dcrat | 473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
28-09-2023 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe
Size

269KB
MD5

d8352cbc2d1768cd64d5700d09b3118d
SHA1

c6791c5be07e06e18ea685c7407975682cf918df
SHA256

473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7
SHA512

0b41b8e3372affdeda356c9918946cc2c8f479e6c37c90590dfbab990773cff67fc11893ded0caf84f2264fcc525885800a776f3401e16f2d182f4a354ac21fc
SSDEEP

6144:2QBctlMQMY6Vo++E0R6gFAOQyhzTkSsSXg35:2QGtiQMYlXavlz35

Malware Config

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

redline

Botnet

YT LOGS CLOUD

176.123.4.46:33783

Attributes

auth_value
f423cd8452a39820862c1ea501db4ccf

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

fabookie

http://app.nnnaajjjgc.com/check/safe

Signatures

DcRat 3 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Processes:

AppLaunch.exeschtasks.exeschtasks.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe
2984 schtasks.exe
2368 schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
2984	schtasks.exe
2368	schtasks.exe

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2236-362-0x0000000003560000-0x0000000003691000-memory.dmp	family_fabookie
behavioral1/memory/2236-380-0x0000000003560000-0x0000000003691000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1844-168-0x0000000004840000-0x000000000512B000-memory.dmp	family_glupteba
behavioral1/memory/1844-179-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1844-330-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1844-355-0x0000000004840000-0x000000000512B000-memory.dmp	family_glupteba
behavioral1/memory/1844-357-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1844-358-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1844-375-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/1844-376-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2472-381-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2472-392-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2020-408-0x00000000045B0000-0x0000000004E9B000-memory.dmp	family_glupteba
behavioral1/memory/2020-410-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2020-414-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2020-443-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2020-483-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2020-490-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba
behavioral1/memory/2020-512-0x0000000000400000-0x000000000298D000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\BCC2.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\BCC2.exe	family_redline
behavioral1/memory/968-174-0x0000000000F50000-0x0000000000FAA000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2388	bcdedit.exe
528	bcdedit.exe
1768	bcdedit.exe
1268	bcdedit.exe
1700	bcdedit.exe
968	bcdedit.exe
1028	bcdedit.exe
1624	bcdedit.exe
2516	bcdedit.exe
1948	bcdedit.exe
1344	bcdedit.exe
1744	bcdedit.exe
1616	bcdedit.exe
1740	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

2940 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
2940	netsh.exe

Executes dropped EXE 29 IoCs

Processes:

8B8D.exex4835485.exe8EB9.exex5615539.exex1377404.exeg8676483.exe9447.exe9B0B.exe9F70.exeB072.exess41.execonhost.exe31839b57a4f11171d6abc8bbc4451ee4.exekos1.exetoolspub2.exeBCC2.exeTrustedInstaller.exeset16.exekos.exeis-J9CTK.tmppreviewer.exepreviewer.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exepatch.exeinjector.exedsefix.exewindefender.exewindefender.exe

pid	process
2732	8B8D.exe
2712	x4835485.exe
2760	8EB9.exe
2452	x5615539.exe
2440	x1377404.exe
2636	g8676483.exe
1936	9447.exe
2520	9B0B.exe
1312	9F70.exe
992	B072.exe
2236	ss41.exe
2092	conhost.exe
1844	31839b57a4f11171d6abc8bbc4451ee4.exe
2992	kos1.exe
2864	toolspub2.exe
968	BCC2.exe
544	TrustedInstaller.exe
2156	set16.exe
1584	kos.exe
1184	is-J9CTK.tmp
2768	previewer.exe
1140	previewer.exe
2472	31839b57a4f11171d6abc8bbc4451ee4.exe
2020	csrss.exe
1904	patch.exe
396	injector.exe
2476	dsefix.exe
2432	windefender.exe
2152	windefender.exe

Loads dropped DLL 64 IoCs

Processes:

8B8D.exex4835485.exex5615539.exex1377404.exeWerFault.exeg8676483.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeB072.execonhost.exekos1.exeset16.exeis-J9CTK.tmppreviewer.exepreviewer.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exepatch.exe

