dcrat | d722bd3c56605be7c31cd87c183cbbf3a396835f11b5af72686c64116bc2aa36

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8f9ae3dd612caee37ed882aa05b09c3.exe
Size

37KB
MD5

c8f9ae3dd612caee37ed882aa05b09c3
SHA1

6fc4458188027e48b286bfbb342559e75e87d06b
SHA256

d722bd3c56605be7c31cd87c183cbbf3a396835f11b5af72686c64116bc2aa36
SHA512

f0957d7dd60a3960c9ecf64be0256fd056ed80298eb44418e3600f4505c48de0217d88d456a77aa4d4136f87588ca66549844408b2c14aecd8c644fc4054c779
SSDEEP

768:3E45SLnQpEhOB/hAGflc5xOXhr7gvexzv36:3E4EqEhOPNfqStgvexzv3

Malware Config

Extracted

Family

smokeloader

Version

2022

http://185.215.113.68/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:13856

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

stealc

http://5.42.66.57

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe
http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0840ASdw

rsa_pubkey.plain

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\5B3B.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\5B3B.exe	family_zgrat_v1
behavioral1/memory/2556-21-0x0000000000860000-0x0000000000914000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1196-746-0x0000000002170000-0x000000000228B000-memory.dmp	family_djvu
behavioral1/memory/2152-756-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2152-784-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1296-796-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1296-859-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2864-87-0x0000000002BA0000-0x000000000348B000-memory.dmp	family_glupteba
behavioral1/memory/2864-99-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2864-264-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2864-517-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2864-522-0x0000000002BA0000-0x000000000348B000-memory.dmp	family_glupteba
behavioral1/memory/1484-523-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1484-535-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2116-540-0x0000000002C10000-0x00000000034FB000-memory.dmp	family_glupteba
behavioral1/memory/2116-541-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1692-551-0x0000000140000000-0x00000001405E8000-memory.dmp	family_glupteba
behavioral1/memory/2116-571-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2116-588-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2116-689-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2908-45-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral1/memory/2908-63-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral1/memory/2908-49-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral1/memory/2908-71-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline
behavioral1/memory/2908-84-0x0000000000400000-0x0000000000490000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

1640 netsh.exe
Deletes itself 1 IoCs

Processes:

pid process

1240

pid	process
1640	netsh.exe

pid	process
1240

Executes dropped EXE 22 IoCs

Processes:

4EBC.exe5B3B.exeInstallSetup8.exetoolspub2.exe31839b57a4f11171d6abc8bbc4451ee4.exetoolspub2.exetuc4.exetuc4.tmpetopt.exeBroomSetup.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exepatch.exeinjector.exensz23AA.tmp.exe6D48.exe6D48.exe7093.exe6D48.exe6D48.exebuild2.exebuild2.exe

pid	process
2952	4EBC.exe
2556	5B3B.exe
1716	InstallSetup8.exe
2540	toolspub2.exe
2864	31839b57a4f11171d6abc8bbc4451ee4.exe
1180	toolspub2.exe
940	tuc4.exe
884	tuc4.tmp
2852	etopt.exe
1248	BroomSetup.exe
1484	31839b57a4f11171d6abc8bbc4451ee4.exe
2116	csrss.exe
1692	patch.exe
1884	injector.exe
1624	nsz23AA.tmp.exe
1196	6D48.exe
2152	6D48.exe
1728	7093.exe
2392	6D48.exe
1296	6D48.exe
780	build2.exe
2536	build2.exe

Loads dropped DLL 40 IoCs

Processes:

4EBC.exetoolspub2.exetuc4.exeInstallSetup8.exeetopt.exetuc4.tmp31839b57a4f11171d6abc8bbc4451ee4.exepatch.execsrss.exensz23AA.tmp.exe6D48.exe6D48.exe6D48.exe7093.exe6D48.exe

pid	process
2952	4EBC.exe
2952	4EBC.exe
2952	4EBC.exe
2952	4EBC.exe
2952	4EBC.exe
2540	toolspub2.exe
2952	4EBC.exe
2952	4EBC.exe
940	tuc4.exe
1716	InstallSetup8.exe
1716	InstallSetup8.exe
2852	etopt.exe
884	tuc4.tmp
884	tuc4.tmp
2852	etopt.exe
884	tuc4.tmp
884	tuc4.tmp
1716	InstallSetup8.exe
2852	etopt.exe
1484	31839b57a4f11171d6abc8bbc4451ee4.exe
1484	31839b57a4f11171d6abc8bbc4451ee4.exe
848
1692	patch.exe
1692	patch.exe
2116	csrss.exe
1692	patch.exe
1692	patch.exe
1692	patch.exe
1716	InstallSetup8.exe
1716	InstallSetup8.exe
1716	InstallSetup8.exe
1624	nsz23AA.tmp.exe
1624	nsz23AA.tmp.exe
1196	6D48.exe
2152	6D48.exe
2152	6D48.exe
2392	6D48.exe
1728	7093.exe
1296	6D48.exe
1296	6D48.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3056 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3056	icacls.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

etopt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1F440BE6-46DC-39CB-308D-CEC361205EF7}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E440BE6-46DC-39CB-308D-CEC361205EF7}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2E440BE6-46DC-39CB-308D-CEC361205EF7}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F440BE6-46DC-39CB-308D-CEC361205EF7}\InProcServer32	etopt.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6D48.exe31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c65a5506-2ed2-469f-9d15-e74d2f5ade21\\6D48.exe\" --AutoStart"	6D48.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

