dcrat | 84d011e18cec6190e2c79b270e9d2d575bfaa63998f50d13d3f9da147f49b799

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

7.3MB
MD5

6af4b8b8c8399fca6798e3f2d7df9af5
SHA1

7cc85c826668d6f09b43ea9358ecdc57fecf398b
SHA256

84d011e18cec6190e2c79b270e9d2d575bfaa63998f50d13d3f9da147f49b799
SHA512

05089cf4cedc6f87a08fc2d193e90313e5e8422d3578321fad3af9f4bb97c4647c12b6f1d80bfcdb8c233a2171f895571dfb9047a52c5878f0a29ea02426439b
SSDEEP

196608:pv8GpkVa20mO8hnsSSU/sYE7m/TV38zQF5srpXh+LyDU:zythO+1SNMGcF5svH

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2580-688-0x0000000002BF0000-0x0000000002D18000-memory.dmp	family_fabookie

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2732-476-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/2812-478-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2812-616-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1880-363-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1880-368-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1880-367-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1508-361-0x0000000001D70000-0x0000000001E8B000-memory.dmp	family_djvu
behavioral1/memory/1880-390-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2080-403-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2080-402-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2080-430-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2080-429-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2080-431-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2080-438-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2080-437-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2080-435-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2816-47-0x0000000002AF0000-0x00000000033DB000-memory.dmp	family_glupteba
behavioral1/memory/2816-49-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2816-60-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1360-73-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2816-72-0x0000000002AF0000-0x00000000033DB000-memory.dmp	family_glupteba
behavioral1/memory/1360-157-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1196-161-0x0000000002BB0000-0x000000000349B000-memory.dmp	family_glupteba
behavioral1/memory/1196-162-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1196-296-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1196-323-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1196-326-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1196-395-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1196-420-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2688	bcdedit.exe
2908	bcdedit.exe
2676	bcdedit.exe
2748	bcdedit.exe
2916	bcdedit.exe
2608	bcdedit.exe
328	bcdedit.exe
1920	bcdedit.exe
2848	bcdedit.exe
2088	bcdedit.exe
2360	bcdedit.exe
1748	bcdedit.exe
1756	bcdedit.exe
680	bcdedit.exe

Blocklisted process makes network request 1 IoCs

Processes:

schtasks.exe

flow pid process

12 1136 schtasks.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe

flow	pid	process
12	1136	schtasks.exe

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1864 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

pid	process
1864	netsh.exe

Executes dropped EXE 22 IoCs

Processes:

InstallSetup9.exetoolspub1.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroomSetup.exerty25.exe31839b57a4f11171d6abc8bbc4451ee4.exeschtasks.execsrss.exepatch.exeinjector.exe6FD3.exedsefix.exe83B2.exe83B2.exe83B2.exe83B2.exewindefender.exewindefender.exebuild2.exebuild2.exeF3F.exe14BC.exe

pid	process
2028	InstallSetup9.exe
2824	toolspub1.exe
2816	31839b57a4f11171d6abc8bbc4451ee4.exe
3028	BroomSetup.exe
2580	rty25.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
1136	schtasks.exe
1196	csrss.exe
1896	patch.exe
3068	injector.exe
404	6FD3.exe
2668	dsefix.exe
1508	83B2.exe
1880	83B2.exe
796	83B2.exe
2080	83B2.exe
1964	windefender.exe
2252	windefender.exe
2732	build2.exe
2812	build2.exe
1704	F3F.exe
968	14BC.exe

Loads dropped DLL 37 IoCs

Processes:

tmp.exeInstallSetup9.exe31839b57a4f11171d6abc8bbc4451ee4.execsrss.exeschtasks.exe83B2.exe83B2.exe83B2.exe83B2.exeWerFault.exeWerFault.exe

pid	process
3016	tmp.exe
3016	tmp.exe
3016	tmp.exe
3016	tmp.exe
3016	tmp.exe
2028	InstallSetup9.exe
2028	InstallSetup9.exe
3016	tmp.exe
2028	InstallSetup9.exe
2028	InstallSetup9.exe
2028	InstallSetup9.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
860
1196	csrss.exe
1136	schtasks.exe
1136	schtasks.exe
2028	InstallSetup9.exe
1196	csrss.exe
1508	83B2.exe
1880	83B2.exe
1880	83B2.exe
796	83B2.exe
2080	83B2.exe
2080	83B2.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe
2792	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

268 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
268	icacls.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1964-424-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
C:\Windows\windefender.exe	upx
C:\Windows\windefender.exe	upx
behavioral1/memory/1964-428-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2252-427-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
C:\Windows\windefender.exe	upx
behavioral1/memory/2252-442-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\31839b57a4f11171d6abc8bbc4451ee4.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	31839b57a4f11171d6abc8bbc4451ee4.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe83B2.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e4e025d6-5092-4735-a5fa-1ae764491e57\\83B2.exe\" --AutoStart"	83B2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

14BC.exe

pid process

968 14BC.exe
968 14BC.exe

flow	ioc
38	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

pid	process
968	14BC.exe
968	14BC.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

83B2.exe83B2.exebuild2.exe

description	pid	process	target process
PID 1508 set thread context of 1880	1508	83B2.exe	83B2.exe
PID 796 set thread context of 2080	796	83B2.exe	83B2.exe
PID 2732 set thread context of 2812	2732	build2.exe	build2.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 5 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exemakecab.execsrss.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240129172414.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2764 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2700 2812 WerFault.exe build2.exe
2792 1704 WerFault.exe F3F.exe

pid	process
2764	sc.exe

pid	pid_target	process	target process
2700	2812	WerFault.exe	build2.exe
2792	1704	WerFault.exe	F3F.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe6FD3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6FD3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6FD3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6FD3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

schtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	schtasks.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	schtasks.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2748 schtasks.exe
2944 schtasks.exe
1136 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1964 timeout.exe

pid	process
2748	schtasks.exe
2944	schtasks.exe
1136	schtasks.exe

pid	process
1964	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exenetsh.exewindefender.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe

Modifies registry class 5 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rty25.execsrss.exepatch.exebuild2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rty25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exe31839b57a4f11171d6abc8bbc4451ee4.exe31839b57a4f11171d6abc8bbc4451ee4.exeschtasks.exeinjector.exe

pid	process
2824	toolspub1.exe
2824	toolspub1.exe
2816	31839b57a4f11171d6abc8bbc4451ee4.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
1360	31839b57a4f11171d6abc8bbc4451ee4.exe
1136	schtasks.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
3068	injector.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
3068	injector.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
3068	injector.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
3068	injector.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
3068	injector.exe
1140
1140

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

480
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

toolspub1.exe6FD3.exe

pid process

2824 toolspub1.exe
404 6FD3.exe

pid	process
480

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.execsrss.exesc.exeexplorer.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2816	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2816	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeSystemEnvironmentPrivilege	1196	csrss.exe
Token: SeSecurityPrivilege	2764	sc.exe
Token: SeSecurityPrivilege	2764	sc.exe
Token: SeShutdownPrivilege	1140
Token: SeShutdownPrivilege	1140
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe
Token: 33	2200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2200	AUDIODG.EXE
Token: 33	2200	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2200	AUDIODG.EXE
Token: SeShutdownPrivilege	2108	explorer.exe
Token: SeShutdownPrivilege	2108	explorer.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

explorer.exe

pid	process
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

explorer.exe

pid	process
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe
2108	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BroomSetup.exe14BC.exe

pid process

3028 BroomSetup.exe
968 14BC.exe

pid	process
3028	BroomSetup.exe
968	14BC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeInstallSetup9.exe31839b57a4f11171d6abc8bbc4451ee4.exewindefender.exeBroomSetup.execmd.execsrss.exeschtasks.execonhost.exe

description	pid	process	target process
PID 3016 wrote to memory of 2028	3016	tmp.exe	InstallSetup9.exe
PID 3016 wrote to memory of 2028	3016	tmp.exe	InstallSetup9.exe
PID 3016 wrote to memory of 2028	3016	tmp.exe	InstallSetup9.exe
PID 3016 wrote to memory of 2028	3016	tmp.exe	InstallSetup9.exe
PID 3016 wrote to memory of 2028	3016	tmp.exe	InstallSetup9.exe
PID 3016 wrote to memory of 2028	3016	tmp.exe	InstallSetup9.exe
PID 3016 wrote to memory of 2028	3016	tmp.exe	InstallSetup9.exe
PID 3016 wrote to memory of 2824	3016	tmp.exe	toolspub1.exe
PID 3016 wrote to memory of 2824	3016	tmp.exe	toolspub1.exe
PID 3016 wrote to memory of 2824	3016	tmp.exe	toolspub1.exe
PID 3016 wrote to memory of 2824	3016	tmp.exe	toolspub1.exe
PID 3016 wrote to memory of 2816	3016	tmp.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3016 wrote to memory of 2816	3016	tmp.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3016 wrote to memory of 2816	3016	tmp.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3016 wrote to memory of 2816	3016	tmp.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2028 wrote to memory of 3028	2028	InstallSetup9.exe	BroomSetup.exe
PID 2028 wrote to memory of 3028	2028	InstallSetup9.exe	BroomSetup.exe
PID 2028 wrote to memory of 3028	2028	InstallSetup9.exe	BroomSetup.exe
PID 2028 wrote to memory of 3028	2028	InstallSetup9.exe	BroomSetup.exe
PID 2028 wrote to memory of 3028	2028	InstallSetup9.exe	BroomSetup.exe
PID 2028 wrote to memory of 3028	2028	InstallSetup9.exe	BroomSetup.exe
PID 2028 wrote to memory of 3028	2028	InstallSetup9.exe	BroomSetup.exe
PID 3016 wrote to memory of 2580	3016	tmp.exe	rty25.exe
PID 3016 wrote to memory of 2580	3016	tmp.exe	rty25.exe
PID 3016 wrote to memory of 2580	3016	tmp.exe	rty25.exe
PID 3016 wrote to memory of 2580	3016	tmp.exe	rty25.exe
PID 2028 wrote to memory of 1136	2028	InstallSetup9.exe	schtasks.exe
PID 2028 wrote to memory of 1136	2028	InstallSetup9.exe	schtasks.exe
PID 2028 wrote to memory of 1136	2028	InstallSetup9.exe	schtasks.exe
PID 2028 wrote to memory of 1136	2028	InstallSetup9.exe	schtasks.exe
PID 1360 wrote to memory of 1964	1360	31839b57a4f11171d6abc8bbc4451ee4.exe	windefender.exe
PID 1360 wrote to memory of 1964	1360	31839b57a4f11171d6abc8bbc4451ee4.exe	windefender.exe
PID 1360 wrote to memory of 1964	1360	31839b57a4f11171d6abc8bbc4451ee4.exe	windefender.exe
PID 1360 wrote to memory of 1964	1360	31839b57a4f11171d6abc8bbc4451ee4.exe	windefender.exe
PID 1964 wrote to memory of 1864	1964	windefender.exe	netsh.exe
PID 1964 wrote to memory of 1864	1964	windefender.exe	netsh.exe
PID 1964 wrote to memory of 1864	1964	windefender.exe	netsh.exe
PID 1360 wrote to memory of 1196	1360	31839b57a4f11171d6abc8bbc4451ee4.exe	csrss.exe
PID 1360 wrote to memory of 1196	1360	31839b57a4f11171d6abc8bbc4451ee4.exe	csrss.exe
PID 1360 wrote to memory of 1196	1360	31839b57a4f11171d6abc8bbc4451ee4.exe	csrss.exe
PID 1360 wrote to memory of 1196	1360	31839b57a4f11171d6abc8bbc4451ee4.exe	csrss.exe
PID 3028 wrote to memory of 2844	3028	BroomSetup.exe	cmd.exe
PID 3028 wrote to memory of 2844	3028	BroomSetup.exe	cmd.exe
PID 3028 wrote to memory of 2844	3028	BroomSetup.exe	cmd.exe
PID 3028 wrote to memory of 2844	3028	BroomSetup.exe	cmd.exe
PID 2844 wrote to memory of 2688	2844	cmd.exe	bcdedit.exe
PID 2844 wrote to memory of 2688	2844	cmd.exe	bcdedit.exe
PID 2844 wrote to memory of 2688	2844	cmd.exe	bcdedit.exe
PID 2844 wrote to memory of 2688	2844	cmd.exe	bcdedit.exe
PID 2844 wrote to memory of 2748	2844	cmd.exe	bcdedit.exe
PID 2844 wrote to memory of 2748	2844	cmd.exe	bcdedit.exe
PID 2844 wrote to memory of 2748	2844	cmd.exe	bcdedit.exe
PID 2844 wrote to memory of 2748	2844	cmd.exe	bcdedit.exe
PID 1196 wrote to memory of 3068	1196	csrss.exe	injector.exe
PID 1196 wrote to memory of 3068	1196	csrss.exe	injector.exe
PID 1196 wrote to memory of 3068	1196	csrss.exe	injector.exe
PID 1196 wrote to memory of 3068	1196	csrss.exe	injector.exe
PID 1136 wrote to memory of 1728	1136	schtasks.exe	conhost.exe
PID 1136 wrote to memory of 1728	1136	schtasks.exe	conhost.exe
PID 1136 wrote to memory of 1728	1136	schtasks.exe	conhost.exe
PID 1136 wrote to memory of 1728	1136	schtasks.exe	conhost.exe
PID 1728 wrote to memory of 1964	1728	conhost.exe	windefender.exe
PID 1728 wrote to memory of 1964	1728	conhost.exe	windefender.exe
PID 1728 wrote to memory of 1964	1728	conhost.exe	windefender.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:2688

