Analysis
-
max time kernel
139s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system -
submitted
17/03/2025, 02:47
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe
Resource
win7-20241010-en
windows7-x64
29 signatures
150 seconds
General
-
Target
53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe
-
Size
167KB
-
MD5
0d792b22e6631e0aa21d806ab41ca262
-
SHA1
0248a68fe072e51d80a125bb687bb52555cee59a
-
SHA256
53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a
-
SHA512
ae0337dd76c017809a0ee78dd3ac067c8a9c9f94e9a8a9d4dbf929d7614cc8ac39b9d86607d704b553225fc9c2c459c38f550d27ef416095434c0b68c6997efd
-
SSDEEP
3072:/Lk39+hYXJxDf1uP5a+YS0otaQ9mEUG7fIhF1+QGHVLi4Tn7Kx8zynfIuDpkos:/QvHDf1uE9msQ9mEJ4zq1e43Kx8zcfIz
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Banload family
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
Sality family
-
UAC bypass 3 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
Windows security bypass 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GLWorker.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GLWorker.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ GLWorker.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 2 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GLWorker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate GLWorker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GLWorker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate GLWorker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion GLWorker.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate GLWorker.exe -
Executes dropped EXE 9 IoCs
pid Process 6032 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4628 toasterinstaller.exe 2448 GamesManager.exe 2284 GamesManager.exe 5712 GamesManager.exe 4056 GLWorker.exe 2992 GLWorker.exe 1652 GLWorker.exe -
Loads dropped DLL 64 IoCs
pid Process 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 6032 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 7 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe File opened (read-only) \??\G: 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe File opened (read-only) \??\H: 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe File opened (read-only) \??\I: 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
resource yara_rule behavioral2/memory/640-1-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-4-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-8-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-9-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-15-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-16-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-12-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-5-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-3-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-28-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-29-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-30-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-32-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-31-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-34-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-35-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-36-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-41-0x0000000002390000-0x000000000341E000-memory.dmp upx behavioral2/memory/640-56-0x0000000002390000-0x000000000341E000-memory.dmp upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GamesManagerInstaller.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GamesManagerInstaller.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GamesManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GamesManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GamesManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GLWorker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language toasterinstaller.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GLWorker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GLWorker.exe -
Modifies registry class 58 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\xRCxvljnFg = "DPoRzOZpGnJYL@\\XtF|ZBem\\Z" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\rzmtbwpaii = "xehwWv|uYtaEaQ[}NYpiB" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\msMzcrV = "_Sqj]^]gJB{KaV}cuRd|AEoLMtXP" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\InProcServer32\ = "C:\\Windows\\SysWOW64\\MbaeApi.dll" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\tkXZ = "\x7fN^@x^bvygQBvyvSJHFCGTjX" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\PPoIlsbgcJ = "Y@@gDc`}Dt_A`qjJRmx" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\ytbyyqqSbu = "ROTRJcSJ\\q|{[`Y~\\uBfKPZVPhT" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\msMzcrV = "_Sqj]^]gJB{KaV}ctRd|AEdLdl[d" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\rzmtbwpaii = "xehwWv|uYtaEaQ[}NYpiB" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\PPoIlsbgcJ = "Y@@gDc@}Dt_A`qJJRmx" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\ugFo = "cCFDJY\x7fio\\KtL}fd" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\ugFo = "~pWRwyG]WR`si\x7fYO" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\xRCxvljnFg = "Z}~xoeDMbQYrE^OCjuXtLEho~" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\msMzcrV = "qeBV~ctipWd~QAj^KBpfzVAfrXzP" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\ = "CCellularExternalEventHelper" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\SNoeZhdoco = "jT\x7feiE\x7ftHLOdL~Z\x7fYxaK" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\msMzcrV = "qeBV~ctipWd~QAj^HBpfzVCL@UVp" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\ytbyyqqSbu = "FyNq\\wObtkV\x7fkGHbUpk^NzMfTP^" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\msMzcrV = "_Sqj]^]gJB{KaV}cqRd|AEfTSw@l" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\qrlhgvmF = "MvsUDicwuBwQwo\\dUlq\x7fVsw" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\xRCxvljnFg = "DPoRzOZpGnJYL@\\XtF|ZBem\\Z" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\msMzcrV = "qeBV~ctipWd~QAj^ABpfzVNxRWiP" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\ytbyyqqSbu = "FyNq\\wObtkV\x7fkGHbUpk^NzMfTP^" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\PPoIlsbgcJ = "EmhPJ}uCwMgzyrfxsh{" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\msMzcrV = "_Sqj]^]gJB{KaV}cwRd|AElWfgHP" GLWorker.exe Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649} GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\tkXZ = "GeilkUsHGNZQ_uuNfwLa`{|t" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\msMzcrV = "qeBV~ctipWd~QAj^JBpfzVJf[@yd" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\rzmtbwpaii = "ZCUlSNnV\\w`I_ZjpkIUkH" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\PPoIlsbgcJ = "Y@@gDcP}Dt_A`qZJRmx" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\msMzcrV = "_Sqj]^]gJB{KaV}czRd|AEbJZ`PX" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\qrlhgvmF = "MvsUDicwuBwQwo\\dUlq\x7fVsw" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\msMzcrV = "_Sqj]^]gJB{KaV}cxRd|AEk`Au\x7fL" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\ugFo = "cCFDJY\x7fio\\KtL}fd" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\InProcServer32\ThreadingModel = "Both" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\PPoIlsbgcJ = "EmhPJ}eCwMgzyrvxsh{" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\msMzcrV = "qeBV~ctipWd~QAj^EBpfzVG`LTql" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\qrlhgvmF = "MxMXarDOFUTg{ifZE|p\x7fGxv" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\PPoIlsbgcJ = "Y@@gDcP}Dt_A`qZJRmx" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\msMzcrV = "qeBV~ctipWd~QAj^FBpfzVO{N_bX" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\xRCxvljnFg = "Z}~xoeDMbQYrE^OCjuXtLEho~" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\msMzcrV = "_Sqj]^]gJB{KaV}c{Rd|AEiJsxSl" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\msMzcrV = "qeBV~ctipWd~QAj^GBpfzVD{gGal" GLWorker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85} GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\ugFo = "~pWRwyG]WR`si\x7fYO" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\PPoIlsbgcJ = "EmhPJ}eCwMgzyrvxsh{" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\tkXZ = "\x7fN^@x^bvygQBvyvSJHFCGTjX" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\msMzcrV = "_Sqj]^]gJB{KaV}cvRd|AEgWO\x7fKd" GLWorker.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\InProcServer32 GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\PPoIlsbgcJ = "EmhPJ}UCwMgzyrFxsh{" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\rzmtbwpaii = "ZCUlSNnV\\w`I_ZjpkIUkH" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\ytbyyqqSbu = "ROTRJcSJ\\q|{[`Y~\\uBfKPZVPhT" GLWorker.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{047BE818-8D8D-8851-38DB-E3ECADF6FC85}\SNoeZhdoco = "jT\x7feiE\x7ftHLOdL~Z\x7fYxaK" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\SNoeZhdoco = "\\PCkyKnuqik^gG`M\\SfI" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\tkXZ = "GeilkUsHGNZQ_uuNfwLa`{|t" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\msMzcrV = "qeBV~ctipWd~QAj^DBpfzVL`eLrX" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\qrlhgvmF = "MxMXarDOFUTg{ifZE|p\x7fGxv" GLWorker.exe Set value (str) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\{6A46BC7E-D638-13D1-B2E4-0060975B8649}\SNoeZhdoco = "\\PCkyKnuqik^gG`M\\SfI" GLWorker.exe -
Modifies system certificate store 2 TTPs 18 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a GamesManager.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f7e00000001000000080000000080c82b6886d7017f000000010000000c000000300a06082b060105050703031d000000010000001000000052135310639a10f77f886b229b9f7afc1400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab553000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d0020004700320000000f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa42000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba GamesManager.exe Key created \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 GamesManager.exe Set value (data) \REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc5c000000010000000400000000080000180000000100000010000000fd960962ac6938e0d4b0769aa1a64e265900000001000000160000005200530041002f0053004800410032003500360000004b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c GamesManager.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 5c000000010000000400000000080000190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e650040000000100000010000000324a4bbbc863699bbe749ac6dd1d46242000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba GamesManager.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 GamesManager.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a GamesManager.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd GamesManager.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid Process 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4620 GamesManagerInstaller.exe 4628 toasterinstaller.exe 4628 toasterinstaller.exe 4628 toasterinstaller.exe 4628 toasterinstaller.exe 4628 toasterinstaller.exe 4628 toasterinstaller.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe Token: SeDebugPrivilege 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2448 GamesManager.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2448 GamesManager.exe -