37 api.2ip.ua
43 api.2ip.ua
11 api.ipify.org
36 api.2ip.ua

flow	ioc
37	api.2ip.ua
43	api.2ip.ua
11	api.ipify.org
36	api.2ip.ua

Suspicious use of SetThreadContext 6 IoCs

Processes:

5B3B.exetoolspub2.exe6D48.exe6D48.exe7093.exebuild2.exe

description	pid	process	target process
PID 2556 set thread context of 2908	2556	5B3B.exe	RegAsm.exe
PID 2540 set thread context of 1180	2540	toolspub2.exe	toolspub2.exe
PID 1196 set thread context of 2152	1196	6D48.exe	6D48.exe
PID 2392 set thread context of 1296	2392	6D48.exe	6D48.exe
PID 1728 set thread context of 2460	1728	7093.exe	RegSvcs.exe
PID 780 set thread context of 2536	780	build2.exe	build2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 64 IoCs

Processes:

etopt.exetuc4.tmp

description	ioc	process
File created	C:\Program Files (x86)\ClocX\Lang\Brazilian Portuguese.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jagua3rClock.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Unreal.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wonderglobe2.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\default.bmp	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-49F15.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-188P1.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Presets\AJ-CityHall-500-hour.hpng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\DSX4.TXT	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Portuguese.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueBallRoman.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wall Clock medium-sec.hpng	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\plugins\internal\is-61AJ7.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-GEMEH.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\stuff\is-6M16B.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Estonian.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow.ini	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-BC2N2.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\White_Apple_Clock.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\cowboy2.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Svenska.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\dsaqua.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock2.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\iSink.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokje.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Comdex - Omega1.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\GuldKugler.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jaguar.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\cowboy2.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyClock.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanold\romanoldmin.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Sounds\clockbell.mp3	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-D4LNN.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-DLA1N.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Presets\CloQ.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman\romanhour.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Lang\Turkce.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Original.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\earth2.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock.bmp	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Sounds\trumpet.mp3	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-VHM5J.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\stuff\is-CF8F7.tmp	tuc4.tmp
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\CarpeDiem.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\longhorn.ini	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\plugins\internal\is-J81DG.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Srpski.lng	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Octopye2.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\Uhr.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock2.png	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\weemsplath.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman2\roman2minute.png	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\unins000.dat	tuc4.tmp
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-MGNLL.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Presets\CarpeDiem.ini	etopt.exe
File created	C:\Program Files (x86)\ClocX\Presets\WidestoneStudios.ini	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-NJIPR.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Lang\Bulgarian.lng	etopt.exe
File created	C:\Program Files (x86)\DataPumpCRT\bin\x86\is-USGJ2.tmp	tuc4.tmp
File created	C:\Program Files (x86)\ClocX\Presets\DSX4.BMP	etopt.exe

Drops file in Windows directory 3 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20231229164720.cab	makecab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2584 2460 WerFault.exe RegSvcs.exe

pid	pid_target	process	target process
2584	2460	WerFault.exe	RegSvcs.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\etopt.exe	nsis_installer_2
C:\Program Files (x86)\ClocX\uninst.exe	nsis_installer_1
C:\Program Files (x86)\ClocX\uninst.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exec8f9ae3dd612caee37ed882aa05b09c3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8f9ae3dd612caee37ed882aa05b09c3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8f9ae3dd612caee37ed882aa05b09c3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c8f9ae3dd612caee37ed882aa05b09c3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsz23AA.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsz23AA.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsz23AA.tmp.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1512 schtasks.exe

pid	process
1512	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies registry class 10 IoCs

Processes:

etopt.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F440BE6-46DC-39CB-308D-CEC361205EF7}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F440BE6-46DC-39CB-308D-CEC361205EF7}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E440BE6-46DC-39CB-308D-CEC361205EF7}	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2E440BE6-46DC-39CB-308D-CEC361205EF7}\InProcServer32	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1F440BE6-46DC-39CB-308D-CEC361205EF7}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{1F440BE6-46DC-39CB-308D-CEC361205EF7}	etopt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E440BE6-46DC-39CB-308D-CEC361205EF7}\InProcServer32	etopt.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\CLSID\{2E440BE6-46DC-39CB-308D-CEC361205EF7}	etopt.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.execsrss.exepatch.exe6D48.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6D48.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6D48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	6D48.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c8f9ae3dd612caee37ed882aa05b09c3.exe

pid	process
2204	c8f9ae3dd612caee37ed882aa05b09c3.exe
2204	c8f9ae3dd612caee37ed882aa05b09c3.exe
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240
1240

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

c8f9ae3dd612caee37ed882aa05b09c3.exetoolspub2.exe

pid process

2204 c8f9ae3dd612caee37ed882aa05b09c3.exe
1180 toolspub2.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exeRegAsm.execsrss.exe

description	pid	process
Token: SeShutdownPrivilege	1240
Token: SeShutdownPrivilege	1240
Token: SeShutdownPrivilege	1240
Token: SeShutdownPrivilege	1240
Token: SeShutdownPrivilege	1240
Token: SeShutdownPrivilege	1240
Token: SeShutdownPrivilege	1240
Token: SeDebugPrivilege	2864	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2864	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	2908	RegAsm.exe
Token: SeSystemEnvironmentPrivilege	2116	csrss.exe
Token: SeShutdownPrivilege	1240