pid	process
2732	8B8D.exe
2732	8B8D.exe
2712	x4835485.exe
2712	x4835485.exe
2452	x5615539.exe
2452	x5615539.exe
2440	x1377404.exe
2440	x1377404.exe
2440	x1377404.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2636	g8676483.exe
2120	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1568	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
1592	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
560	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
992	B072.exe
992	B072.exe
992	B072.exe
992	B072.exe
992	B072.exe
992	B072.exe
2092	conhost.exe
992	B072.exe
2992	kos1.exe
2156	set16.exe
2156	set16.exe
2156	set16.exe
2992	kos1.exe
2156	set16.exe
1184	is-J9CTK.tmp
1184	is-J9CTK.tmp
1184	is-J9CTK.tmp
1184	is-J9CTK.tmp
1184	is-J9CTK.tmp
2768	previewer.exe
2768	previewer.exe
1184	is-J9CTK.tmp
1140	previewer.exe
1140	previewer.exe
2472	31839b57a4f11171d6abc8bbc4451ee4.exe
2472	31839b57a4f11171d6abc8bbc4451ee4.exe
2020	csrss.exe
836
1904	patch.exe
1904	patch.exe
1904	patch.exe
1904	patch.exe
1904	patch.exe
1904	patch.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2432-540-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2152-541-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2432-543-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exe8B8D.exex4835485.exex5615539.exex1377404.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8B8D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4835485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5615539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1377404.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.execonhost.exeTrustedInstaller.exe

description	pid	process	target process
PID 2024 set thread context of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2092 set thread context of 2864	2092	conhost.exe	toolspub2.exe
PID 544 set thread context of 2292	544	TrustedInstaller.exe	vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 7 IoCs

Processes:

is-J9CTK.tmp

description	ioc	process
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-J9CTK.tmp
File created	C:\Program Files (x86)\PA Previewer\is-0P82M.tmp	is-J9CTK.tmp
File created	C:\Program Files (x86)\PA Previewer\is-7KHOU.tmp	is-J9CTK.tmp
File created	C:\Program Files (x86)\PA Previewer\is-6HRUB.tmp	is-J9CTK.tmp
File created	C:\Program Files (x86)\PA Previewer\is-4AN8L.tmp	is-J9CTK.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-J9CTK.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-J9CTK.tmp

Drops file in Windows directory 5 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exemakecab.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20230928185246.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

308 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
308	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3004	2024	WerFault.exe	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe
2120	2760	WerFault.exe	8EB9.exe
1568	2636	WerFault.exe	g8676483.exe
1592	1936	WerFault.exe	9447.exe
560	2520	WerFault.exe	9B0B.exe
2200	1312	WerFault.exe	9F70.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exetoolspub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2984 schtasks.exe
2368 schtasks.exe

pid	process
2984	schtasks.exe
2368	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exenetsh.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

csrss.exepatch.exess41.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	ss41.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	ss41.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	ss41.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	ss41.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exe

pid	process
2640	AppLaunch.exe
2640	AppLaunch.exe
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192
1192

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1192
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

AppLaunch.exetoolspub2.exe

pid process

2640 AppLaunch.exe
2864 toolspub2.exe

pid	process
1192

pid	process
464

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

previewer.exepreviewer.exekos.exeBCC2.exe31839b57a4f11171d6abc8bbc4451ee4.exevbc.execsrss.exesc.exe

description	pid	process
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeDebugPrivilege	2768	previewer.exe
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeDebugPrivilege	1140	previewer.exe
Token: SeDebugPrivilege	1584	kos.exe
Token: SeDebugPrivilege	968	BCC2.exe
Token: SeDebugPrivilege	1844	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	1844	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	2292	vbc.exe
Token: SeSystemEnvironmentPrivilege	2020	csrss.exe
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeShutdownPrivilege	1192
Token: SeSecurityPrivilege	308	sc.exe
Token: SeSecurityPrivilege	308	sc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe8B8D.exex4835485.exex5615539.exex1377404.exe8EB9.exe

