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1tg.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1tg.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2432 schtasks.exe
536 schtasks.exe

pid	process
2432	schtasks.exe
536	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.execsrss.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	288c47bbc1871b439df19ff4df68f076.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

patch.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2540 PING.EXE

pid	process
2540	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe

pid	process
2476	e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe
2476	e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116
1116

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe

pid process

2476 e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.execsrss.exe

description	pid	process
Token: SeShutdownPrivilege	1116
Token: SeShutdownPrivilege	1116
Token: SeDebugPrivilege	1916	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	1916	288c47bbc1871b439df19ff4df68f076.exe
Token: SeSystemEnvironmentPrivilege	2528	csrss.exe
Token: SeShutdownPrivilege	1116

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

pid process

1116
1116
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1116
1116
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

u1tg.1.exe

pid process

2668 u1tg.1.exe

pid	process
1116
1116

pid	process
1116
1116

pid	process
2668	u1tg.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeADBE.exe5F90.exe4119.exe288c47bbc1871b439df19ff4df68f076.execmd.exeISetup4.execsrss.exe

description	pid	process	target process
PID 1116 wrote to memory of 2540	1116		regsvr32.exe
PID 1116 wrote to memory of 2540	1116		regsvr32.exe
PID 1116 wrote to memory of 2540	1116		regsvr32.exe
PID 1116 wrote to memory of 2540	1116		regsvr32.exe
PID 1116 wrote to memory of 2540	1116		regsvr32.exe
PID 2540 wrote to memory of 2492	2540	regsvr32.exe	regsvr32.exe
PID 2540 wrote to memory of 2492	2540	regsvr32.exe	regsvr32.exe
PID 2540 wrote to memory of 2492	2540	regsvr32.exe	regsvr32.exe
PID 2540 wrote to memory of 2492	2540	regsvr32.exe	regsvr32.exe
PID 2540 wrote to memory of 2492	2540	regsvr32.exe	regsvr32.exe
PID 2540 wrote to memory of 2492	2540	regsvr32.exe	regsvr32.exe
PID 2540 wrote to memory of 2492	2540	regsvr32.exe	regsvr32.exe
PID 1116 wrote to memory of 2440	1116		ADBE.exe
PID 1116 wrote to memory of 2440	1116		ADBE.exe
PID 1116 wrote to memory of 2440	1116		ADBE.exe
PID 1116 wrote to memory of 2440	1116		ADBE.exe
PID 2440 wrote to memory of 2424	2440	ADBE.exe	WerFault.exe
PID 2440 wrote to memory of 2424	2440	ADBE.exe	WerFault.exe
PID 2440 wrote to memory of 2424	2440	ADBE.exe	WerFault.exe
PID 2440 wrote to memory of 2424	2440	ADBE.exe	WerFault.exe
PID 1116 wrote to memory of 2348	1116		5F90.exe
PID 1116 wrote to memory of 2348	1116		5F90.exe
PID 1116 wrote to memory of 2348	1116		5F90.exe
PID 1116 wrote to memory of 2348	1116		5F90.exe
PID 2348 wrote to memory of 2196	2348	5F90.exe	WerFault.exe
PID 2348 wrote to memory of 2196	2348	5F90.exe	WerFault.exe
PID 2348 wrote to memory of 2196	2348	5F90.exe	WerFault.exe
PID 2348 wrote to memory of 2196	2348	5F90.exe	WerFault.exe
PID 1116 wrote to memory of 2756	1116		4119.exe
PID 1116 wrote to memory of 2756	1116		4119.exe
PID 1116 wrote to memory of 2756	1116		4119.exe
PID 1116 wrote to memory of 2756	1116		4119.exe
PID 2756 wrote to memory of 2356	2756	4119.exe	ISetup4.exe
PID 2756 wrote to memory of 2356	2756	4119.exe	ISetup4.exe
PID 2756 wrote to memory of 2356	2756	4119.exe	ISetup4.exe
PID 2756 wrote to memory of 2356	2756	4119.exe	ISetup4.exe
PID 2756 wrote to memory of 2356	2756	4119.exe	ISetup4.exe
PID 2756 wrote to memory of 2356	2756	4119.exe	ISetup4.exe
PID 2756 wrote to memory of 2356	2756	4119.exe	ISetup4.exe
PID 2756 wrote to memory of 1916	2756	4119.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2756 wrote to memory of 1916	2756	4119.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2756 wrote to memory of 1916	2756	4119.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2756 wrote to memory of 1916	2756	4119.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 1636 wrote to memory of 3008	1636	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 1636 wrote to memory of 3008	1636	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 1636 wrote to memory of 3008	1636	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 1636 wrote to memory of 3008	1636	288c47bbc1871b439df19ff4df68f076.exe	cmd.exe
PID 3008 wrote to memory of 900	3008	cmd.exe	netsh.exe
PID 3008 wrote to memory of 900	3008	cmd.exe	netsh.exe
PID 3008 wrote to memory of 900	3008	cmd.exe	netsh.exe
PID 2356 wrote to memory of 2920	2356	ISetup4.exe	u1tg.0.exe
PID 2356 wrote to memory of 2920	2356	ISetup4.exe	u1tg.0.exe
PID 2356 wrote to memory of 2920	2356	ISetup4.exe	u1tg.0.exe
PID 2356 wrote to memory of 2920	2356	ISetup4.exe	u1tg.0.exe
PID 1636 wrote to memory of 2528	1636	288c47bbc1871b439df19ff4df68f076.exe	csrss.exe
PID 1636 wrote to memory of 2528	1636	288c47bbc1871b439df19ff4df68f076.exe	csrss.exe
PID 1636 wrote to memory of 2528	1636	288c47bbc1871b439df19ff4df68f076.exe	csrss.exe
PID 1636 wrote to memory of 2528	1636	288c47bbc1871b439df19ff4df68f076.exe	csrss.exe
PID 2528 wrote to memory of 2276	2528	csrss.exe	injector.exe
PID 2528 wrote to memory of 2276	2528	csrss.exe	injector.exe
PID 2528 wrote to memory of 2276	2528	csrss.exe	injector.exe
PID 2528 wrote to memory of 2276	2528	csrss.exe	injector.exe
PID 2356 wrote to memory of 2668	2356	ISetup4.exe	u1tg.1.exe
PID 2356 wrote to memory of 2668	2356	ISetup4.exe	u1tg.1.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe
"C:\Users\Admin\AppData\Local\Temp\e40950ff256e0db73e210062b5098fe9dd0e7ed4fdc315b4835efd7d95fcdeaf.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2476