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tuc4.tmp

pid process

884 tuc4.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

1248 BroomSetup.exe

pid	process
884	tuc4.tmp

pid	process
1248	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4EBC.exe5B3B.exetoolspub2.exetuc4.exeInstallSetup8.exe

description	pid	process	target process
PID 1240 wrote to memory of 2952	1240		4EBC.exe
PID 1240 wrote to memory of 2952	1240		4EBC.exe
PID 1240 wrote to memory of 2952	1240		4EBC.exe
PID 1240 wrote to memory of 2952	1240		4EBC.exe
PID 1240 wrote to memory of 2556	1240		5B3B.exe
PID 1240 wrote to memory of 2556	1240		5B3B.exe
PID 1240 wrote to memory of 2556	1240		5B3B.exe
PID 1240 wrote to memory of 2556	1240		5B3B.exe
PID 2952 wrote to memory of 1716	2952	4EBC.exe	InstallSetup8.exe
PID 2952 wrote to memory of 1716	2952	4EBC.exe	InstallSetup8.exe
PID 2952 wrote to memory of 1716	2952	4EBC.exe	InstallSetup8.exe
PID 2952 wrote to memory of 1716	2952	4EBC.exe	InstallSetup8.exe
PID 2952 wrote to memory of 1716	2952	4EBC.exe	InstallSetup8.exe
PID 2952 wrote to memory of 1716	2952	4EBC.exe	InstallSetup8.exe
PID 2952 wrote to memory of 1716	2952	4EBC.exe	InstallSetup8.exe
PID 2952 wrote to memory of 2540	2952	4EBC.exe	toolspub2.exe
PID 2952 wrote to memory of 2540	2952	4EBC.exe	toolspub2.exe
PID 2952 wrote to memory of 2540	2952	4EBC.exe	toolspub2.exe
PID 2952 wrote to memory of 2540	2952	4EBC.exe	toolspub2.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2952 wrote to memory of 2864	2952	4EBC.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2952 wrote to memory of 2864	2952	4EBC.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2952 wrote to memory of 2864	2952	4EBC.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2952 wrote to memory of 2864	2952	4EBC.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2540 wrote to memory of 1180	2540	toolspub2.exe	toolspub2.exe
PID 2540 wrote to memory of 1180	2540	toolspub2.exe	toolspub2.exe
PID 2540 wrote to memory of 1180	2540	toolspub2.exe	toolspub2.exe
PID 2540 wrote to memory of 1180	2540	toolspub2.exe	toolspub2.exe
PID 2540 wrote to memory of 1180	2540	toolspub2.exe	toolspub2.exe
PID 2540 wrote to memory of 1180	2540	toolspub2.exe	toolspub2.exe
PID 2556 wrote to memory of 2908	2556	5B3B.exe	RegAsm.exe
PID 2540 wrote to memory of 1180	2540	toolspub2.exe	toolspub2.exe
PID 2952 wrote to memory of 940	2952	4EBC.exe	tuc4.exe
PID 2952 wrote to memory of 940	2952	4EBC.exe	tuc4.exe
PID 2952 wrote to memory of 940	2952	4EBC.exe	tuc4.exe
PID 2952 wrote to memory of 940	2952	4EBC.exe	tuc4.exe
PID 2952 wrote to memory of 940	2952	4EBC.exe	tuc4.exe
PID 2952 wrote to memory of 940	2952	4EBC.exe	tuc4.exe
PID 2952 wrote to memory of 940	2952	4EBC.exe	tuc4.exe
PID 2952 wrote to memory of 2852	2952	4EBC.exe	etopt.exe
PID 2952 wrote to memory of 2852	2952	4EBC.exe	etopt.exe
PID 2952 wrote to memory of 2852	2952	4EBC.exe	etopt.exe
PID 2952 wrote to memory of 2852	2952	4EBC.exe	etopt.exe
PID 940 wrote to memory of 884	940	tuc4.exe	tuc4.tmp
PID 940 wrote to memory of 884	940	tuc4.exe	tuc4.tmp
PID 940 wrote to memory of 884	940	tuc4.exe	tuc4.tmp
PID 940 wrote to memory of 884	940	tuc4.exe	tuc4.tmp
PID 940 wrote to memory of 884	940	tuc4.exe	tuc4.tmp
PID 940 wrote to memory of 884	940	tuc4.exe	tuc4.tmp
PID 940 wrote to memory of 884	940	tuc4.exe	tuc4.tmp
PID 1716 wrote to memory of 1248	1716	InstallSetup8.exe	BroomSetup.exe
PID 1716 wrote to memory of 1248	1716	InstallSetup8.exe	BroomSetup.exe
PID 1716 wrote to memory of 1248	1716	InstallSetup8.exe	BroomSetup.exe
PID 1716 wrote to memory of 1248	1716	InstallSetup8.exe	BroomSetup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c8f9ae3dd612caee37ed882aa05b09c3.exe
"C:\Users\Admin\AppData\Local\Temp\c8f9ae3dd612caee37ed882aa05b09c3.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2204

C:\Users\Admin\AppData\Local\Temp\4EBC.exe
C:\Users\Admin\AppData\Local\Temp\4EBC.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1248

C:\Users\Admin\AppData\Local\Temp\nsz23AA.tmp.exe
C:\Users\Admin\AppData\Local\Temp\nsz23AA.tmp.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1624

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1180

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2220

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1640

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1692

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\AppData\Local\Temp\etopt.exe
"C:\Users\Admin\AppData\Local\Temp\etopt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:2852

C:\Users\Admin\AppData\Local\Temp\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\5B3B.exe
C:\Users\Admin\AppData\Local\Temp\5B3B.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Users\Admin\AppData\Local\Temp\is-7D2UJ.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7D2UJ.tmp\tuc4.tmp" /SL5="$9011E,7884275,54272,C:\Users\Admin\AppData\Local\Temp\tuc4.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:884