description	pid	process	target process
PID 2024 wrote to memory of 2752	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2752	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 2640	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	AppLaunch.exe
PID 2024 wrote to memory of 3004	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	WerFault.exe
PID 2024 wrote to memory of 3004	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	WerFault.exe
PID 2024 wrote to memory of 3004	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	WerFault.exe
PID 2024 wrote to memory of 3004	2024	473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe	WerFault.exe
PID 1192 wrote to memory of 2732	1192		8B8D.exe
PID 1192 wrote to memory of 2732	1192		8B8D.exe
PID 1192 wrote to memory of 2732	1192		8B8D.exe
PID 1192 wrote to memory of 2732	1192		8B8D.exe
PID 1192 wrote to memory of 2732	1192		8B8D.exe
PID 1192 wrote to memory of 2732	1192		8B8D.exe
PID 1192 wrote to memory of 2732	1192		8B8D.exe
PID 2732 wrote to memory of 2712	2732	8B8D.exe	x4835485.exe
PID 2732 wrote to memory of 2712	2732	8B8D.exe	x4835485.exe
PID 2732 wrote to memory of 2712	2732	8B8D.exe	x4835485.exe
PID 2732 wrote to memory of 2712	2732	8B8D.exe	x4835485.exe
PID 2732 wrote to memory of 2712	2732	8B8D.exe	x4835485.exe
PID 2732 wrote to memory of 2712	2732	8B8D.exe	x4835485.exe
PID 2732 wrote to memory of 2712	2732	8B8D.exe	x4835485.exe
PID 1192 wrote to memory of 2760	1192		8EB9.exe
PID 1192 wrote to memory of 2760	1192		8EB9.exe
PID 1192 wrote to memory of 2760	1192		8EB9.exe
PID 1192 wrote to memory of 2760	1192		8EB9.exe
PID 2712 wrote to memory of 2452	2712	x4835485.exe	x5615539.exe
PID 2712 wrote to memory of 2452	2712	x4835485.exe	x5615539.exe
PID 2712 wrote to memory of 2452	2712	x4835485.exe	x5615539.exe
PID 2712 wrote to memory of 2452	2712	x4835485.exe	x5615539.exe
PID 2712 wrote to memory of 2452	2712	x4835485.exe	x5615539.exe
PID 2712 wrote to memory of 2452	2712	x4835485.exe	x5615539.exe
PID 2712 wrote to memory of 2452	2712	x4835485.exe	x5615539.exe
PID 1192 wrote to memory of 1728	1192		cmd.exe
PID 1192 wrote to memory of 1728	1192		cmd.exe
PID 1192 wrote to memory of 1728	1192		cmd.exe
PID 2452 wrote to memory of 2440	2452	x5615539.exe	x1377404.exe
PID 2452 wrote to memory of 2440	2452	x5615539.exe	x1377404.exe
PID 2452 wrote to memory of 2440	2452	x5615539.exe	x1377404.exe
PID 2452 wrote to memory of 2440	2452	x5615539.exe	x1377404.exe
PID 2452 wrote to memory of 2440	2452	x5615539.exe	x1377404.exe
PID 2452 wrote to memory of 2440	2452	x5615539.exe	x1377404.exe
PID 2452 wrote to memory of 2440	2452	x5615539.exe	x1377404.exe
PID 2440 wrote to memory of 2636	2440	x1377404.exe	g8676483.exe
PID 2440 wrote to memory of 2636	2440	x1377404.exe	g8676483.exe
PID 2440 wrote to memory of 2636	2440	x1377404.exe	g8676483.exe
PID 2440 wrote to memory of 2636	2440	x1377404.exe	g8676483.exe
PID 2440 wrote to memory of 2636	2440	x1377404.exe	g8676483.exe
PID 2440 wrote to memory of 2636	2440	x1377404.exe	g8676483.exe
PID 2440 wrote to memory of 2636	2440	x1377404.exe	g8676483.exe
PID 2760 wrote to memory of 2120	2760	8EB9.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\473c2e724fac8009a33dae7ee8d7c3842ca629958c9553004ff524dfa01e64d7_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 100
2⤵
- Program crash
PID:3004

C:\Users\Admin\AppData\Local\Temp\8B8D.exe
C:\Users\Admin\AppData\Local\Temp\8B8D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4835485.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4835485.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5615539.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5615539.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377404.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377404.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2440

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:1568

C:\Users\Admin\AppData\Local\Temp\8EB9.exe
C:\Users\Admin\AppData\Local\Temp\8EB9.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 36
2⤵
- Loads dropped DLL
- Program crash
PID:2120

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\9021.bat" "
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\9447.exe
C:\Users\Admin\AppData\Local\Temp\9447.exe
1⤵
- Executes dropped EXE
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 36
2⤵
- Loads dropped DLL
- Program crash
PID:1592

C:\Users\Admin\AppData\Local\Temp\9B0B.exe
C:\Users\Admin\AppData\Local\Temp\9B0B.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 36
2⤵
- Loads dropped DLL
- Program crash
PID:560

C:\Users\Admin\AppData\Local\Temp\9F70.exe
C:\Users\Admin\AppData\Local\Temp\9F70.exe
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 36
2⤵
- Loads dropped DLL
- Program crash
PID:2200

C:\Users\Admin\AppData\Local\Temp\B072.exe
C:\Users\Admin\AppData\Local\Temp\B072.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2864

C:\Users\Admin\AppData\Local\Temp\ss41.exe
"C:\Users\Admin\AppData\Local\Temp\ss41.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2236

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2820

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2940

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:396

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1904

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:2388

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:528

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1768

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:1268

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1700

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:968

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1028

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:1624

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:2516

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:1948

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:1344

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1744

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1616

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:1740

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:2476

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2368

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:2820

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:308

C:\Users\Admin\AppData\Local\Temp\kos1.exe
"C:\Users\Admin\AppData\Local\Temp\kos1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992

C:\Users\Admin\AppData\Local\Temp\set16.exe
"C:\Users\Admin\AppData\Local\Temp\set16.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156

C:\Users\Admin\AppData\Local\Temp\is-9MBAB.tmp\is-J9CTK.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9MBAB.tmp\is-J9CTK.tmp" /SL4 $20214 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1184

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -i
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 8
5⤵
PID:2492