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7465.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7465.dll
2⤵
- Loads dropped DLL
PID:2492

C:\Users\Admin\AppData\Local\Temp\ADBE.exe
C:\Users\Admin\AppData\Local\Temp\ADBE.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 124
2⤵
- Loads dropped DLL
- Program crash
PID:2424

C:\Users\Admin\AppData\Local\Temp\5F90.exe
C:\Users\Admin\AppData\Local\Temp\5F90.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 548
2⤵
- Loads dropped DLL
- Program crash
PID:2196

C:\Users\Admin\AppData\Local\Temp\4119.exe
C:\Users\Admin\AppData\Local\Temp\4119.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
"C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\u1tg.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1tg.0.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\BGIIEGIDHC.exe"
4⤵
- Loads dropped DLL
PID:2828

C:\Users\Admin\AppData\Local\Temp\BGIIEGIDHC.exe
"C:\Users\Admin\AppData\Local\Temp\BGIIEGIDHC.exe"
5⤵
- Executes dropped EXE
PID:1236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\BGIIEGIDHC.exe
6⤵
PID:1240

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:2540

C:\Users\Admin\AppData\Local\Temp\u1tg.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1tg.1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
PID:2224

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:2460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- Creates scheduled task(s)
PID:536

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:900

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2680

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2276

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240325050654.log C:\Windows\Logs\CBS\CbsPersist_20240325050654.cab
1⤵
- Drops file in Windows directory
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
433KB