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231229164720.log C:\Windows\Logs\CBS\CbsPersist_20231229164720.cab
1⤵
- Drops file in Windows directory
PID:1604

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\1650.bat" "
1⤵
PID:436

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:1636

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\23F8.bat" "
1⤵
PID:2008

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\6D48.exe
C:\Users\Admin\AppData\Local\Temp\6D48.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1196

C:\Users\Admin\AppData\Local\Temp\6D48.exe
C:\Users\Admin\AppData\Local\Temp\6D48.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
PID:2152

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c65a5506-2ed2-469f-9d15-e74d2f5ade21" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:3056

C:\Users\Admin\AppData\Local\Temp\6D48.exe
"C:\Users\Admin\AppData\Local\Temp\6D48.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2392

C:\Users\Admin\AppData\Local\Temp\6D48.exe
"C:\Users\Admin\AppData\Local\Temp\6D48.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1296

C:\Users\Admin\AppData\Local\4dfac5d6-9cf9-458a-8eea-8724faf8f7b6\build2.exe
"C:\Users\Admin\AppData\Local\4dfac5d6-9cf9-458a-8eea-8724faf8f7b6\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:780

C:\Users\Admin\AppData\Local\4dfac5d6-9cf9-458a-8eea-8724faf8f7b6\build2.exe
"C:\Users\Admin\AppData\Local\4dfac5d6-9cf9-458a-8eea-8724faf8f7b6\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2536

C:\Users\Admin\AppData\Local\Temp\7093.exe
C:\Users\Admin\AppData\Local\Temp\7093.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 88
3⤵
- Program crash
PID:2584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ClocX\uninst.exe
Filesize
52KB

MD5
3387961372fe91c2cc69b53180cbfee4

SHA1
ede6fb0d2319536efca218d461425d2addffd88e

SHA256
dad57975be6833c50d32ee77212addf11a80195d82365ade6042234e492bd845

SHA512
f6551803b90934a5555587bc81b4758b21fc8bad1653f298846e2195c797932893d761249f9cf527e95809ffc0bfd785872f0b42f56e8adc64bdb06c63f09c5c

Download Submit
C:\Users\Admin\AppData\Local\4dfac5d6-9cf9-458a-8eea-8724faf8f7b6\build2.exe
Filesize
216KB

MD5
a187125322e7072de3196b7ae5684f65

SHA1
c2563b181c8d7a84bb9a758994d4b5fe644315ce

SHA256
69941676bb04f17207d351806d67e888a0b0e064624dd4b72330d81726ef31e3

SHA512
c46831c360acbd942a2dbdd34d400f3309525b2c22df9394ebb9f18a36a5d738471d60e15b8997eb7f8d77a4ba9947209171a796a52bdac67566a51eccd4138e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1650.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.2MB

MD5
1e40d9a53d79aa807eb8af132f417e53

SHA1
9cb867a33a7115138606479baa740632f748ba81

SHA256
d803a1507ae95b77349968fa40c8b1a217c23ce7e54cce2e5ef6ce73f7f576ca

SHA512
99b9ac8390d5fd7ec87aec16e866db0011ab8ce56d8a5cf54fea97b257a5f3d2520726ce4fb238d57590a412f13d80f1bca24ab5e4250ee23bbf86f3c82925eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
4.0MB

MD5
079d0c7dc1afd44ae4abb90da206eb1b

SHA1
f476a2731cc671fdaa0ba457ed465005a42c8f36

SHA256
4a68a7199ef9f74f490f3e16f58cc5be2c1b6096e009b3511c0c23efbaeebceb

SHA512
d992645c54af611aa655e93d537fb9ebb94937f8ecf8bcca0d06abda0976ef95b786a25bb54c783f19c108a2c1da2998ce17c2633d44b82f7aef94940881cb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
2.2MB

MD5
acc0a6df4e5ce7edb97ce4c89c44e6ac

SHA1
402c9c49df7da798eb2f244e5439b61f8a04dded

SHA256
e0c39a04748c6af0b704ec85061aaf266266177dde953a554bd2e301ec9bccf4

SHA512
28948cc12c46bcd6c413813c9f0bf9f77ff60846b4b80fb1b8e4d0bdd69f509dfbd90bf4c331a98df044b03f5cc8c2e3c7f59a7377f7afea7d10e3737c5961bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
3.2MB

MD5
cf7742bf789b5d61aac82978a6695e95

SHA1
87b00c937d26f29eec8f5b40a68aaa9eedce4348

SHA256
18f1aeaa6176a9fa720f12dcc44b232b34c325a5b02087c74c63e98acb5cefa1

SHA512
f180f2a147ef8623ac4fd0dc7c38010fe8430694769c33f1247fb46854e24e96e6156a4c520e081aa6123948f88cd4ba1d5b1dea6a296b13d43f7dbc15ca8e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EBC.exe
Filesize
7.8MB

MD5
372c6fd0b2c5f080d67a1c9759bafada

SHA1
e18626f95951aa1f7ba8b4a683ca59273c5cc796

SHA256
4321fc4e5743346121e38a0e7bdfcc8dc041bcda1229622bd47601f0959b590e

SHA512
6c8cca69b18aaa3b23584fe602d78be6fed4427b8e511f185a76f956026c674c5db9fd214668fadfa2acc20757799e190eb37f7411fa709b19ec66e48bebc11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4EBC.exe
Filesize
14.0MB