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
6⤵
PID:1912

C:\Program Files (x86)\PA Previewer\previewer.exe
"C:\Program Files (x86)\PA Previewer\previewer.exe" -s
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Users\Admin\AppData\Local\Temp\kos.exe
"C:\Users\Admin\AppData\Local\Temp\kos.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Local\Temp\BCC2.exe
C:\Users\Admin\AppData\Local\Temp\BCC2.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Users\Admin\AppData\Local\Temp\C480.exe
C:\Users\Admin\AppData\Local\Temp\C480.exe
1⤵
PID:544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:544

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230928185246.log C:\Windows\Logs\CBS\CbsPersist_20230928185246.cab
2⤵
- Drops file in Windows directory
PID:1660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1018679528553971579273300115135389547310589781561983908961-1928613972-1515112664"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2092

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B8D.exe
Filesize
1.1MB

MD5
11dd5eeddd1c5a8eae4258a5ce11588b

SHA1
4d173b5e48d2a74cc63695b5f7bd1933285aea5d

SHA256
1cf0b6eb2f9c3e4d6260a541e3834d243a3247f2ec2610d955b75f94beb197fb

SHA512
c710bcf98a10285644d500f5b77257a4db745877ae1c79dd6ea877e8e49130ffdf21e0c947e3ac2c8742b163773d32deab6032fdf1ac47beb19f258d5d3db671

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B8D.exe
Filesize
1.1MB

MD5
11dd5eeddd1c5a8eae4258a5ce11588b

SHA1
4d173b5e48d2a74cc63695b5f7bd1933285aea5d

SHA256
1cf0b6eb2f9c3e4d6260a541e3834d243a3247f2ec2610d955b75f94beb197fb

SHA512
c710bcf98a10285644d500f5b77257a4db745877ae1c79dd6ea877e8e49130ffdf21e0c947e3ac2c8742b163773d32deab6032fdf1ac47beb19f258d5d3db671

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EB9.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EB9.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9021.bat
Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\9021.bat
Filesize
79B

MD5
403991c4d18ac84521ba17f264fa79f2

SHA1
850cc068de0963854b0fe8f485d951072474fd45

SHA256
ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f

SHA512
a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

Download Submit
C:\Users\Admin\AppData\Local\Temp\9447.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\9447.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B0B.exe
Filesize
860KB

MD5
6fe9ef544a71f7f994e1f57042c005ad

SHA1
dae887624b2fd2cdfb9f3e9f9fc5fb0f563c2c9d

SHA256
d9ca6bbd8c83a5f220a54c088ec584b2cfb63f9b888e12250674303723bcebdc

SHA512
3be17c4e01bb4c9777ddd091a955147aba26742c3a1c334c5b0313711b7491199b6408c50cd190694c30a7850fe925ebd550d3d473243ec5d71f4830fa0078ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9B0B.exe
Filesize
860KB

MD5
6fe9ef544a71f7f994e1f57042c005ad

SHA1
dae887624b2fd2cdfb9f3e9f9fc5fb0f563c2c9d

SHA256
d9ca6bbd8c83a5f220a54c088ec584b2cfb63f9b888e12250674303723bcebdc

SHA512
3be17c4e01bb4c9777ddd091a955147aba26742c3a1c334c5b0313711b7491199b6408c50cd190694c30a7850fe925ebd550d3d473243ec5d71f4830fa0078ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\9F70.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\B072.exe
Filesize
6.4MB

MD5
3c81534d635fbe4bfab2861d98422f70

SHA1
9cc995fa42313cd82eacaad9e3fe818cd3805f58

SHA256
88921dad96a51ff9f15a1d93b51910b2ac75589020fbb75956b6f090381d4d4f

SHA512
132fa532fad96b512b795cf4786245cc24bbdbbab433bf34925cf20401a819cab7bed92771e7f0b4c970535804d42f7f1d2887765ed8f999c99a0e15d93a0136

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCC2.exe
Filesize
341KB

MD5
53df0c8b56120e03e1657e366720ecd9

SHA1
a09ccc5dfa35fe46f1203e5e95c3025ff2f0930d

SHA256
bc3a7ba547b8a0f5cc6be6748eb9fa06ae2d09ca4b3c158add5e4868197c72ff

SHA512
b940864beb7a9d300173e98e343a7d21bef9b3aa48f3d198816b8e9909463f35354312ffb699893e27ef312504d1ddcad9288792ec2492086d3716d217c1011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BCC2.exe
Filesize
341KB

MD5
53df0c8b56120e03e1657e366720ecd9

SHA1
a09ccc5dfa35fe46f1203e5e95c3025ff2f0930d

SHA256
bc3a7ba547b8a0f5cc6be6748eb9fa06ae2d09ca4b3c158add5e4868197c72ff

SHA512
b940864beb7a9d300173e98e343a7d21bef9b3aa48f3d198816b8e9909463f35354312ffb699893e27ef312504d1ddcad9288792ec2492086d3716d217c1011b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C480.exe
Filesize
1.0MB