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- Creates scheduled task(s)
PID:2748

C:\Users\Admin\AppData\Local\Temp\nst1B21.tmp
C:\Users\Admin\AppData\Local\Temp\nst1B21.tmp
3⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nst1B21.tmp" & del "C:\ProgramData\*.dll"" & exit
4⤵
PID:1728

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:1964

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2824

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1964

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1864

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1896

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:2688

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:2908

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2748

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:2916

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:2608

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:328

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:1920

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2848

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2088

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:2360

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1748

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:1756

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:680

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2944

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:2676

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Creates scheduled task(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2580

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240129172414.log C:\Windows\Logs\CBS\CbsPersist_20240129172414.cab
1⤵
- Drops file in Windows directory
PID:1656

C:\Users\Admin\AppData\Local\Temp\6FD3.exe
C:\Users\Admin\AppData\Local\Temp\6FD3.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:404

C:\Users\Admin\AppData\Local\Temp\83B2.exe
C:\Users\Admin\AppData\Local\Temp\83B2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1880

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e4e025d6-5092-4735-a5fa-1ae764491e57" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:268

C:\Users\Admin\AppData\Local\Temp\83B2.exe
"C:\Users\Admin\AppData\Local\Temp\83B2.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:796

C:\Users\Admin\AppData\Local\Temp\83B2.exe
"C:\Users\Admin\AppData\Local\Temp\83B2.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080

C:\Users\Admin\AppData\Local\58544b98-8643-494d-85c7-b36f2c86c376\build2.exe
"C:\Users\Admin\AppData\Local\58544b98-8643-494d-85c7-b36f2c86c376\build2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2732

C:\Users\Admin\AppData\Local\58544b98-8643-494d-85c7-b36f2c86c376\build2.exe
"C:\Users\Admin\AppData\Local\58544b98-8643-494d-85c7-b36f2c86c376\build2.exe"
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1416
6⤵
- Loads dropped DLL
- Program crash
PID:2700

C:\Users\Admin\AppData\Local\Temp\83B2.exe
C:\Users\Admin\AppData\Local\Temp\83B2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1508

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2252

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-389522325685124887-1729017817-1725902032026052705-1269196913-9118414-1096165260"
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\F3F.exe
C:\Users\Admin\AppData\Local\Temp\F3F.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:2792

C:\Users\Admin\AppData\Local\Temp\14BC.exe
C:\Users\Admin\AppData\Local\Temp\14BC.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:968

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
499359e82a27b14b369650a30d095366

SHA1
813c2e5519a3ea085fe2d124cf34fe6df310c7fd

SHA256
219adac68781731fb2f2b19b3ea3c0585695faf08e58fc5d5f184e7df11f8212

SHA512
6a8aa9ef0442aa663a487616e37adc8b49490f760d2e7d25c14cf496552622a9bf1ace274b7ff0822c0b693315ffdf592692f90cc2f8855f2e2ba49722971637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
c7fc1bf787a4f17ec70a38a642e86f15

SHA1
f07b13fd01c537e65900289d98267f65a1d16a3a

SHA256
8cd77c4d681b85357ba57a5be3d175686158d2226a350e34f280ae4cff301419

SHA512
26cdf37ebcec120f16488da5633b60e114493d4aae7c080088a2ab1120a766528ca509cf5e97d607a53c60dddec471a276889df188685b9bb7bc6e43acbae159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
55f2164783bbefd55a599ad6509bf211

SHA1
29629887848cb8af0431765d5d107eb26b1a3c73

SHA256
553cfd75d2a90720c91f8a2ad684dbebb9b4a192d47f973549afd077525e8414

SHA512
41fcd3fb516ce98fc48f4bb44a9d0324e7e81e8376ef734f4a2f56beed463ca3e31059f7f2b0b1d32e75bbfe1abca33dfa86e2e291ef317715b2f8bb6305f61e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
006ca3dc6196dba4a550338db707429e

SHA1
e01ec1824d43d764c40f72a2d323714da8703c2a

SHA256
74e22e7df716f08ed5dc3915898c6c57855a0de90a2ac7b6690ee5410c7bfba7

SHA512
899d88c43484b62f647f73e0bf8d8fc6cf1cd2509a0d81818247090ae90db18d1df3a4390b906ad2daf78c55e3d523bea790ee495126600cecb016035695f7e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
79b7ff595c63a0cffb3847eed3658cbe

SHA1
ae111625cc501ad49d111ff76f11bddde09f2c71

SHA256
4d872bc5618b31aa9369f18cfae660452333725ec5052efe511d123850fe61ab

SHA512
f1f44ca2e5b9cc8b09fa05a72cc6e8ae772a554d2d8b7b49c339722392231fe4ac0aa7acc85f11ab51fa1755e171ceb5040bfbf6fe6162fe55951e664c1964d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
7bf22256ff276b2bbe1ca2031d97a40f