MD5
b4891e7e49299207a6516f10bbb70401

SHA1
2b6cca9939dbeffda9f77e5e5ddd3d85b99d98b1

SHA256
8be3a5f402c9a7574393c58dbe5feb417b4c5f1950fa7a1b0e01fef3877f2de2

SHA512
3a6de8a0953ca036cf0d3c2214e0e0b38334420a25ec5a299ca5b8084bc1b614162b22f484acb9bebc8fdf99753417aedfb27254354fda1450efc8d271f290f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B3B.exe
Filesize
640KB

MD5
1da56dd25fda337f220bb18334e5f507

SHA1
2d79736699ad76ed8a1b5f858687f0c4e81cb9f3

SHA256
646d7c768e59a9d95f326dd0f6c489ca599a51ec9bfb818bccf9851e28706673

SHA512
ba9f62c1cce9da9758980d403075a373fc7d0ea4df8c2b191bc15d01afc2aabcdcf61a4a728e681ed20bf9993906757d106900d08754a7d1167b5287cd9d3f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B3B.exe
Filesize
697KB

MD5
fa5b5185d1bc3f18172cc45d57a90352

SHA1
17d480fb1368ff4f1abdaeb0ed3c8198801d13fb

SHA256
2b6d7f851db5cd7965b0f7cad998dcfc12702ecd42fddbe4062f6dde07b49c00

SHA512
37cedae765bfdb0bddf9d8b12759299a51f89cbc7afb90201638cc327f3d5ad7d0aefe058b49d5c2db9d49ee898581aba87bdeeb85928fcc91e93a0689ed7f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D48.exe
Filesize
683KB

MD5
2950cf3e600789b6045b872e19471b0c

SHA1
2aabfb0a893aad067f2dd8ec2bad8bcadb17bfae

SHA256
daa8db2383e3d9fe6cc680385e04fd9aeecee60bc13a4d7c75e55d8d40258d58

SHA512
32653a28155efbcca6a882535c092cf70c9791dd938093369703e883c3a56a782e1e73911068f1c924777892888cf5f4d96ffed3060dc13c3cc07ad2e6491636

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2EEF.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
2.1MB

MD5
5ca6995ca799c73982cdbae116915c7a

SHA1
023f5b7db1b29d03373958ac9a2ccbd2e7b7c869

SHA256
13e6edf45392d5ea83cdccbffee203870677aa735401c4ff3f86dcdee448a8fe

SHA512
7d49af56bc5bfab92824ecdd03aedcdf11633b4eeac645a5dad44ae9e2f37df23ff5e0b37c26f124e514f50104375ad4a5715013e01dfc70cf43a3423f7b73d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
1024KB

MD5
b596daff3d6741203ce409af1fe316f9

SHA1
af9e1a93b00074ef63d0add66c918cab5b765e95

SHA256
c919c6a1e0957f4402446b88cd4ad803f1fe4bd5fef03d749d0f72139311fcf2

SHA512
400edc62e59c12deb7233ed2406856d4ac1456146f3683ab6219230c05506f35c99724bb96327eec2ca5dc87678240ce60e5df324603ff59612c7ac5da35554d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar300B.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
384KB

MD5
d477582af9800b2b6c5201ec645a3bfb

SHA1
a2d7545d425a5afc6fb386795d0ab3b1ee0e5980

SHA256
360061e9ad74f376b076403732ab2faa4648eec5fd0cd03f9c449282e3cf6750

SHA512
25510522a929205882d429b4ca1593a2a40a982445342813291cf45df230f1595c5c96afa72b14c7e4795acb0e19e5d12b5a45028a36bc617a1f58c25ba808d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
320KB

MD5
20bd7024faaa8d1133d0c32a4774ea4f

SHA1
aeeda1c1714700265d2bb13a6b0cf5eb3f62552d

SHA256
d88066d261fc7932117d77be379f66abefb482d6090a619b17782fc7da5616ea

SHA512
8a36fa1ddefe78d2666a169f2551da66e943e9da0026f73e2a7265a41ca7e294f5aa282d87c0cc9bcd5a893215ddf813c0dfec43820a5107dc889656266134c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7D2UJ.tmp\tuc4.tmp
Filesize
384KB

MD5
5828aca657ac6fc1162baca8bdb9af8a

SHA1
dcef8ebd291ac6aee0b5ca8d5f72f134349d399a

SHA256
b074e451162ae783800f492812b27168fe9d485495ee799df5368dc1681f61bb

SHA512
dc8593f55c3085e08d365fce27ca262a03a91cd1f22384969c1c47d67385380b6d68fd3f6907cda5bf47baf63df271728d2a815883e2442afef7697498fa63b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse7A11.tmp\Checker.dll
Filesize
41KB

MD5
8dcc038ce15a235ea9e22fc9663e4c40

SHA1
cc702c128e3035d42220bd504d6c061967d3726f

SHA256
64b23aa5ca4e2e516fae3d2480957d6f1065c91caa930e0ffac2bda1cadea76a

SHA512
bf81fee736e02680b2d5cd23dd360430b9bd97ad1f75ae9485e82b548f61b83a092c5e17a4d537a06ece6384003aeb9b7b9e7eac4a7ffb2b371160570bce6b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse7A11.tmp\Zip.dll
Filesize
76KB

MD5
0f459c2bd249a8b1f4b1b598d8e5299d

SHA1
ca47103107cd686d002cb1c3f362efc5750bfeb4

SHA256
acd3d2b809c320bb8b93385212bac23536bd6894e8e2638a5e85468ccd54fb3b

SHA512
1a7e6e48ee9d966a59082f2ad3b6405d8bbdc1a45f54dec1de9fd1a16b34bb0dc422683ecffd5dfb484db3c5c42caea410d49debeae50ba3979520834212afe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.8MB