MD5
00fc58fc76fc352c11c969cbc0628073

SHA1
3e167cb94038440a0e64f7441fc30ea058ec490f

SHA256
fb2cc18c0b8e7e7c20af76c6411e56f6f4eef4303359b54e44d7a50837b15b2c

SHA512
e976d5e416974c30f46b4d53265f65ef51fc6b2e03e8c124ef6cbd013450ffcf1db4142af1b22b920cd57d75e1c58a59d9dfda5acfb5058d2ee863f5125ee109

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
162KB

MD5
280984df082c73a790894e661d9a4732

SHA1
80061f2b0d35b3f1cf4c9aab87c2b47005d4cbbb

SHA256
e8458d1b4a6695cd626900a746263c5ff6a08698a79c4788b5d0d1820412c09e

SHA512
8f54bfff50b599ec45ef26953936eaa5dcc2c65f7beebb6eb42731130a14ffb79f79ef76ed3b3cca73814d977860503cc2f35e095b77025afc37eabd5fc9925f

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
3.7MB

MD5
39ba213870c4ccdc89ae3e8ba27fb6c1

SHA1
7c20c2a03c7ef040edd7333958027d4fafc29a76

SHA256
eccae8a7905b9bf9e92507b951781103eb55841f236b1c74a4b36e3c41caf700

SHA512
1848410c79b8a163776815142f96e3dbd32fbfc3f23ed10021621f7749af51b2868196fa4445318a3aaa2f99ba97a164e617c262ed698e8c9bbc60bba6b6c41d

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
1.6MB

MD5
dc322c78cfd5b7f2c7fa984cf9ef6b30

SHA1
50661eb39fac151792a3b6c41a7f392d64027809

SHA256
9f3651162b67e2e3c674f5577ed3cbff6dfd8cb9d23a01ae016f6071f872d92d

SHA512
0898a404cd217eb952b98aa4c1183da117d7a824ded7a16e325df953321339bfbda9ea79416c0d3231fc80111964b8e6df3540869e68edff3194ac687b3f87a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4119.exe
Filesize
1.9MB

MD5
575a734e93dbb1526dfad0c08d7739ca

SHA1
b07b01e3aa2087915e1509bf435a74dcc8dba51d

SHA256
53a2acbcc513bf37d8bc00dc73edeae8532005a4c3e698e494d3e04da4e20880

SHA512
b0432ffd875f424e1db8f59f72b31eef480ef77bebbd8ae68d26dfdfeb670474689d2155dbc90710523e035ed082f944f8c2c89db551d36d066d8b649cb7f68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4119.exe
Filesize
1.4MB

MD5
3fac1f27a76f7bc997dda447ae41f0a1

SHA1
b4d7beeff5d8d297b4295351595f47e14f291493

SHA256
98530a57bd984b0bc4ee5415ef96dd3fa7984f95db85d06dafc260236414c7ff

SHA512
19f3b196df7cffd07956b9b1dd5e799817cec8876423b3fdcbdc70664542588f75ac5795b30289873143fd53a020df668afe29e598fe4ad83e8a29788c4426fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5F90.exe
Filesize
4.7MB

MD5
51bbeea88f8a35343552bc5823edb988

SHA1
74f371d394fb163b0c902b373f0e7c24d2650a3c

SHA256
18df4c7693f23944649d8db601c7fe0224b229edcb461e86beaab4f23ff0f73f

SHA512
4514ac09ca64627334f3de774ec854fc6e71a235e13d68331829963ffd043d95754c9899290bf51b3fc49c86762e07e27132ad6cacf7c3e950994cf086eb1ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7465.dll
Filesize
2.2MB

MD5
e69125300a060d1eb870d352de33e4c3

SHA1
60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

SHA256
009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

SHA512
257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADBE.exe
Filesize
1.8MB

MD5
4d20cc49f30c355140ef0f54786a48c6

SHA1
68f6d5f788a6c5964e6af8760e9f5e7f98392ef1

SHA256
c5e17c2d042ad2eeb6db8cd5ddc54d055a3de781ce5b66f15c29361d0ff6406a

SHA512
5a50de61cee4cf4114de3df00ff8d01a8f049f2be73d10361a56d7fcb5222110e1353ddb5ff599a2f9e872839993fca2acb939ddc95d6685a2f53851c0236528