Suspicious use of WriteProcessMemory 44 IoCs
description pid Process procid_target PID 640 wrote to memory of 784 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 9 PID 640 wrote to memory of 788 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 10 PID 640 wrote to memory of 1016 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 13 PID 640 wrote to memory of 2652 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 46 PID 640 wrote to memory of 2864 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 50 PID 640 wrote to memory of 3060 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 51 PID 640 wrote to memory of 3484 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 56 PID 640 wrote to memory of 3632 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 57 PID 640 wrote to memory of 3800 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 58 PID 640 wrote to memory of 3944 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 59 PID 640 wrote to memory of 4024 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 60 PID 640 wrote to memory of 3652 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 61 PID 640 wrote to memory of 4148 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 62 PID 640 wrote to memory of 5192 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 65 PID 640 wrote to memory of 3648 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 77 PID 640 wrote to memory of 3104 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 82 PID 640 wrote to memory of 5856 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 83 PID 640 wrote to memory of 6032 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 88 PID 640 wrote to memory of 6032 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 88 PID 640 wrote to memory of 6032 640 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe 88 PID 6032 wrote to memory of 4620 6032 GamesManagerInstaller.exe 89 PID 6032 wrote to memory of 4620 6032 GamesManagerInstaller.exe 89 PID 6032 wrote to memory of 4620 6032 GamesManagerInstaller.exe 89 PID 4620 wrote to memory of 4628 4620 GamesManagerInstaller.exe 90 PID 4620 wrote to memory of 4628 4620 GamesManagerInstaller.exe 90 PID 4620 wrote to memory of 4628 4620 GamesManagerInstaller.exe 90 PID 4620 wrote to memory of 2448 4620 GamesManagerInstaller.exe 91 PID 4620 wrote to memory of 2448 4620 GamesManagerInstaller.exe 91 PID 4620 wrote to memory of 2448 4620 GamesManagerInstaller.exe 91 PID 2448 wrote to memory of 2284 2448 GamesManager.exe 93 PID 2448 wrote to memory of 2284 2448 GamesManager.exe 93 PID 2448 wrote to memory of 2284 2448 GamesManager.exe 93 PID 2448 wrote to memory of 5712 2448 GamesManager.exe 98 PID 2448 wrote to memory of 5712 2448 GamesManager.exe 98 PID 2448 wrote to memory of 5712 2448 GamesManager.exe 98 PID 2448 wrote to memory of 4056 2448 GamesManager.exe 99 PID 2448 wrote to memory of 4056 2448 GamesManager.exe 99 PID 2448 wrote to memory of 4056 2448 GamesManager.exe 99 PID 2448 wrote to memory of 2992 2448 GamesManager.exe 100 PID 2448 wrote to memory of 2992 2448 GamesManager.exe 100 PID 2448 wrote to memory of 2992 2448 GamesManager.exe 100 PID 2448 wrote to memory of 1652 2448 GamesManager.exe 101 PID 2448 wrote to memory of 1652 2448 GamesManager.exe 101 PID 2448 wrote to memory of 1652 2448 GamesManager.exe 101 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:784
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:1016
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2652
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2864
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3060
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe"C:\Users\Admin\AppData\Local\Temp\53a1eebbb64c49252cd29f5bf5b3d652c73ad7bf3116bbd1e17d1e1fa36c863a.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Downloads MZ/PE file
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:640 -
C:\Users\Admin\AppData\Local\Temp\nsu856D.tmp\GamesManagerInstaller.exe"C:\Users\Admin\AppData\Local\Temp\nsu856D.tmp\GamesManagerInstaller.exe" -installer.createiwinshortcuts=yes -config.channel=20000004 -config.uri=https://gm.download-free-games.com/ -config.channelName=DFG -config.iwinrequest="PF/2484398696830592063/game-11-islands-story-of-love/47/0"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6032 -
C:\Users\Admin\AppData\Local\Temp\GMInstaller\GamesManagerInstaller.exe"C:\Users\Admin\AppData\Local\Temp\GMInstaller\GamesManagerInstaller.exe" -installer.logstartsent=true -config.channel=20000004 -config.uri="https://gm.download-free-games.com/" -config.channelName="DFG" -config.sku=FIRST_INSTALL -installer.createshortcutswithname="Download Free Games" -autoupdate=1 -config.iwinrequest="PF/2484398696830592063/game-11-islands-story-of-love/47/0"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4620 -