SHA1
b69d3f9bad7741ed5722fb123096c2b2c9fb2e57

SHA256
82035dc4829ced7eb84cda8960b1aa8b11a9828154631af5e6fa6cd4589b8d2b

SHA512
9349fae649e5837bcc639f9e7e00f4628f2672be2b6c6d5858ea0870446cdc978d02d91503c011890548b54b16a49755750babaec1ea8e97ec4aeb91a23d9980

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
132KB

MD5
4ea356c073fb9997b92f9ca813960db8

SHA1
d1cc5d0e0f7df9a821181e0700a66d81b7193949

SHA256
0f03f80924d526f923addb3df14c3d5d4995c6aa06adea2567f0dd32baa35bbe

SHA512
7daeef0f08bda3f5ba443088577362f23fb112b32cce72ee7b67037f342762e5d78d28867f79f40d08d93e60f4c616523cb4ddbffb9f35c25edbf10c569c9f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
187KB

MD5
6ad80059820a2f3181ab8951dddb3838

SHA1
e8eb35dd63b904ffc03d1e69a2df43c8f4aa9c1e

SHA256
3fc08f765c02828a0995edadf1f33370b05c00994cf6cdd5bc7545440aa9ee7e

SHA512
3b6cdd13e8d4d87c40790b42b07bf600064525594b69ebe2602dbb7cb5cea6353bac648d06f002f16ebec7c5af6e1d058ca4ff8909f4d2d0567c682b3b54be49

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
164KB

MD5
68d6b62dc28edaad85aa5c7def725218

SHA1
d22f186f2227f47cbd09b8db1113fd2184f7c389

SHA256
93fae8c7941baba4d7ea5af1eb922e1e233f9de7be963ea82167f59a49da5497

SHA512
2e4b29965817101044682302d6ffcc8735e6ec3062f4581b30e57134260737b223153e3d0e46e23587bebc135bbaaa6d8a2aff0c9debacbb5a12235bcd9d41a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
318KB

MD5
7399413b99f1efaecdd25382fb21ee71

SHA1
8ea1b57b329e70c800d2691006ff7122e2ad076b

SHA256
fea6e07bd93c42678c0a50e88f9bdc2bee2f1da4544eab3f0c3331e112d6ca61

SHA512
2afe9ac5d2876e2fc81cce194b7e6d4e3f5c0d07ee859554c1a25f2b7d78cf7be00d62a7e91bc332e11c10c9471db7629c396a2220d1146a78bc04f020467c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6FD3.exe
Filesize
305KB

MD5
33ef44779584b873973b077c87de99b0

SHA1
afd7ab1b5755817dc7c59dd4f1e8dd9a51ab7a80

SHA256
115b51f7652db5d3c36e4a32ece49a4aea0fb8c7e5eda6d9876feed15dc6002e

SHA512
59e22a103c8af2730637906e9b45e24c75ed49330e5656d4dcbbf851bb999d736b76a0428980f37053e8997c3769e7d46c3f3a4ce495b945199ef5b7850c61c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
45KB

MD5
8972eb458fd5ee6babf172d14ce84892

SHA1
84a19fa86228888f5a2461f5e7163eb9de75ed6e

SHA256
959bad0ee6ef0ef84ffa5de75b47e620c6f7d71b04b5517ffcd37d989be388c1

SHA512
9929e30a22817ea01f7c0bf73598ec47340d76524f90e8a0d2d44e6c6236f31e279b486f75dd90248288bc6ca1483516a09030818f7516c5bfc1fbd1682df386

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
17KB

MD5
d148fb5ce9a3b73e45640504178404bd

SHA1
61831ce683e8d41ac76e1e73f105e451f515c269

SHA256
4c355b03b88e7e2c135cb24711659057b1e96365827bf60831ca59772d03cda3

SHA512
53973df6e747a7c6eb3eb7c604b88082d063cf28a17320e8a60ec26ba4ef9e0120bb023ca6403000dc8de2c939acbee4441ddd3023f3013e546b99ce865fc497

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
16KB

MD5
9199d95811f08046d21a5c67788e93b5

SHA1
889e47c4db58103401bc94956edf67bd7f003704

SHA256
509a4e57fcf00d8166ce262d5c44f059fbf6d50b957698c68f327d0a61040d32

SHA512
89c64c458f3e49ce823a8b783d4453e8638837df697adf4054f466d7c0d207f8d44d028f70bde91a27db50f9bc7a643e5fa9946f77193c10eddd2abd01a8aee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
46KB

MD5
cf5167369547bbbf87ed8cdc066b930e

SHA1
f57a78694ca19ce0185e80174f74f5da9d2becc8

SHA256
bfcbbddfa9f5df0c85aa25d8c7691cb880b61e27b6f87a2647eef9b523af3814

SHA512
cac9f5e10fe61b091ad4247ba1912785affd7a0be49836c0d062b0e264a8b4acb3f8b365c4d9c103292668b85cd2a778b5bb071c6ec01bfd0b7f39ec9fbb7395

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
343KB

MD5
897027f58e3d12ad28ca1033a044e695

SHA1
5e786f6f0f577497c2c6899f7f203fe7437ec524

SHA256
d9362ba086ab860b1f9f5f8855d17d296cb599e7d37c0901e1deb80547709d61

SHA512
73fd8393c23c34d6bc0aa5be5afb96f1d085456cba34d97290554aecef50f173448403f970cf123e164284487e154392f91e31a9f33a4755f220903f719d5fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
72KB

MD5
7a38999c7d32e04c9fe5760b176fbb54

SHA1
5af7b315a599ab410b767df3c176f3a2aa2afeb2

SHA256
9cf6d2078f784b130c0362964e4f62c5af4f830887339e35681d1623f424b839

SHA512
a12f0674489f825a5ee30a34b3ee91e0da62a9a8f1ab3b2d9eb5c1a0f580ee38907feb62be5e143e31963f0a4485fef8f481507904a895bbf90fc2d4627a06a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
346KB

MD5
690b7590483fe521d9c4d392a1f8436d

SHA1
7d5b8510626409190b3089cc1cee74de1a625646

SHA256
73a5eb7483b8ffb8c2d1b023e19aed4e5f03dc78d9aefa596d7bfdb5dcc90002

SHA512
dfac188260531e3fdc757276db63f99c11102cf232d5eb151e40806ff0a6f2dd3f442f59213a63e474fee04624e750f36295718c0fbec780696f5f4f950c6b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab204F.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
360KB