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGIIEGIDHC.exe
Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6598.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar72C9.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
2KB

MD5
79fcd4b65795d1a37069417575fe2e9e

SHA1
19d5933d2bfd8287f3392146ace4944b37e70a26

SHA256
b44c83c2cc091a51034881c56e8231d3cfb316b7f21a31a93738e7ab96786b36

SHA512
0478ef41c17129e629ddd02b3dea5ae40de29012a48b4e78c14dbf783a2934cfbaa67e26a75bd2f22146ba8077c776b9f5b7a85b237cc13a25510c2f06d13e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.2MB

MD5
fa9254cde8249ab5035f6e2a3d4fa0c1

SHA1
688daadb3f97bde912451251be15dcb062dac2eb

SHA256
5bbee567f2199fa24ef6460dc32613b51b2c6604e7cf275da7c8e4006a78600e

SHA512
99258c2aa8266fe6862445234e7ca66fcc5bd8f276ee4f4b081d00e0a22454f349be3867ed50ef9880f55481cf28deca55ed1e8f3cabc7922bc523521423d0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1tg.0.exe
Filesize
267KB

MD5
29cabd4d9d440e1af8fd3af62d4d212d

SHA1
6934c91a6d08028cbab84d48e9dc95bf3d347d57

SHA256
65489577655b65796c1d6d285b3f8ff7f557150339a67e3fbeaef96ea0e9e365

SHA512
938620f4e91bcac57f6b6fd4be4cc2355b27ddc33e90217ae5415aa3c87ae37176f330d0d2e5d5da78bf0edd92c1a8a42b5d0d50a21b2f3ef7021963899742d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1tg.1.exe
Filesize
481KB

MD5
2dfed1156ee607cd3584694513a81643

SHA1
4156616d84000d4ea252927318d8a079fae15a09

SHA256
cd1669bfb528b33d730ad1f7f96dde027e4170dbb0d7d0962e9c20c09c636c5e

SHA512
23f48c67a19358418d2c5b12e01376397663237c75be824cc73eb681ad0ade6cddac231289dfcdde6f1b1b586869f272935895a8edd7b1157b376823a0062c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1tg.1.exe
Filesize
382KB

MD5
aea584052be685692c61798414ef180f

SHA1
118974d77b61f15302c5eb000d30878706e95d26

SHA256
0f6554f2b2f9b6734b615fce3a9c5abe1dd9fd4aef5670fef911664cbfefb45e

SHA512
726cb24d0a789bf79843d2b6e68ddfaeb3a5f6f2fd06e1d3e5a8fd79fa81d67c72afaa046ad5ec2d578aaba141448a79c5c04c81489be86df1cefe331c3ff1ab

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.6MB

MD5
1436fd223b42bdd1724c9c9e5b9fb430

SHA1
027c85cfd8399ae1c19f10f0f1ef9e5aa6330aca

SHA256
cbd06bd46606c48b7fe0b49aa9c5cfeac3182a5d8ad53cd1ec896583fbb7b93d

SHA512
71762126b6ed3b2b5d87715062419bdb193de96fd917ba5fe0cd55489632534d4a0c529207328beaa04509b6849bddbbfbfe4c9b9ccb8db5201d25a64bef8291

Download Submit
C:\Windows\rss\csrss.exe
Filesize
435KB

MD5
5e0a6df1d96d252c856b6e95359bc823

SHA1
e7db793891ae74b2fd3159c7fa258166b6ee6c47

SHA256
9f8931ca6042f3dc928da2aaca7258d2afd411c3548d5c366cbd65d2abb2912d

SHA512
2b34a17609d98ecc60d38a00ef331c8f81458d29c1b8e4dd7484c6de58a0fb60780c6a78976f2441e643c67195ca3e85e9a09bb0356ff249cd5bbd75019cc799