MD5
31c3b0ab9b83cafb8eb3a7890e2d05ca

SHA1
5ae01358b1c88a6a0ef5d240abdc756835fdb572

SHA256
35f7e6ac149538b9ec2b1286dd43d4fb9e78aa78a4b74c64cd4194d7bc5cb215

SHA512
b727cf5777a7e4fe338ed81ce66bdec626ffd3226a332157a780cc1ff499cb0b17b8f339c21f7d99f42bc7ddc951d3ac5139d05e34c2f7e81582ec84f3989e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\C480.exe
Filesize
1.0MB

MD5
31c3b0ab9b83cafb8eb3a7890e2d05ca

SHA1
5ae01358b1c88a6a0ef5d240abdc756835fdb572

SHA256
35f7e6ac149538b9ec2b1286dd43d4fb9e78aa78a4b74c64cd4194d7bc5cb215

SHA512
b727cf5777a7e4fe338ed81ce66bdec626ffd3226a332157a780cc1ff499cb0b17b8f339c21f7d99f42bc7ddc951d3ac5139d05e34c2f7e81582ec84f3989e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD4ED.tmp
Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4835485.exe
Filesize
1.0MB

MD5
2070369b448cae3833a28d0cbc099123

SHA1
be0e0c90bd1f6b764b0be2b10eb47a4fd1d3d623

SHA256
8763824be645d79f08f5c788c52e0ee02676024f70488791fc79e91875108f77

SHA512
d868206ca468ba46eafc3575ad7ef4815211aad5ce3d0658b097878fddbf8c33fd6b5443d23232e8ce568c35b33e0a6f29f714da911324b8b91f809e2b49479d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4835485.exe
Filesize
1.0MB

MD5
2070369b448cae3833a28d0cbc099123

SHA1
be0e0c90bd1f6b764b0be2b10eb47a4fd1d3d623

SHA256
8763824be645d79f08f5c788c52e0ee02676024f70488791fc79e91875108f77

SHA512
d868206ca468ba46eafc3575ad7ef4815211aad5ce3d0658b097878fddbf8c33fd6b5443d23232e8ce568c35b33e0a6f29f714da911324b8b91f809e2b49479d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5615539.exe
Filesize
675KB

MD5
6b4e32f26ea7058ca96e0864081ca6c8

SHA1
8242f15d37ce2f148871ca512f37a3ea960f2455

SHA256
3d87dbb059f2c6c808715784b0419e88373d2af5e4e6b85211b1b0cffaa9f910

SHA512
f1d3b4183d311a5c8662f618f20e38b7818459131ababcfc590b58a26d51f17396e538333728958a2aa1973dc3ce1cbaa9dadbfc8c2ac4c7c293c0f536ebba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5615539.exe
Filesize
675KB

MD5
6b4e32f26ea7058ca96e0864081ca6c8

SHA1
8242f15d37ce2f148871ca512f37a3ea960f2455

SHA256
3d87dbb059f2c6c808715784b0419e88373d2af5e4e6b85211b1b0cffaa9f910

SHA512
f1d3b4183d311a5c8662f618f20e38b7818459131ababcfc590b58a26d51f17396e538333728958a2aa1973dc3ce1cbaa9dadbfc8c2ac4c7c293c0f536ebba45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377404.exe
Filesize
509KB

MD5
aa9fbc8bd6bb361cddf31396a6ce068d

SHA1
f7e40930b9112f97ab1a621628528cbd7c8af4fd

SHA256
865ae94a056ef600f73c201a68dc4b98f1ef0729c3d17abd406d46a250bd811d

SHA512
11755cd5c2d396fd109b64db809eb9c23d2d8251ae2971f02554eda2e66041342090968ab4b49587210943514e2daf4950be2b0a409251d3d30e59a432df651c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377404.exe
Filesize
509KB

MD5
aa9fbc8bd6bb361cddf31396a6ce068d

SHA1
f7e40930b9112f97ab1a621628528cbd7c8af4fd

SHA256
865ae94a056ef600f73c201a68dc4b98f1ef0729c3d17abd406d46a250bd811d

SHA512
11755cd5c2d396fd109b64db809eb9c23d2d8251ae2971f02554eda2e66041342090968ab4b49587210943514e2daf4950be2b0a409251d3d30e59a432df651c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
395KB

MD5
5da3a881ef991e8010deed799f1a5aaf

SHA1
fea1acea7ed96d7c9788783781e90a2ea48c1a53

SHA256
f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4

SHA512
24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC02.tmp
Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
7ea584dc49967de03bebdacec829b18d