MD5
1243bb08fde38a00fcb2e3d4fa970504

SHA1
ea0aa8aa816c249d9ff269f8cde5c58d4aa4098d

SHA256
b5c469cb456e6f61703131d146e61583be492a941015887fa81fbbf9df1dbb4b

SHA512
a9cb689db9b8cd7237d191a553c0051fc1e991d95df78cdf19737b5d8b7e29c602925bc5888f9804d0d21d57386d4d6ad82d1eddbfdc0312dc82f437f1b716de

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
403KB

MD5
54d5bd15fe21a647fe3f912d446a693c

SHA1
06439f31bfff8211a1bf996afc3536d871c9b03d

SHA256
85e95d8489ddb2498038d64abf272b027d8e0761297a68f17514a48b127d1380

SHA512
e1618bdae30aeb0b4a1622b48628da87429730e338f273d6b4eed5aa704a95b01f26e65d671e19dfaa4154dc8a30683d231532955e5af1cc541d4d27882213a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar211D.tmp
Filesize
91KB

MD5
c7bd02c7deda5f4c2653ddf3a0ece40f

SHA1
2308a110297b5af4c261d8c2793a750230d8cd50

SHA256
7d09c7e938be9a29db95fbd51cadd79909d2c567182a1157416010a277a6bb3c

SHA512
1926558f53e47cffa885798211bd6b59413fe709dc151c52f3f419b10fe5fce13d1c80e87648933a77cb8d370715edb76b35f92fcd98d0006e32edd4b3fd004d

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
63KB

MD5
f44099c1e1bfa70ad0fd4f326ceee2ef

SHA1
196c12e4ab0fdea4dfda025ea548be9baff5fd25

SHA256
960d1c89803f3e9cf6372d46e158233ab8096f26a5cbfdbb6dd77bb0c9d3b25e

SHA512
4d9f835403844b1e9dab738800145f23209ac4cf8741687f76fea00cc48b0414354e11ecee9cde68d512d73c2a8081bf9456566bcce7528567f72e24e75db33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
185KB

MD5
50f0b3d8e4c1fa1a912c402d788d7a52

SHA1
61f71cae571df368428d1a2cff1872c2a877f323

SHA256
b4eb5b7443e0b0c14049979c10fcdb0414d06d2948e90755c2b7d2a262736ea4

SHA512
58566b3171b955f561d107928874a5c8f0f7cbce97e2e8681db52347116701321503ce769ad42101e39cb3e2fc464c5aacf0bcf3e2e71acca7354edf77fc4657

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
85KB

MD5
e6ac3e079720be8f173edd54d91ea23b

SHA1
661e265f2b1ccfaecb5d10677848eebbf8486e91

SHA256
712830e7a5e2a19355d2cef48ad7ef5a0d8bb94ee15dc4b7c559d466e2c872e7

SHA512
5670a4190ee2f83afdddfaee60a627480c15109fd5ffaf829bcf1f2a50deb9916363b0a725b7a27400594697ff530f718c238a5abe3845c267e93597f112a38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1B21.tmp
Filesize
15KB

MD5
3e6b838d6903b75203b903375a091ef0

SHA1
6ab382c238e8186ef2dc8301af30dacd29cd8819

SHA256
90fbb58bc2eac731f74378ee698a803b9cb3e85fb330ec3a62ed92f7107bdbfe

SHA512
26025e32c1e45dc9998f6a9fc9f93ca33aab7a20a0bbb3e76f8ecec0882ce7aa43b2d183aae45acaffb714ac832e0d1e26596559683b877987efd7a247814df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1B21.tmp
Filesize
75KB

MD5
ad2bc4090280b0b0034a9c2c31d16443

SHA1
cedff62d47e20d3773ff7492fbea8a4819b86f9a

SHA256
ea3d79c1c1df3307705bee3ae2209ecf5b330ad90d86cdfd21526c03a4f41506

SHA512
05449a48598045b57ff180d50ebcffc7f5eb29326b430d18acfa9624b05b1a2f5c043624e679259b122250c5a82099c344fd952019b792e415efef66690d59fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1B21.tmp
Filesize
175KB

MD5
ac75ba0b8fc71fea9155929969c7a4c4

SHA1
f2f7397ae9bdfe6229224336b4aca396aee3dbd3

SHA256
bc6394b0d9ac6bb11531f38d27aff9b8df1c763c4dcb02009c5fc2e13d0c2359

SHA512
59527e0f75f2c0c6c648daa3dfd49bb5446d8d55c5c8f983b3122335feb553468dc75daf98f342fe96bf4a1af5b4030c3666a7f78463bbcc47bc6aa40e0451f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
263KB

MD5
e80612c26ee9b26442ff5aefe0b201ff

SHA1
5874accff7364329f60455c1dcc1a2fd9334faeb

SHA256
39d241923bd679790fc49ad3b6446b5d4872a2a39f2b4c30aff3c034600118a7

SHA512
29ffc7e2bcd72e99def1e8fd10da47e148c868398beb94f2d0cad3b7cc0f8ccbde831732febfc00899f4ce43d701767e976db3d1221fd23661bdce94b425e3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
299KB

MD5
a1d1c3459865750d9a0ad4fddaf2c5f2

SHA1
bdc39e02c0ae4477d055119684bc0f8ce2f5d218

SHA256
ea7fe0cec9e7211eebb4f3841fcb55bd0441966ac6fdb9dac948a9a00381b69a

SHA512
beff743c46eff4fb187766cbd9b28a8657534c3cf9716c5cb025c4d574c12cbb13136851b8ad7e55e6aa848cb8f6c6539551e13dac6bd77a917c9c9383a76641

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
270KB

MD5
a5de9215f4a0abdd5e10ff603ae110ea

SHA1
687f6288b348a8b739361ccd40885b54ff606269

SHA256
761520ed0a57e867919982c0821fbc2190aa0ae8482121086d89baa9bbbdafce

SHA512
835556699c91bff95234eeccc813ab084f2ecbfc7f44f177e17fccf5ddb8cecc0e61fa240618e5adc0e9dfbeb5ce4ce2ea4949b19f88591d84d00297723c1424