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Filesize
4.2MB

MD5
43b4b9050e5b237de2d1412de8781f36

SHA1
125cd51af3ca81d4c3e517b8405b9afae92b86f2

SHA256
97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

SHA512
24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

Download Submit
\Users\Admin\AppData\Local\Temp\ADBE.exe
Filesize
2.3MB

MD5
038f01c7ab34d20394b657ce5d5f3152

SHA1
7f82fb84c6c0aff1012675d48ba95b0558d3230f

SHA256
28119987147a63910d12662c2008089f85571817695dcd443d02303d52479c55

SHA512
4e0e25bfabb8882b58341205ee60f3f5dd83a9b93518aa3badd433b784531244fcc9bb07981461a6a382dbd2d1c4de211731156f8768f7cc8e61e0a7c0689a86

Download Submit
\Users\Admin\AppData\Local\Temp\ADBE.exe
Filesize
960KB

MD5
401d4de4d2dcdbcb90b74750d55db7b5

SHA1
6bc3426f685c989241e6adc3b764e73016545a1f

SHA256
ecd387bd32829c5ef0931469bc0690372a5b1caa26e359be47ecf667c2325b08

SHA512
288ca6c6218c7180d57a3342f819225a9d060acc662bfa15ad189ca7efde2fad9ed14437bb4a2773526985975a68a6567a1a62ae766a485640db6cd0c30805c0

Download Submit
\Users\Admin\AppData\Local\Temp\ISetup4.exe
Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.3MB

MD5
3df04147934c5788d720b57a64a1335b

SHA1
7fe3a81ea5883d2dc4d604d333ce465359d39a52

SHA256
b6205394a8ccda4aa1d723271752ec73944eae73bca8d2406143b95efa8ed155

SHA512
d539dc353db37e4ef13defaa13f670f8a6c67cc4c7d7872e605d5b63cfb8e69102558df35fff3ad50776cdb8c79bf64256f627f11f59f3644b3c8cbbd8b0cb28

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.2MB

MD5
f591a620a5abe4aa699c3726ec54f471

SHA1
29e32d9cda296a6e58a552e4e4207bd073b072ee

SHA256
2e0c1f23141fe24c1bb7f76274fcdda64cea78aea70687aed2da9f83420594f3

SHA512
4c1d144b705ed0436f682a1c4d7d4705a562456b80cf8d04b39e182aa516cbe18e4f05260a6c04679a6394ef5a865d75e9141407d78fec7e7f8642516f38a3df

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
824KB

MD5
ef20ec3f986097b895351bbd97775cd2

SHA1
8d77706632917735328205579e05a0918491b2d0

SHA256
767024a216314106769b9d540862cd65c6412a968cb4c56ebf2315426b571cba

SHA512
5f9f9cd28428291c323b18e6dd3564fc96a2ae9df8fb0aa0b2580a7e226eb4482963495e021154e89ca0a2faf636a6cced870f69ef23826693ca37dc61e1a7b0

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
909KB

MD5
bbbe43be902d7e0b99225618642b63fd

SHA1
2eff0c364d9ebe38f26d80cd5a9e0e313a988e80

SHA256
b07bfdb2ad80fb5a674145b35b2ce3aed787df29c2aa91ed7249c265a7588497

SHA512
1dd567ed81ace81b8c3d4f98d114f3d179a5f90b683374640e64a70f24a91048a13853a3d429b4dd63a6e0cd100df20941425924f5d0bd2dc15d90c1ef870c86

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\AppData\Local\Temp\u1tg.1.exe
Filesize
458KB

MD5
31a50f4547f88f9e2badbc5c17e55444

SHA1
d1da20a85fffc33c27d5e568ca70c851bc00171c

SHA256
d10c063c13c973a8898ffd9768ed0b1e8b1c7dde789ce301ed5781a5241d6ff7

SHA512
542a1dd47fa501d6c0339a732f65f987542e7dfc73f497b8ab2b320d6d5f25712debd8d3793e68facca3035bdd95e4f14d1248bbcea7a2de60dad5f65a341cb3

Download Submit
\Users\Admin\AppData\Local\Temp\u1tg.1.exe
Filesize
639KB

MD5
a8971d21779ce66ecf6ec6e7fcaca629

SHA1
f418b555abfd6369f093fa102e167a01c5587534

SHA256
020f84ee0b2edbd541349eec939d5950033401699a4c8cb3f25e11bb0786a884

SHA512
50c825d426d51660bf4ef0f829905c87a190e26c2eaaf248861d6beb8ff4df19343317f946d0e7059f575e9339e44559232c42878d464ad7d9406442c43989a8