C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\toasterinstaller.exe"C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\toasterinstaller.exe" /S --no-desktop-shortcut5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4628
-
-
C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\GamesManager.exe"C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\GamesManager.exe" -config.uri=https://gm.download-free-games.com/ -config.channel="20000004" -config.sku="FIRST_INSTALL" -config.iwinrequest="PF/2484398696830592063/game-11-islands-story-of-love/47/0"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\GamesManager.exe"C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\GamesManager.exe" --type=renderer --no-sandbox --service-pipe-token=AAA5268F8D17C01782BEA76E6520A391 --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) Chromium/61.0.0.0 Chrome/61.0.0.0 Version/3.9.6.635 GamesManager/3.9.6.635 20000004 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=AAA5268F8D17C01782BEA76E6520A391 --renderer-client-id=2 --mojo-platform-channel-handle=2840 /prefetch:16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2284
-
-
C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\GamesManager.exe"C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\GamesManager.exe" --type=renderer --no-sandbox --service-pipe-token=7DF11A39695A3D43D81864877787CC30 --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager_iWin_DFG\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) Chromium/61.0.0.0 Chrome/61.0.0.0 Version/3.9.6.635 GamesManager/3.9.6.635 20000004 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=7DF11A39695A3D43D81864877787CC30 --renderer-client-id=3 --mojo-platform-channel-handle=3320 /prefetch:16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5712
-
-
C:\Users\Admin\AppData\Local\UGMgames\20000004\game-11-islands-story-of-love\game-11-islands-story-of-love\GLWorker.exeC:\Users\Admin\AppData\Local\UGMgames\20000004\game-11-islands-story-of-love\game-11-islands-story-of-love\GLWorker.exe ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid24843987080027212816⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4056
-
-
C:\Users\Admin\AppData\Local\UGMgames\20000004\game-11-islands-story-of-love\game-11-islands-story-of-love\GLWorker.exeC:\Users\Admin\AppData\Local\UGMgames\20000004\game-11-islands-story-of-love\game-11-islands-story-of-love\GLWorker.exe ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid24843987080027212816⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2992
-
-
C:\Users\Admin\AppData\Local\UGMgames\20000004\game-11-islands-story-of-love\game-11-islands-story-of-love\GLWorker.exeC:\Users\Admin\AppData\Local\UGMgames\20000004\game-11-islands-story-of-love\game-11-islands-story-of-love\GLWorker.exe ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid24843987080027212816⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3632
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3800
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3944
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4024
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3652
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4148
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:5192
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:3648
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca1⤵PID:3104
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:5856
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Subvert Trust Controls
1Install Root Certificate
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.7MB
MD5a6459cb0905d774983ee0fe1320d6d13
SHA15e62f1b56fb76f95f7f9d08c2a47506314d32f67
SHA256e70670dac2ce844ae9828b20f3349b5c25eb8a05d39c1be5dc867e27f474c26a
SHA512ba61dc7ea1c2763411f1df3b77e1c1769dd59fa4bbed2e51a8a38b0d64e7a0215d463f267757ad45c95c3e4711427bdb522ceb7dcb1243e6b82c233ca016157f
-
Filesize
3KB
MD51cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA10b9519763be6625bd5abce175dcc59c96d100d4c
SHA2569be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA5127acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f
-
Filesize
25KB
MD5e7ebd034dacf96fcc0c7a35c62477d21
SHA1cd372d0607d94b48ac84a1738ed434df4d882f22
SHA256dc84aa66f398781fe76eecf90fc6613f729076552d4b268269228b754bfd70d2
SHA512df367b39c7c62ba2df1d50cbe3dbc97a7a2719fae7684330b4df971f0742c3447f0beb2d295a206522bbce6fbd0053d188d159f7236b6953d35cbf51aecc1bf3
-
Filesize
14KB
MD5a5f8399a743ab7f9c88c645c35b1ebb5
SHA1168f3c158913b0367bf79fa413357fbe97018191
SHA256dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9
SHA512824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977
-
Filesize
11KB
MD5c17103ae9072a06da581dec998343fc1
SHA1b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
-
Filesize
11KB
MD5bf712f32249029466fa86756f5546950
SHA175ac4dc4808ac148ddd78f6b89a51afbd4091c2e
SHA2567851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af
SHA51213f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4
-
Filesize
4KB
MD5f0438a894f3a7e01a4aae8d1b5dd0289
SHA1b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA25630c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
-
Filesize
32.0MB
MD5082498c717b542a12971c37ca63375ec
SHA18ff2a9b3a7e4d82e3f6ffa00dd0e88f41dbac826
SHA2560581c5c9550456d2be8c9d03576d2af73a97e0686ab0ba88e3c1bd8ccd7f7a16
SHA5122005e2ee9e730951b5977eacc1e2d985a015dbfd544291a0fac5b2cb4e02198bf6b573fad8c1949b34747fe55042f49048b73493bc2ba12edb5985c33c27dd54