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
230KB

MD5
714d9cd18ce9af6bf14293129c66eb66

SHA1
68016406568a7f4b5238af4d23b54fe505254919

SHA256
412bf27521d0c80cb00a2920c22efadaf21f77b455b71650a480a03c64e07aa7

SHA512
2ea47a13c35799032389e0c41f328f92a9ba4b5a4384fee0790130348c6753a9cb0b64a8d021deda51251b4ed2a7e8d4550975574a4ec097020838701d999827

Download Submit
C:\Users\Admin\AppData\Local\e4e025d6-5092-4735-a5fa-1ae764491e57\83B2.exe
Filesize
173KB

MD5
2978a5fef2ad5f51e666c82cd253f817

SHA1
02c7c9b20ac41390c05e3b8238bb83e49aa8b335

SHA256
0616491c4d7464a1c1ac6ccddc7da1ea272ff0c91b15e53a7c51e80a4db0ca3a

SHA512
022b8d8f8fb18c39466f25457aec14a4cd1a7d589bc9e196d6c4870b1915ea51f5ffab0620192a74643b56aefc0a15f6eff78bffe96877bbe7b54f5991c7458d

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe
Filesize
111KB

MD5
603342b7821587924b8c7ffc73300a8f

SHA1
68a8c09ece0402aaac311e9a43a2915c55bd9482

SHA256
d780b526ab124f1d4f948252bec05b39462cbfa0373206b973d01b54546ad4c9

SHA512
29f33cfe10ce1efa0921a5446c997a7f5014b1f29b4d20d574d125fb9ea58568461e722ee096b853b120b0455a1777af05431ad7b2e8304b842dad5c22c9386d

Download Submit
C:\Windows\rss\csrss.exe
Filesize
97KB

MD5
c218710e364e8ea0f5c1403d0c62268e

SHA1
239da8cede717871f053c5399e007ae2d3c76171

SHA256
7ccb4604a8aa7b7bdb85adc3bdbe52cdbd366123e6c022fe8a4231e5682594bc

SHA512
d7d32ae953b7442839d07d290e8f0295d26c67e5225fb613808badffb38bcda745c96665d5407d2796afe503ef70b15ae8614e1cf8a7b4d3eb502a73fa18e539

Download Submit
C:\Windows\windefender.exe
Filesize
57KB

MD5
80b7d1601b7e484fb76392b12b1d8c2e

SHA1
fb51881c67d7f7540a86b7d306bae839c7f81310

SHA256
e9930639907fac490c80a5335117871aa93bbd522f8c255efe0b8f8760164ebe

SHA512
19dd327a0f652ad0d63ad3cb82af547125aab02c36aa211f6671b9f58deb1336adacbdb728b1ecbb7444f7488dce9301c9494213dcb9f67e4cbc663f93080cf1

Download Submit
C:\Windows\windefender.exe
Filesize
214KB

MD5
48f487703fbf9592e5feb2d2beb55497

SHA1
56500595b33e36c3adc9d3a756db9fbb54363433

SHA256
47ee6e674fdcfcfe34029833a92a09972ab060edc402fe0d0caa5677e7e2a8c9

SHA512
61ec3a27d2c08f7ce3e9efe320eeb8785889cd267c189559c917eaec261c932798e912b9db11e0dc5da2cbf1746dc40253fc3ac0bc25a38cfc78ec98d833c321

Download Submit
C:\Windows\windefender.exe
Filesize
35KB

MD5
682455ae26f90403ff16ae8a299b9d91

SHA1
9031ad325caf72cd3faff4241825156dc66929af

SHA256
aedc7bdf6d5578e5963d371a4a7ba9c5c7183c9f66623831b5094412a950e0ff

SHA512
eaa01140810a79c9ed2612abd6d1d31288f6950d4680b2b80b61176a8d615617de125a543abc88ea03dad0c0f795d2fa372ff38d14394ef7b11f6eb5386375c3

Download Submit
\ProgramData\mozglue.dll
Filesize
97KB

MD5
7640d58bb9f640a976babe2a8517eab2

SHA1
36dd660dd7f7c5946369927d36a98fb5e1c23c28

SHA256
5c34657675cc0e9a2ced5d7dad6f3551c692007dc7dda7496eb49ada031be838

SHA512
50b640497d33e1a31eeb800271e93229db73d9a06fcd2833dd382caf78d5ce7ee9ef934cec31629c9ebbb211b4e937105caba0bfc06f77a9e487067006ebca17

Download Submit
\ProgramData\nss3.dll
Filesize
52KB

MD5
74a34bb4cd01e05c443b7354c0edd989

SHA1
7b65c5b3598dff599fb3ec4b3d26399c2780780f

SHA256
445d71ee0bf2133da1556dbd29fa8eb5dc9117673b0f245a0e4d53b9734ec6d7

SHA512
4c7f0f2923a145bcf1edc06c805a777a89b403f58144a8be89e302313130f724a09a68b133c0b68fab65b18bc85b36902cf74123c56aca80b22149e16af20c4a

Download Submit
\Users\Admin\AppData\Local\58544b98-8643-494d-85c7-b36f2c86c376\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
204KB

MD5
f828f320e61e1bbe3a66651c70d6ce24

SHA1
35607bb3bb934dd3c9b9cf75703c143d99032b00

SHA256
d8a476f543064957df65b2a25a923fdf6b7a7933edf5aef004fee3ca42caff1d

SHA512
77d1cee00976a4388deae985a733e08057af2ec36ebb3bcab3e6bc53fad2dbb7f64fde948422704b0aefcb7d4caec731e1e07f934fe667319c62986af1ea8932

Download Submit
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
332KB

MD5
dc96bb8f0ec6ac2b1a281e2c43d32471

SHA1
a939c2e5458e055099d57829ac9df5d3c60c86c7

SHA256
09c7d2b728b8e4c2fe610b6f01d344363dcd4c07fd0822aebf888d4c5ceff059

SHA512
824a51bbf6ce5d4df337bf940fbe9390f287ea4a31dad231c2a922e0ed2f6d907ff5e7c59ab95f173dc40181ee11cebb628deb01622b96196d051529a9f09fd3