Download Submit
\Users\Admin\AppData\Local\Temp\u1tg.1.exe
Filesize
658KB

MD5
a91b500dc5956364582df04e04989b80

SHA1
ae24918dea61035bf55d14ce072a3d340bbc57c7

SHA256
37353f6745a2f3ff4602d9502266aa7ddfa7ebca18711ff41dba80e1826f766e

SHA512
f66e5a6d2a543ff1c36b415667868928ee48e278659211eac4d44ed3951ee9367b1b23a0de15e8f52abd487de231698cf7b37671ceb1d8b57b89de3a2c5fbf78

Download Submit
\Users\Admin\AppData\Local\Temp\u1tg.1.exe
Filesize
504KB

MD5
9a8e31c3cdec30368b6302f9c1088ebc

SHA1
ec7cea15a247a097fa72ff99151aee921311750f

SHA256
37824fb05dacf0d7b2be02b485f21108fad97b123cf399231fb51f1256a97474

SHA512
e42d70b4cdfdb305402144a8528104076832ae0baff4772fa7fa1b041c516fa36b69b80ca7c5f27e279ed95659819929244756cb2adb06e28764ee54434cdd21

Download Submit
\Windows\rss\csrss.exe
Filesize
1.1MB

MD5
0c542374c6633c8265088c86cfc4bf3d

SHA1
ffa037b119718123b769c6cf05a9759b51dde2a9

SHA256
d469c41d6235fe40aaaac404cf8d7cb1e8cea6ef42ca5b6b6894ff88ed5414e2

SHA512
c03f2d4334520ca3a112c3cba3152cf6d24d2af37d5b8dd7338c12600a0ae7795599436840a9939d4da114c760646c51f833b184b59aeb8cc1bec7478c82980a

Download Submit
\Windows\rss\csrss.exe
Filesize
1.2MB

MD5
458d716886a6a4e3ea509ca4d8241abd

SHA1
9ba14c65ae12f0589d5e566ceafc928b00f1d973

SHA256
15f48f756557a0f8da22498973090790ae13acfcdbd04ffad11c513adabfc47f

SHA512
cf6543f071b3f0fe5a921654e5aa2b027fee48d5ad04c97df8a010ac7eca76031d6dbae1ca5bc98e9cfaf9b99b0eacc88c146ee88926f877bc6c11c52cb75098

Download Submit
memory/1116-4-0x0000000002DA0000-0x0000000002DB6000-memory.dmp

Filesize
88KB

Download
memory/1236-352-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1236-353-0x0000000000C00000-0x0000000000C40000-memory.dmp

Filesize
256KB

Download
memory/1236-355-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1236-351-0x00000000013E0000-0x0000000001400000-memory.dmp

Filesize
128KB

Download
memory/1636-99-0x0000000004980000-0x0000000004D78000-memory.dmp

Filesize
4.0MB

Download
memory/1636-101-0x0000000004980000-0x0000000004D78000-memory.dmp

Filesize
4.0MB

Download
memory/1636-102-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1636-130-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1916-95-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1916-96-0x0000000004AA0000-0x0000000004E98000-memory.dmp

Filesize
4.0MB

Download
memory/1916-97-0x0000000004EA0000-0x000000000578B000-memory.dmp

Filesize
8.9MB

Download
memory/1916-100-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/1916-89-0x0000000004AA0000-0x0000000004E98000-memory.dmp

Filesize
4.0MB

Download
memory/2348-56-0x00000000001F0000-0x00000000006AA000-memory.dmp

Filesize
4.7MB

Download
memory/2348-59-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2348-57-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2356-191-0x0000000006230000-0x0000000006760000-memory.dmp