MD5
c41c3be9c15587a82952179c1c4467e3

SHA1
4015bd6d980e260c3bf759c37ef1463fd4d88bc2

SHA256
ab3ca69ff0282d028f4b8460e921d37553e98ebf12c6a9f8c6741875d889e9d3

SHA512
17c69a1d66c53d82036806e82fe849570052853839eeefde1f9cb4ec5e3628ed7dc3d06d453b9f35fd7cf51abb8006c78322841ad37829d6b87638fc7060f4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
1.1MB

MD5
f7699cb4862b387069358a657ef9ecfe

SHA1
b2f07481cf47d3700f24aa3a2b3331aea6a1e1bc

SHA256
4fa58ede79c3284dfac0f2df931eabf83656bf919f9a9e0b699200552aed427a

SHA512
dafbaa2d30615e1b776962fe90d520b3e2899ae2380096c828720c91e3951b81366b65650a9be530fca4bf2ddf4e77502cc146612ca94df34022df864c5f4e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
832KB

MD5
d21d88f2230f668b6cda380ae6aebebe

SHA1
835b3d2109c4226b9b617c5e4c7ef7c129bcc186

SHA256
706fbe28a5b26cb49551ce9c5b47c309e8bf2bfca68e585c437498d663e6cf6f

SHA512
ea3416b49ba3178f389709e76e6ca19ccc081175af1bd6add300e80e1bcae4350a3e062c6dcb590c47da054099d8ede2993283b9309a0d610e06d5fe97bf81b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\ClocX.lnk
Filesize
1010B

MD5
c7af15abbe42dd64ac594e7eaf904218

SHA1
07d0015f0a748bad0a9088d673fa9a0a06a38f84

SHA256
d6aaa631d1124b3106edc2e99830aea876714e071dfdc7e6cd7a0e9893de37d4

SHA512
8e6be501b3dce1dc7b3ab7369e58d79e8adbc819211151446b2396e487ed2c8a66001b09c1023a69ba246e520dd88c473a8adaccf926fe92cbd481a6e216ac61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ClocX\Uninstall.lnk
Filesize
798B

MD5
d8578ef87a039e45a361d009355342eb

SHA1
155f690da27c4d248ed32f5560276df06cabf120

SHA256
24e4244ffed255b1673246e93f211de946aaabbcd5b4eff7ad8a178af0caa9e5

SHA512
c37486d79957948e2d957e373d94f81ac85378d06601e1ec097ff72abf382855152e952013f4ccb86ad1c43b15a7648ea94d232f83d2948a289bee7cd890a64a

Download Submit
C:\Windows\rss\csrss.exe
Filesize
1.1MB

MD5
9098f68dca5d0333f46de1d35ca84346

SHA1
8fd4139c71a9ed6b039e2d5040db945380582c9a

SHA256
eca53a5539714a35ab15e97a542a1e8284204d0c88a12381197bdd1f84b6660c

SHA512
d8fa352a646607c80425f367f7c3e212d01cf8f17c9e916ddb3260adf9efebbe396759da1d0952b006aa3086414eebbc7da8eb3e676ff58e966124cd10bae993

Download Submit
C:\Windows\rss\csrss.exe
Filesize
3.9MB

MD5
486f0e785fe6701a99a4a111a06f35ef

SHA1
089a7b749a423d66bee6b3e454bfe8e539a0f057

SHA256
9b5c2175c3ca3b5c8d7863242c3668bdcc91d31c074653ce920a7f3a5f818806

SHA512
36650351600988f64c7b70703c34dc981651cc907beb6412a5fccdde7cdf703abdddb80dd1e7fe8094a36b853b3f7afe77c8e3f3d08a858463bb9c3ae25694d5

Download Submit
\??\c:\users\admin\appdata\local\temp\is-7d2uj.tmp\tuc4.tmp
Filesize
192KB

MD5
24c64497bc44c6f1b909be4bc88d654c

SHA1
817e8bb4017c604b7578ef248c7fbea120629c1c

SHA256
73881aa1a1ab32fd4ff87b73b4a4774aa15014248d2642e18ae5bf74db6255fa

SHA512
746d888c924d6d5ae83bb4742f8bd096395f5276f09243ad135949ed2bb0436aa040dd01c2ec4b43b9deea7135d1df444dcfe4fc4e736418a5b80ab5e381623d

Download Submit
\Program Files (x86)\ClocX\ClocX.exe
Filesize
2.0MB

MD5
2943a5a31664a8183e993d480b8709bc

SHA1
e7c28c1692073cf3769b61a8b298d09497d2a635

SHA256
282397f5efc6b5a517881350736901620649c3cf0a692423cf77b9093f933e8b

SHA512
f6dfa47d02dc9d1d874b5618c354961ea70e7c5223c27efeb530dbcead610aa8255dfeefe3a68325db9b00ac9df6a5519c885f91ecb82e582bbfa34364cd3518

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
2.4MB

MD5
d0ddd0f8b4d0f786b60a89f9480caa20

SHA1
8c433728661e35db9fe8088a3f55fb6fccb74614

SHA256
999c7c2aa6a87a70ce4d53ce406d445ce74b2937e625810d1b3775757f8f6091

SHA512
7eb50df4a3b4ac593c16a06096aa8e98548f9a5a0c9cc6902da87da39b27727a49c472ca53efa9551f3fd59ad5e816b4fe9dc63efbb84d111bea3f4dc69ef48b