Download Submit
\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
12KB

MD5
48e3fce5edf2676b94e73906123b1100

SHA1
a043b8eaa5c18ba262bc53480135042cfb5f12e0

SHA256
2b264efd7b8c70818541ea94f127c18ab0ec6466491e4801d33197175d32e3c3

SHA512
8119cfa90e7fd4705df07663d25c027b4a87b99d3c477b6f96312c76a55532a2b4f04f43b5e47b9ae1d2f32d36d2c623000cc631d1a387c2750f3033a9027ad5

Download Submit
\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
64KB

MD5
073154e27160cfc12ffb3d625943ac78

SHA1
f9db1498c3d7664b692c244a7499bc72724cb6a9

SHA256
76b479bece1901cf57fc6638b9786a16a668b38ec762fc74e9b8a98deb3c4bb3

SHA512
8a03e160816347a790b112f58163bca96dd41ca7a5d19f9340d18d4b9af7b9da9e4ec8b3bc79dcbf79e7f009605fcf7978a2e05ed3a5a0cd1c2de9fab0b99e31

Download Submit
\Users\Admin\AppData\Local\Temp\83B2.exe
Filesize
58KB

MD5
87badc2483dad1f18e9f2865a0034178

SHA1
f7bdbcfc9f0a15ffe17a7388ed3c52fd4598be22

SHA256
9be617f1ebc7d5e5dbab30f4cac3382e6746d8ba197c65380ddb7e711e2a79c8

SHA512
7357cc898693480ba2a35414907e4006b6176a589c5a8fd8dc507cc1069f0182ab692d9aba414424f32b747cf74b5073eea469be3addc7d165a80e2f64c6927e

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
202KB

MD5
9ac3fa075174788f5175f146f90dd296

SHA1
32d3b797fa90562cdbaf25d2ccfa2cf1b4079f4d

SHA256
46537dd4373ba2a4235e93a64c7afe606464cf8a12e09392a83138d0ee0a0e7f

SHA512
d8e25e6d8f2d48488fe4f80315e1f6bf8f309f9f4009090f020412708fdf17a51a9d79763ac74ddbc81814c8f7469de9b27fd345f3e07fd13e02a347718a7fb7

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
364KB

MD5
eeff7ba263200736a7c98b60cba1a35d

SHA1
f72ed449e052ed06e82aee8bb12a7f2dedacf4bc

SHA256
501ed3c71449091afeab15373730f6bdf705b51877318a69ba856b4a098829b8

SHA512
93f39a216ae5986c920347ba04b19f865ccc48a0b6373ff991102c40cc4447aeb1be765829e81811a5232c2e819fe1ba85e9aad0cf888c9a87ab0ab940779bdb

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
50KB

MD5
1807a5c330f0cd780772674f57e7aee2

SHA1
493d5efd277b26584e00f0c65a9e6e12e30dd00b

SHA256
77f2b408445a3e4137d60b34b4d856d83c161cb5ecb033864469d8277cb43947

SHA512
a0782cb5d9f71d61ef425f5c47a2513157f25b48cc6dc4717f9dc706cdb8bd7a37252f74b6a7b05cb018a0c0403432edaa535169b66822453fe13b18d5e6e2c8

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
136KB

MD5
b1574073149ec6427f5d213e44ce0e89

SHA1
c5e46f5a4c35dd77c6806685c39be59b4e1b384b

SHA256
a20c339cd5794a98c1a946fb1c02c5735f411b7fbc1f79dda5b3bd1d44cdaa18

SHA512
296544e82bdd8e7617ded5c41ce3f2d3c26308910f2d4083e9f4bba84fd0e4769ac9e2d3fb1d6d6a08f59d5100648301b487e6256c2f103db799486100faf8e0

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
53KB

MD5
25bc00ae2c7a82644dda51fe6c58b68f

SHA1
a33aba8dcda97de800526eaecb5940a758417dea

SHA256
998b93535219f3b8b66caa1995233f911f2544481f39b259208c76d0defb1105

SHA512
0dac7a43fc7e3d4ed878f27c7970e4fc1630820a9e90a84b9757141a8e939ee95380f2ddf3e34a44b5483607fb6145dab399f8dedff55fccad94446909675201

Download Submit
\Users\Admin\AppData\Local\Temp\nsd16CC.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nst1B21.tmp
Filesize
192KB

MD5
4c0e582b5cd6f5a9d0a7bb1dad12dae9

SHA1
87eb88f59cd943b73580ea1b56ad40206e1b9241

SHA256
f5fa56201472c808b7c4b5c7781313967128ca25e55c17f25e0280433fba85a3

SHA512
971feae0d53854baabd6747aef064022a8c5340b74dc311db007c3b34b9173a933cf63ce4fc25afe70b28bd1b86ff9a7c0c997f2572fceee278c363442954d5c

Download Submit
\Users\Admin\AppData\Local\Temp\nst1B21.tmp
Filesize
233KB

MD5
4b6cd796440ab21ee8a297ed04b1382a

SHA1
08f906f130a86a1650cc66dbd366739a1941e150

SHA256
ae850ae8df351f276df5ca3a5cde1c848bc3ca522d1ca718a5c927e9effa0979

SHA512
56eb70a687bd5f668e604635ed121d9de85f544a07395660acbf5a8f8d3adf84c4a580f845847ae93c764c7a7d2c6f3593828375f7640ba5eafbbe02a827ee41

Download Submit
\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
240KB

MD5
0af529805607553654c9991dcdfb8bdb

SHA1
0b74389471cc60fa2156ee291c442155fbb638b4

SHA256
c060c892da0b7d2f27777bb90a40333ca1f1b40beee81b4003b5d0c8e500a0f6

SHA512
3327a9d50aa0d1e7537ce67a4aadd390340c82160637df8b32ae2b7778c1ce3a7f3c67b4049bed4f42b371726f08293e72f41d9fa7a436e9c69eed4700ff77ac

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
332KB

MD5
a1470335c14e84fd1f158878a5776ae1

SHA1
98ff4297b83233ce26c0a116abe76312af645398

SHA256
8da2cb8ea28028e84ead59e8d7e4f97325351ddab33df6704d3cf8894d5ce7a5

SHA512
cb43793944d547f6d91a546619848f02605e42ed6160954fa89e5297b0d252a1ddf3747d5fd96912fabcad6ec90901a15da5e755838916fe80396742c79008ec