SHA1
3d47f0e88c7473bedeed2f14d7a8db1318b93852

SHA256
79232c763bddf5c7fc4ca2e1597b8a5cd38902241d689ac1e69f7418a8077a53

SHA512
ed57aca6b892cb0229708690df16739e0a976ce28112128c9b4f4e4f06019c4fbe6675cb82a639837ae3374acdc0ee9fdb86b5b28151ccc8c7ed2aeff350fcb0

Download Submit
\Users\Admin\AppData\Local\Temp\8B8D.exe
Filesize
1.1MB

MD5
11dd5eeddd1c5a8eae4258a5ce11588b

SHA1
4d173b5e48d2a74cc63695b5f7bd1933285aea5d

SHA256
1cf0b6eb2f9c3e4d6260a541e3834d243a3247f2ec2610d955b75f94beb197fb

SHA512
c710bcf98a10285644d500f5b77257a4db745877ae1c79dd6ea877e8e49130ffdf21e0c947e3ac2c8742b163773d32deab6032fdf1ac47beb19f258d5d3db671

Download Submit
\Users\Admin\AppData\Local\Temp\8EB9.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\8EB9.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\8EB9.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\8EB9.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\9447.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
\Users\Admin\AppData\Local\Temp\9447.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
\Users\Admin\AppData\Local\Temp\9447.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
\Users\Admin\AppData\Local\Temp\9447.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
\Users\Admin\AppData\Local\Temp\9B0B.exe
Filesize
860KB

MD5
6fe9ef544a71f7f994e1f57042c005ad

SHA1
dae887624b2fd2cdfb9f3e9f9fc5fb0f563c2c9d

SHA256
d9ca6bbd8c83a5f220a54c088ec584b2cfb63f9b888e12250674303723bcebdc

SHA512
3be17c4e01bb4c9777ddd091a955147aba26742c3a1c334c5b0313711b7491199b6408c50cd190694c30a7850fe925ebd550d3d473243ec5d71f4830fa0078ab

Download Submit
\Users\Admin\AppData\Local\Temp\9B0B.exe
Filesize
860KB

MD5
6fe9ef544a71f7f994e1f57042c005ad

SHA1
dae887624b2fd2cdfb9f3e9f9fc5fb0f563c2c9d

SHA256
d9ca6bbd8c83a5f220a54c088ec584b2cfb63f9b888e12250674303723bcebdc

SHA512
3be17c4e01bb4c9777ddd091a955147aba26742c3a1c334c5b0313711b7491199b6408c50cd190694c30a7850fe925ebd550d3d473243ec5d71f4830fa0078ab

Download Submit
\Users\Admin\AppData\Local\Temp\9B0B.exe
Filesize
860KB

MD5
6fe9ef544a71f7f994e1f57042c005ad

SHA1
dae887624b2fd2cdfb9f3e9f9fc5fb0f563c2c9d

SHA256
d9ca6bbd8c83a5f220a54c088ec584b2cfb63f9b888e12250674303723bcebdc

SHA512
3be17c4e01bb4c9777ddd091a955147aba26742c3a1c334c5b0313711b7491199b6408c50cd190694c30a7850fe925ebd550d3d473243ec5d71f4830fa0078ab

Download Submit
\Users\Admin\AppData\Local\Temp\9B0B.exe
Filesize
860KB

MD5
6fe9ef544a71f7f994e1f57042c005ad

SHA1
dae887624b2fd2cdfb9f3e9f9fc5fb0f563c2c9d

SHA256
d9ca6bbd8c83a5f220a54c088ec584b2cfb63f9b888e12250674303723bcebdc

SHA512
3be17c4e01bb4c9777ddd091a955147aba26742c3a1c334c5b0313711b7491199b6408c50cd190694c30a7850fe925ebd550d3d473243ec5d71f4830fa0078ab

Download Submit
\Users\Admin\AppData\Local\Temp\9F70.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
\Users\Admin\AppData\Local\Temp\9F70.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
\Users\Admin\AppData\Local\Temp\9F70.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
\Users\Admin\AppData\Local\Temp\9F70.exe
Filesize
1.0MB

MD5
be74b3c2069f72cdefeb4affac42f48e

SHA1
abdcba0be6b67111b4ff184a717ed518c5a3caf6

SHA256
55264d5e8490b7aa90f7e471f66efcc2f472399eb30f3ae7135bdc54288b51fb

SHA512
334febf96f997840023158af43ccd7d25a4710c4f553d305c76dafcba0c3965f8d23d2f839d3236124c2ebeda6c7573d0a16400022c25a99698ee6e9172135ee

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4835485.exe
Filesize
1.0MB

MD5
2070369b448cae3833a28d0cbc099123

SHA1
be0e0c90bd1f6b764b0be2b10eb47a4fd1d3d623

SHA256
8763824be645d79f08f5c788c52e0ee02676024f70488791fc79e91875108f77

SHA512
d868206ca468ba46eafc3575ad7ef4815211aad5ce3d0658b097878fddbf8c33fd6b5443d23232e8ce568c35b33e0a6f29f714da911324b8b91f809e2b49479d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4835485.exe
Filesize
1.0MB