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
2.3MB

MD5
93611573d71322aae46496a3d5ceda17

SHA1
7dfaffc670f324c55ac9b9ba0a604c5d37b89b3e

SHA256
83b5e1d37a3a8de2ea6e49709b16e2478cdff558c0334fec937ccf48b2ceebac

SHA512
48b867e69329555fd6834a67fbb98e606a0f0887e0004ba965b7f1ea683be0a973c10564e38dfb9588bfb61b654d1e0fcf56fdbb6a0b57f16f5a6c032f4dd00d

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
Filesize
2.2MB

MD5
2455035a5016a9754a31cb3bdfe2c4d3

SHA1
9502b1af5a42cd432b98f4838f146fd536b7ae1f

SHA256
2ab364fd20d2ab817d94cd210e7396ea37dd4c2aaa8fa6a60b2c9992ee95981f

SHA512
5b7f5f25619a17e17acfa12a83ad0848b9245d1bd17923561e6e411dcf4719e257e097eebe06f37548a541199598ac814dfc3355dd5da674a570aa7fcb65ff29

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\etopt.exe
Filesize
64KB

MD5
68d7f2188f1b8f728f54452f61429fa4

SHA1
33b0ee803ac69e307c0f51d177380e0349e02b28

SHA256
bd3319cec648942934e964a44f2e34686713348b2b6b47693b6ff9fe5dcfa0b0

SHA512
11aa4780ebb3a5a3255b2a2977218b7edd33b1f08dd22d176b42c95c9b8da1212077dbd203ac17391247ee4ef53a3b87634dc475ccd71a8070199b55b8190d8f

Download Submit
\Users\Admin\AppData\Local\Temp\is-7D2UJ.tmp\tuc4.tmp
Filesize
512KB

MD5
3da573317b16d86521ffb95041d9c6bf

SHA1
5292685806d6f02a15303e22146e528d43675fce

SHA256
4626b61c2b068ecee14c274eea074027ddf3a9a00047abc1a2aef496a17a3465

SHA512
e294327cdb6317ec80f1d3967463e923497fa31f3bd542dcec573e100f07c7fc47cb9a6f90452fba906febfb2f29d111c6312842f1130d28abf115d60bb99369

Download Submit
\Users\Admin\AppData\Local\Temp\is-PKDBU.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PKDBU.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-PKDBU.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\nse7A60.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nse7A60.tmp\INetC.dll
Filesize
9KB

MD5
2f5c2b47a592e4bef97829395d38e602

SHA1
72fe399d4ad92668db1c1f5148044c433936142a

SHA256
c122f80fd4088e147a1b2cb4c93a1f146c72fca418a0d4e50d7c371c000ff257

SHA512
6e4a5c79fa7eebe8ad34cbdbe9483ce8b7a011e2414bb7e82241343a4a481cf311159452f2e9314ec40d33b5adeb934e4d565fce79c39df047105cb70a49b961

Download Submit
\Users\Admin\AppData\Local\Temp\nsz23AA.tmp.exe
Filesize
189KB

MD5
a489451e7885c377550df325bc4ca9ae

SHA1
21c72370f35211453e7a138a2e3aadf1f3c5fe1d

SHA256
e1a43c5dade2825c2dfa9ef9c41c552709f15875174c97af87d1884ca5575e2a

SHA512
5afb5e509f9825eee48e6f444d74ad8eada8ba8f7a6215748c6c984d5a4d0e52420d779f24ef9253754a1ce1f59a1d219d80441bb15cb11046ca75e48c414022

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
3.7MB

MD5
8dd96c17c6396489bfcbf6264b877612

SHA1
e6fe009ba5a1c4bb53a599ac8b485ccb313e683d

SHA256
cb59a5dbbfd8730b4509a83406dc22451cda8083c1b9e255e9b789ada16e5f90

SHA512
76da27615d4318d29c1529738a992f4ce8e3c8907a2a14bd64aa682d66cb48e82252dad1c2c6f9b78adb9ac95cd2303bb95f8f6f76d157bd18201339b343d4dd

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
1.9MB

MD5
71f6ec4bf5b766f63788a7b37dc472ed

SHA1
889f7096dbcd8202e088340a67c0b7eeb6a88023

SHA256
256a11da83914adadf7d53fd7abafe68d2ab97d4bf3972a23ab8cc5748f00b5f

SHA512
cb2c62e9258805ff7280fd8ba2d49f0bf77e82dc64386c10b73f5af5afd722d36e4b4e823df43a2a917fdfd29e536b41b0a92b84dac190d2917910aeb0055ff1

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
3.6MB

MD5
170d66f9d75e64f50a295116ca704c25

SHA1
db0854fd1c8c705d62411aa8f13be7d2ebe2e476

SHA256
f6de5ced2a6adeb6c8422030a373c0a25756c5c79c5b066d9999a03ad9c04fd7

SHA512
d51b5ae12e52adf56941e8c4fadedaa6683fc013f6aa6a8c431db72fbf882d74ae75a940f53e7b793bf11e0740cc68eee3715e33eb526c4bdef42b51b74062c9

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
283KB

MD5
2d24e3baa2a16e47bee10e91381e6391

SHA1
013b59b2cd69e93694196dfb34fddc8684cfd619

SHA256
ff2e975c649d66476c48ac9fe64455eb0727fede676d000728d09d62d2dc6db4

SHA512
be515895b29390e1c9c44620f7b18c8ae57d08627b8bbf7484b551ccf079011f95baa78e71c1a2a6280b544dd06444b509b7c9ba126b525d813afd68010b03e7