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
284KB

MD5
e30c8ae20c17215584a0efd44092cb38

SHA1
095075ffb8a4a334b03c239a0bf53353edfbecc9

SHA256
cfe91094a955dbe6655500f28fa7c37c45f6d4dc954ab4669ac83cee8df3eed3

SHA512
e8cbb9fc0c38ecd40a075af6e9e703dbf4e7584ae9ae9b9849c81d97049e038b4c24d4a6cdf89ebc20a40ef7232ed7c00e09890e86cb842b5fdf0f6296c3cc83

Download Submit
\Windows\rss\csrss.exe
Filesize
187KB

MD5
d0398243935f604cf99bd9d3f88dd2c9

SHA1
0c740b31cd01fb7d3e9c22f923fd3d308b90fb9d

SHA256
14c65cc98d61f121e97005273bbfbad2dd5622a5c2da3ac40d86963b52a6cae1

SHA512
1899ca9c2dd899a15e59d62877352fdfceea3a29f1b848c5737e9b8a1ddf287ae16103f962fde771ddb170f8c4f2afe46eacd5efc591bed68012f5ba4ec18f0b

Download Submit
\Windows\rss\csrss.exe
Filesize
227KB

MD5
516819f21eeef7cb38cecd56c63a5418

SHA1
60913ccbcfcd36e344b29efa18c0327326795437

SHA256
f9b3e932dfc442b1c74cb64a9ba10e766b864a02ec31de58c7dff0d46bd8b488

SHA512
3654ba048774b52ad33aee71c09ec43ecd0245ac6ff0af7262db3b07708f825f5355be9b985710aec2c0a008b0845dbadb119c0b433a531a32944c0c09bce47c

Download Submit
memory/404-353-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/404-324-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/404-325-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/796-398-0x00000000004E0000-0x0000000000572000-memory.dmp

Filesize
584KB

Download
memory/796-391-0x00000000004E0000-0x0000000000572000-memory.dmp

Filesize
584KB

Download
memory/968-676-0x0000000000210000-0x00000000006F0000-memory.dmp

Filesize
4.9MB

Download
memory/1136-77-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1136-215-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1136-275-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1136-75-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/1136-302-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/1136-301-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1136-76-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/1140-348-0x0000000002E50000-0x0000000002E66000-memory.dmp

Filesize
88KB

Download
memory/1140-206-0x0000000002E00000-0x0000000002E16000-memory.dmp

Filesize
88KB

Download
memory/1196-161-0x0000000002BB0000-0x000000000349B000-memory.dmp

Filesize
8.9MB

Download
memory/1196-160-0x0000000001050000-0x0000000001448000-memory.dmp

Filesize
4.0MB

Download
memory/1196-158-0x0000000001050000-0x0000000001448000-memory.dmp

Filesize
4.0MB

Download
memory/1196-323-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1196-326-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1196-395-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1196-162-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1196-309-0x0000000001050000-0x0000000001448000-memory.dmp

Filesize
4.0MB

Download
memory/1196-420-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1196-296-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1360-73-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1360-159-0x0000000000FE0000-0x00000000013D8000-memory.dmp

Filesize
4.0MB

Download
memory/1360-70-0x0000000000FE0000-0x00000000013D8000-memory.dmp

Filesize
4.0MB

Download
memory/1360-61-0x0000000000FE0000-0x00000000013D8000-memory.dmp

Filesize
4.0MB

Download
memory/1360-157-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1508-356-0x00000000002A0000-0x0000000000332000-memory.dmp

Filesize
584KB

Download
memory/1508-361-0x0000000001D70000-0x0000000001E8B000-memory.dmp

Filesize
1.1MB

Download
memory/1508-366-0x00000000002A0000-0x0000000000332000-memory.dmp

Filesize
584KB

Download
memory/1508-357-0x00000000002A0000-0x0000000000332000-memory.dmp

Filesize
584KB

Download
memory/1704-634-0x0000000000820000-0x00000000011D1000-memory.dmp

Filesize
9.7MB

Download
memory/1704-637-0x0000000076EC0000-0x0000000076EC1000-memory.dmp

Filesize
4KB

Download
memory/1704-672-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1704-697-0x0000000000820000-0x00000000011D1000-memory.dmp

Filesize
9.7MB

Download
memory/1704-638-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1880-363-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1880-368-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1880-390-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1880-360-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1880-367-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1896-197-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1896-195-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1964-428-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1964-424-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2080-438-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2080-435-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2080-437-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2080-402-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2080-431-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2080-403-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2080-429-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2080-430-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2108-693-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/2252-442-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2252-427-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2580-50-0x00000000FF710000-0x00000000FF7C7000-memory.dmp

Filesize
732KB

Download
memory/2580-687-0x0000000002610000-0x0000000002718000-memory.dmp

Filesize
1.0MB

Download
memory/2580-688-0x0000000002BF0000-0x0000000002D18000-memory.dmp

Filesize
1.2MB

Download
memory/2732-473-0x0000000000560000-0x000000000057B000-memory.dmp

Filesize
108KB

Download
memory/2732-476-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2812-616-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2812-478-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2816-44-0x0000000000FD0000-0x00000000013C8000-memory.dmp

Filesize
4.0MB

Download
memory/2816-47-0x0000000002AF0000-0x00000000033DB000-memory.dmp

Filesize
8.9MB

Download
memory/2816-49-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2816-51-0x0000000000FD0000-0x00000000013C8000-memory.dmp

Filesize
4.0MB

Download
memory/2816-60-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2816-72-0x0000000002AF0000-0x00000000033DB000-memory.dmp

Filesize
8.9MB

Download
memory/2824-45-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2824-40-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2824-194-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/2824-193-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/2824-52-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2824-207-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3016-46-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/3016-1-0x00000000010F0000-0x0000000001844000-memory.dmp

Filesize
7.3MB

Download
memory/3016-0-0x0000000073EC0000-0x00000000745AE000-memory.dmp

Filesize
6.9MB

Download
memory/3028-196-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3028-48-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3028-274-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download