MD5
2070369b448cae3833a28d0cbc099123

SHA1
be0e0c90bd1f6b764b0be2b10eb47a4fd1d3d623

SHA256
8763824be645d79f08f5c788c52e0ee02676024f70488791fc79e91875108f77

SHA512
d868206ca468ba46eafc3575ad7ef4815211aad5ce3d0658b097878fddbf8c33fd6b5443d23232e8ce568c35b33e0a6f29f714da911324b8b91f809e2b49479d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5615539.exe
Filesize
675KB

MD5
6b4e32f26ea7058ca96e0864081ca6c8

SHA1
8242f15d37ce2f148871ca512f37a3ea960f2455

SHA256
3d87dbb059f2c6c808715784b0419e88373d2af5e4e6b85211b1b0cffaa9f910

SHA512
f1d3b4183d311a5c8662f618f20e38b7818459131ababcfc590b58a26d51f17396e538333728958a2aa1973dc3ce1cbaa9dadbfc8c2ac4c7c293c0f536ebba45

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5615539.exe
Filesize
675KB

MD5
6b4e32f26ea7058ca96e0864081ca6c8

SHA1
8242f15d37ce2f148871ca512f37a3ea960f2455

SHA256
3d87dbb059f2c6c808715784b0419e88373d2af5e4e6b85211b1b0cffaa9f910

SHA512
f1d3b4183d311a5c8662f618f20e38b7818459131ababcfc590b58a26d51f17396e538333728958a2aa1973dc3ce1cbaa9dadbfc8c2ac4c7c293c0f536ebba45

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377404.exe
Filesize
509KB

MD5
aa9fbc8bd6bb361cddf31396a6ce068d

SHA1
f7e40930b9112f97ab1a621628528cbd7c8af4fd

SHA256
865ae94a056ef600f73c201a68dc4b98f1ef0729c3d17abd406d46a250bd811d

SHA512
11755cd5c2d396fd109b64db809eb9c23d2d8251ae2971f02554eda2e66041342090968ab4b49587210943514e2daf4950be2b0a409251d3d30e59a432df651c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1377404.exe
Filesize
509KB

MD5
aa9fbc8bd6bb361cddf31396a6ce068d

SHA1
f7e40930b9112f97ab1a621628528cbd7c8af4fd

SHA256
865ae94a056ef600f73c201a68dc4b98f1ef0729c3d17abd406d46a250bd811d

SHA512
11755cd5c2d396fd109b64db809eb9c23d2d8251ae2971f02554eda2e66041342090968ab4b49587210943514e2daf4950be2b0a409251d3d30e59a432df651c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8676483.exe
Filesize
1016KB

MD5
f6dd0acbd8878a7733fe9406c640dae7

SHA1
13d258d04038e91059aceb86a024e25c426ffa26

SHA256
584cc7470b9cbbf5045d7e2bee8d6d535e4f50a509eaa2eb34409a5bb1ab89f9

SHA512
1a9ade14b6e99956a01fb3c0f21e92341a9f878ee51ae774dfe701f835a6c94c17cd444d78808afec84ce0ddca6e9bcd2981677f0ce3746d400b32e344117bff

Download Submit
\Users\Admin\AppData\Local\Temp\kos1.exe
Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
\Users\Admin\AppData\Local\Temp\ss41.exe
Filesize
416KB

MD5
83330cf6e88ad32365183f31b1fd3bda

SHA1
1c5b47be2b8713746de64b39390636a81626d264

SHA256
7ce942cdc58ba5fa628d97f991c8a794294c2acfb724efbf0ac887c47942a31e

SHA512
e28a9c47f690b0b0f0dd3b946d9cd59c761803f3826a382208a5b92be1293067b37a39f1141ddda13247b96138a108ce2f85b83de0143d48d4acc94f69a11908

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
338KB

MD5
528b5dc5ede359f683b73a684b9c19f6

SHA1
8bff4feae6dbdaafac1f9f373f15850d08e0a206

SHA256
3a53bd59537190f8dc2c1ce266eb3b6c699c96ee929e2d4f90555fea5c6441f9

SHA512
87cb867d3f47346730ee04b8b611afeac60616040a84c85b1369b739df217a528aa148a807d653d543bcb4ed25dac42ab98ad38d705331725a71ec2d6f010cbb

Download Submit
memory/544-189-0x0000000000E50000-0x0000000000FAD000-memory.dmp

Filesize
1.4MB

Download
memory/544-186-0x0000000000E50000-0x0000000000FAD000-memory.dmp

Filesize
1.4MB

Download
memory/544-209-0x0000000000E50000-0x0000000000FAD000-memory.dmp

Filesize
1.4MB

Download
memory/968-174-0x0000000000F50000-0x0000000000FAA000-memory.dmp

Filesize
360KB

Download
memory/968-178-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/968-211-0x00000000071A0000-0x00000000071E0000-memory.dmp