Download Submit
\Users\Admin\AppData\Local\Temp\tuc4.exe
Filesize
1.2MB

MD5
eb3cc9573f7bd60d863f7e9a4af7b705

SHA1
5fc4e828097f580d5d4708e860662c92ca2702d9

SHA256
f5be61a930bb3183ae31a41b7e5c1152be90b7fcb116a45ec751a6205899ef22

SHA512
b01116bae1153d233f9d50c851ed9be1103cc6df1ab56082bb84cdd0cac4a8121f0e6857acd2d4e6cfbc504f633d8431c0a46c4f7e36c62f434c428e905374be

Download Submit
\Windows\rss\csrss.exe
Filesize
2.5MB

MD5
4daafaa1f3f30dd27db073ec6faa542c

SHA1
7b1f99e417a2c0324e3f541f479514ea1e22d57c

SHA256
313ddcece5f025fcae389e162b24011193c5a9526450deb7fb3fae03024f9251

SHA512
a782f751e58b1c91550bb49eba4ac7e53257c5dea0949b7e666faef7142e4b1b37f9a8504348fa39af15a1730394a0e41ed687e4085d2dfcbff9052527f25f29

Download Submit
\Windows\rss\csrss.exe
Filesize
3.7MB

MD5
9858d87535b2b86433574184a1f26342

SHA1
4940595827d9a6bedba6ba041898b6ec44bb0c3c

SHA256
10f9e23eef912f50655ac5f832ca6e0dec71cc31adcd96acf871f79aef4f4155

SHA512
35146271c2ce53675b57cd111daf699641a0ccbe500586817c540010220aa09924c349d4dbad71789530f8cf968f34cd7782d2ca7e1b6aef7b9c92f0bedef003

Download Submit
memory/884-122-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/884-538-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/884-338-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/940-267-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/940-88-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/940-82-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1180-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1180-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1180-69-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1180-187-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1196-746-0x0000000002170000-0x000000000228B000-memory.dmp

Filesize
1.1MB

Download
memory/1196-754-0x00000000002B0000-0x0000000000341000-memory.dmp

Filesize
580KB

Download
memory/1196-745-0x00000000002B0000-0x0000000000341000-memory.dmp

Filesize
580KB

Download
memory/1240-1-0x0000000002550000-0x0000000002566000-memory.dmp

Filesize
88KB

Download
memory/1240-138-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download
memory/1248-270-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1248-342-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/1248-543-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1296-796-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1296-859-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1484-535-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1484-519-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/1484-536-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/1484-518-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/1484-523-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1624-669-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1624-613-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/1624-614-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1624-615-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/1624-759-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/1624-760-0x0000000000400000-0x0000000000851000-memory.dmp

Filesize
4.3MB

Download
memory/1692-572-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1692-551-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1728-761-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-835-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-762-0x0000000000A30000-0x0000000000F6E000-memory.dmp

Filesize
5.2MB

Download
memory/1728-764-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-825-0x0000000005410000-0x00000000056C0000-memory.dmp

Filesize
2.7MB

Download
memory/1728-826-0x00000000066C0000-0x0000000006852000-memory.dmp

Filesize
1.6MB

Download
memory/1728-830-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-871-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-841-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-840-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-831-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-838-0x0000000006DA0000-0x0000000006EA0000-memory.dmp

Filesize
1024KB

Download
memory/1728-837-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-836-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-834-0x0000000004DF0000-0x0000000004E30000-memory.dmp

Filesize
256KB

Download
memory/1728-832-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/1728-833-0x0000000074860000-0x0000000074F4E000-memory.dmp

Filesize
6.9MB

Download
memory/2116-689-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2116-588-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2116-589-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/2116-537-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/2116-571-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2116-541-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2116-540-0x0000000002C10000-0x00000000034FB000-memory.dmp

Filesize
8.9MB

Download
memory/2116-539-0x0000000002810000-0x0000000002C08000-memory.dmp

Filesize
4.0MB

Download
memory/2152-784-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2152-756-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2204-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2204-2-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2392-787-0x0000000000290000-0x0000000000321000-memory.dmp

Filesize
580KB

Download
memory/2540-48-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2540-55-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2556-37-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/2556-25-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-66-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2556-41-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2556-38-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2556-70-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2556-21-0x0000000000860000-0x0000000000914000-memory.dmp

Filesize
720KB

Download
memory/2852-141-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/2852-247-0x0000000003E90000-0x0000000004AB8000-memory.dmp

Filesize
12.2MB

Download
memory/2852-140-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2852-263-0x0000000002D50000-0x0000000002D8A000-memory.dmp

Filesize
232KB

Download
memory/2864-520-0x00000000027A0000-0x0000000002B98000-memory.dmp

Filesize
4.0MB

Download
memory/2864-78-0x00000000027A0000-0x0000000002B98000-memory.dmp

Filesize
4.0MB

Download
memory/2864-264-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2864-517-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2864-99-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2864-81-0x00000000027A0000-0x0000000002B98000-memory.dmp

Filesize
4.0MB

Download
memory/2864-87-0x0000000002BA0000-0x000000000348B000-memory.dmp

Filesize
8.9MB

Download
memory/2864-522-0x0000000002BA0000-0x000000000348B000-memory.dmp

Filesize
8.9MB

Download
memory/2908-71-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2908-43-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2908-84-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2908-57-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2908-42-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2908-45-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2908-49-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2908-63-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2952-97-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-18-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2952-13-0x0000000000C90000-0x0000000001F6E000-memory.dmp

Filesize
18.9MB

Download