Filesize
5.2MB

Download
memory/2356-192-0x0000000006230000-0x0000000006760000-memory.dmp

Filesize
5.2MB

Download
memory/2356-93-0x0000000000400000-0x0000000002D72000-memory.dmp

Filesize
41.4MB

Download
memory/2356-186-0x0000000000400000-0x0000000002D72000-memory.dmp

Filesize
41.4MB

Download
memory/2356-190-0x0000000006230000-0x0000000006760000-memory.dmp

Filesize
5.2MB

Download
memory/2356-91-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/2356-92-0x0000000000250000-0x00000000002BF000-memory.dmp

Filesize
444KB

Download
memory/2356-189-0x0000000006230000-0x0000000006760000-memory.dmp

Filesize
5.2MB

Download
memory/2356-187-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/2356-155-0x0000000000400000-0x0000000002D72000-memory.dmp

Filesize
41.4MB

Download
memory/2440-31-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2440-28-0x0000000000BA0000-0x0000000000F37000-memory.dmp

Filesize
3.6MB

Download
memory/2476-1-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2476-7-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2476-2-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2476-3-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2476-5-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/2492-23-0x00000000028B0000-0x00000000029B8000-memory.dmp

Filesize
1.0MB

Download
memory/2492-39-0x00000000029C0000-0x0000000003672000-memory.dmp

Filesize
12.7MB

Download
memory/2492-44-0x0000000003780000-0x0000000003877000-memory.dmp

Filesize
988KB

Download
memory/2492-41-0x0000000003780000-0x0000000003877000-memory.dmp

Filesize
988KB

Download
memory/2492-46-0x0000000058630000-0x0000000058680000-memory.dmp

Filesize
320KB

Download
memory/2492-40-0x0000000003680000-0x000000000377A000-memory.dmp

Filesize
1000KB

Download
memory/2492-16-0x00000000000E0000-0x00000000000E6000-memory.dmp

Filesize
24KB

Download
memory/2492-38-0x00000000028B0000-0x00000000029B8000-memory.dmp

Filesize
1.0MB

Download
memory/2492-34-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/2492-20-0x00000000028B0000-0x00000000029B8000-memory.dmp

Filesize
1.0MB

Download
memory/2492-45-0x00000000000F0000-0x0000000000102000-memory.dmp

Filesize
72KB

Download
memory/2492-15-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/2492-19-0x0000000002780000-0x00000000028A3000-memory.dmp

Filesize
1.1MB

Download
memory/2528-134-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/2528-334-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/2528-133-0x0000000004E20000-0x000000000570B000-memory.dmp

Filesize
8.9MB

Download
memory/2528-132-0x0000000004A20000-0x0000000004E18000-memory.dmp

Filesize
4.0MB

Download
memory/2528-301-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/2528-131-0x0000000004A20000-0x0000000004E18000-memory.dmp

Filesize
4.0MB

Download
memory/2528-299-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/2528-258-0x0000000000400000-0x0000000003130000-memory.dmp

Filesize
45.2MB

Download
memory/2668-193-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2668-289-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/2668-324-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2668-194-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2680-160-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2680-141-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2756-90-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-70-0x0000000000A10000-0x0000000000EC0000-memory.dmp

Filesize
4.7MB

Download
memory/2756-71-0x0000000073910000-0x0000000073FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2920-120-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2920-333-0x0000000000400000-0x0000000000AEC000-memory.dmp

Filesize
6.9MB

Download
memory/2920-300-0x0000000000400000-0x0000000000AEC000-memory.dmp

Filesize
6.9MB

Download
memory/2920-346-0x0000000000C40000-0x0000000000D40000-memory.dmp

Filesize
1024KB

Download
memory/2920-260-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2920-121-0x0000000000400000-0x0000000000AEC000-memory.dmp

Filesize
6.9MB

Download
memory/2920-259-0x0000000000C40000-0x0000000000D40000-memory.dmp

Filesize
1024KB

Download
memory/2920-349-0x0000000000400000-0x0000000000AEC000-memory.dmp

Filesize
6.9MB

Download
memory/2920-257-0x0000000000400000-0x0000000000AEC000-memory.dmp

Filesize
6.9MB

Download
memory/2920-119-0x0000000000C40000-0x0000000000D40000-memory.dmp

Filesize
1024KB

Download