Filesize
256KB

Download
memory/968-366-0x00000000071A0000-0x00000000071E0000-memory.dmp

Filesize
256KB

Download
memory/968-409-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/968-356-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/1140-491-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-508-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-525-0x00000000021B0000-0x00000000021F9000-memory.dmp

Filesize
292KB

Download
memory/1140-379-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-484-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-371-0x0000000000CB0000-0x0000000000EA1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-429-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-335-0x0000000000CB0000-0x0000000000EA1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-533-0x00000000021B0000-0x00000000021F9000-memory.dmp

Filesize
292KB

Download
memory/1140-333-0x0000000000CB0000-0x0000000000EA1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-353-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-407-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1140-332-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1184-348-0x0000000003710000-0x0000000003901000-memory.dmp

Filesize
1.9MB

Download
memory/1184-373-0x0000000003710000-0x0000000003901000-memory.dmp

Filesize
1.9MB

Download
memory/1184-349-0x0000000003710000-0x0000000003901000-memory.dmp

Filesize
1.9MB

Download
memory/1184-354-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1192-191-0x0000000002A10000-0x0000000002A26000-memory.dmp

Filesize
88KB

Download
memory/1192-5-0x00000000029E0000-0x00000000029F6000-memory.dmp

Filesize
88KB

Download
memory/1584-329-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/1584-336-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/1584-368-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/1584-369-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/1584-259-0x0000000001240000-0x0000000001248000-memory.dmp

Filesize
32KB

Download
memory/1844-357-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1844-358-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1844-226-0x0000000004440000-0x0000000004838000-memory.dmp

Filesize
4.0MB

Download
memory/1844-375-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1844-330-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1844-355-0x0000000004840000-0x000000000512B000-memory.dmp

Filesize
8.9MB

Download
memory/1844-376-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1844-167-0x0000000004440000-0x0000000004838000-memory.dmp

Filesize
4.0MB

Download
memory/1844-179-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/1844-157-0x0000000004440000-0x0000000004838000-memory.dmp

Filesize
4.0MB

Download
memory/1844-168-0x0000000004840000-0x000000000512B000-memory.dmp

Filesize
8.9MB

Download
memory/1904-420-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1904-430-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2020-408-0x00000000045B0000-0x0000000004E9B000-memory.dmp

Filesize
8.9MB

Download
memory/2020-443-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2020-394-0x00000000041B0000-0x00000000045A8000-memory.dmp

Filesize
4.0MB

Download
memory/2020-406-0x00000000041B0000-0x00000000045A8000-memory.dmp

Filesize
4.0MB

Download
memory/2020-512-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2020-490-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2020-410-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2020-414-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2020-483-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2020-431-0x00000000041B0000-0x00000000045A8000-memory.dmp

Filesize
4.0MB

Download
memory/2092-153-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2092-152-0x00000000026E0000-0x00000000027E0000-memory.dmp

Filesize
1024KB

Download
memory/2152-541-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2156-199-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2156-331-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2236-362-0x0000000003560000-0x0000000003691000-memory.dmp

Filesize
1.2MB

Download
memory/2236-361-0x0000000003340000-0x00000000034B1000-memory.dmp

Filesize
1.4MB

Download
memory/2236-141-0x00000000FF4C0000-0x00000000FF52A000-memory.dmp

Filesize
424KB

Download
memory/2236-380-0x0000000003560000-0x0000000003691000-memory.dmp

Filesize
1.2MB

Download
memory/2292-190-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2292-222-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-367-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-258-0x0000000000350000-0x0000000000356000-memory.dmp

Filesize
24KB

Download
memory/2292-204-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2292-452-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/2292-188-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2292-352-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2292-374-0x0000000004A70000-0x0000000004AB0000-memory.dmp

Filesize
256KB

Download
memory/2292-212-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2292-215-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2432-543-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2432-540-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2472-377-0x0000000004280000-0x0000000004678000-memory.dmp

Filesize
4.0MB

Download
memory/2472-392-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2472-378-0x0000000004280000-0x0000000004678000-memory.dmp

Filesize
4.0MB

Download
memory/2472-381-0x0000000000400000-0x000000000298D000-memory.dmp

Filesize
37.6MB

Download
memory/2640-3-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-0-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-4-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-1-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2640-2-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2768-296-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2768-298-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2864-161-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-166-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2864-156-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-195-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2992-185-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-175-0x00000000002D0000-0x0000000000444000-memory.dmp

Filesize
1.5MB

Download
memory/2992-257-0x0000000073AA0000-0x000000007418E000-memory.dmp

Filesize
6.9MB

Download