dcrat | 4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee

Analysis

max time kernel
300s
max time network
294s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
Size

231KB
MD5

ff1a6e6863428c2888d990c1afeb477e
SHA1

f15b4c057f1f323c3c9d876f36aa61b315b1dc5a
SHA256

4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee
SHA512

e37b9c8fb7b2d02f241d32b12d2863019af1d701ee10dbe11625379d8d240228dd8b60ad57ea5c5895d5e6c802079e4b2460812c2923085f454b00a3a2bc0394
SSDEEP

3072:rGTH9LSPLkeRLOfoeido3uaXY5n12cEb3X3RW91V35sUnX7q8564e3jGLxYx6TVj:M9LqRL4o2/cDErHwN35rMR3jGFY2

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Signatures

DcRat 8 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exec53cfff621a84792162f70e790980e38.exe4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exeschtasks.exeB368.exe

pid	process
568	schtasks.exe
2664	schtasks.exe
872	schtasks.exe
2128	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	c53cfff621a84792162f70e790980e38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
2600	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4de165ab-65bb-47ed-bb07-66961f5bb239\\B368.exe\" --AutoStart"	B368.exe

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2036-307-0x00000000001C0000-0x00000000001F0000-memory.dmp	family_vidar_v7
behavioral1/memory/3064-313-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/3064-569-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2956-28-0x0000000001CA0000-0x0000000001DBB000-memory.dmp	family_djvu
behavioral1/memory/2576-37-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2576-40-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2576-41-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2576-62-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1116-162-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1116-179-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1116-180-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1116-226-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1116-228-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1116-229-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1116-485-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2648-571-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2648-572-0x0000000002980000-0x000000000326B000-memory.dmp	family_glupteba
behavioral1/memory/2648-591-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2368-593-0x0000000002AC0000-0x00000000033AB000-memory.dmp	family_glupteba
behavioral1/memory/2368-594-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2368-635-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1516-657-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1516-648-0x0000000002A60000-0x000000000334B000-memory.dmp	family_glupteba
behavioral1/memory/1516-800-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c53cfff621a84792162f70e790980e38.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\c53cfff621a84792162f70e790980e38.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	c53cfff621a84792162f70e790980e38.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2876	bcdedit.exe
2216	bcdedit.exe
2680	bcdedit.exe
2124	bcdedit.exe
2380	bcdedit.exe
1160	bcdedit.exe
2980	bcdedit.exe
3044	bcdedit.exe
2188	bcdedit.exe
1976	bcdedit.exe
1700	bcdedit.exe
2836	bcdedit.exe
1012	bcdedit.exe
1424	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1816 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Deletes itself 1 IoCs

Processes:

pid process

1244

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
1816	netsh.exe

pid	process
1244

Executes dropped EXE 34 IoCs

Processes:

9E13.exeB368.exeB368.exeB368.exeB368.exeD6B.exebuild2.exebuild2.exe1DFD.exebuild3.exebuild3.exe44B0.exeInstallSetup3.exeapril.execonhost.exeapril.tmpBroomSetup.exensj53CD.tmpc53cfff621a84792162f70e790980e38.execsrss.exepatch.exeinjector.exemstsca.exeuvwjjdrmstsca.exedsefix.exewindefender.exewindefender.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe

pid	process
2680	9E13.exe
2956	B368.exe
2576	B368.exe
1748	B368.exe
1116	B368.exe
1036	D6B.exe
2036	build2.exe
3064	build2.exe
3056	1DFD.exe
1200	build3.exe
2196	build3.exe
2124	44B0.exe
2136	InstallSetup3.exe
1068	april.exe
2648	conhost.exe
2532	april.tmp
2616	BroomSetup.exe
2296	nsj53CD.tmp
2368	c53cfff621a84792162f70e790980e38.exe
1516	csrss.exe
336	patch.exe
1504	injector.exe
2956	mstsca.exe
2620	uvwjjdr
1748	mstsca.exe
2176	dsefix.exe
2956	windefender.exe
2920	windefender.exe
2204	mstsca.exe
2276	mstsca.exe
1772	mstsca.exe
1780	mstsca.exe
1328	mstsca.exe
1756	mstsca.exe

Loads dropped DLL 50 IoCs

Processes:

B368.exeB368.exeB368.exeWerFault.exeB368.exeWerFault.exe44B0.exeapril.exeInstallSetup3.exeapril.tmpc53cfff621a84792162f70e790980e38.exensj53CD.tmppatch.execsrss.exe

pid	process
2956	B368.exe
2576	B368.exe
2576	B368.exe
1748	B368.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1072	WerFault.exe
1116	B368.exe
1116	B368.exe
1116	B368.exe
1116	B368.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2248	WerFault.exe
2124	44B0.exe
2124	44B0.exe
2124	44B0.exe
2124	44B0.exe
1068	april.exe
2136	InstallSetup3.exe
2136	InstallSetup3.exe
2532	april.tmp
2532	april.tmp
2532	april.tmp
2532	april.tmp
2136	InstallSetup3.exe
2136	InstallSetup3.exe
2136	InstallSetup3.exe
2368	c53cfff621a84792162f70e790980e38.exe
2368	c53cfff621a84792162f70e790980e38.exe
2296	nsj53CD.tmp
2296	nsj53CD.tmp
860
336	patch.exe
336	patch.exe
336	patch.exe
336	patch.exe
336	patch.exe
1516	csrss.exe
2136	InstallSetup3.exe
336	patch.exe
336	patch.exe
336	patch.exe
1516	csrss.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2164 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2164	icacls.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2956-879-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2920-881-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2956-882-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/2920-908-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

c53cfff621a84792162f70e790980e38.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	c53cfff621a84792162f70e790980e38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\c53cfff621a84792162f70e790980e38.exe = "0"	c53cfff621a84792162f70e790980e38.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

B368.exec53cfff621a84792162f70e790980e38.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4de165ab-65bb-47ed-bb07-66961f5bb239\\B368.exe\" --AutoStart"	B368.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 api.2ip.ua
48 api.2ip.ua
53 api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
47	api.2ip.ua
48	api.2ip.ua
53	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

B368.exeB368.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 2956 set thread context of 2576	2956	B368.exe	B368.exe
PID 1748 set thread context of 1116	1748	B368.exe	B368.exe
PID 2036 set thread context of 3064	2036	build2.exe	build2.exe
PID 1200 set thread context of 2196	1200	build3.exe	build3.exe
PID 2956 set thread context of 1748	2956	mstsca.exe	mstsca.exe
PID 2204 set thread context of 2276	2204	mstsca.exe	mstsca.exe
PID 1772 set thread context of 1780	1772	mstsca.exe	mstsca.exe
PID 1328 set thread context of 1756	1328	mstsca.exe	mstsca.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

c53cfff621a84792162f70e790980e38.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN c53cfff621a84792162f70e790980e38.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	c53cfff621a84792162f70e790980e38.exe

Drops file in Windows directory 5 IoCs

Processes:

c53cfff621a84792162f70e790980e38.exemakecab.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	c53cfff621a84792162f70e790980e38.exe
File created	C:\Windows\rss\csrss.exe	c53cfff621a84792162f70e790980e38.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240204073936.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1080 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1072 1036 WerFault.exe D6B.exe
2248 3064 WerFault.exe build2.exe

pid	process
1080	sc.exe

pid	pid_target	process	target process
1072	1036	WerFault.exe	D6B.exe
2248	3064	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

uvwjjdr4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe9E13.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uvwjjdr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9E13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9E13.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9E13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uvwjjdr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uvwjjdr

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsj53CD.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsj53CD.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsj53CD.tmp

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

568 schtasks.exe
2664 schtasks.exe
872 schtasks.exe
2128 schtasks.exe
2600 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1664 timeout.exe

pid	process
568	schtasks.exe
2664	schtasks.exe
872	schtasks.exe
2128	schtasks.exe
2600	schtasks.exe

pid	process
1664	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

c53cfff621a84792162f70e790980e38.exenetsh.exewindefender.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	c53cfff621a84792162f70e790980e38.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	c53cfff621a84792162f70e790980e38.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.execsrss.exepatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe

pid	process
1996	4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
1996	4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244
1244

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe9E13.exeuvwjjdr

pid process

1996 4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
2680 9E13.exe
2620 uvwjjdr

pid	process
468

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

conhost.execsrss.exesc.exe

description	pid	process
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeShutdownPrivilege	1244
Token: SeDebugPrivilege	2648	conhost.exe
Token: SeImpersonatePrivilege	2648	conhost.exe
Token: SeShutdownPrivilege	1244
Token: SeSystemEnvironmentPrivilege	1516	csrss.exe
Token: SeSecurityPrivilege	1080	sc.exe
Token: SeSecurityPrivilege	1080	sc.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

april.tmp

pid process

1244
1244
2532 april.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1244
1244
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

2616 BroomSetup.exe

pid	process
1244
1244
2532	april.tmp

pid	process
1244
1244

pid	process
2616	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B368.exeB368.exeB368.exeD6B.exeB368.exebuild2.exe

description	pid	process	target process
PID 1244 wrote to memory of 2680	1244		9E13.exe
PID 1244 wrote to memory of 2680	1244		9E13.exe
PID 1244 wrote to memory of 2680	1244		9E13.exe
PID 1244 wrote to memory of 2680	1244		9E13.exe
PID 1244 wrote to memory of 2956	1244		B368.exe
PID 1244 wrote to memory of 2956	1244		B368.exe
PID 1244 wrote to memory of 2956	1244		B368.exe
PID 1244 wrote to memory of 2956	1244		B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2956 wrote to memory of 2576	2956	B368.exe	B368.exe
PID 2576 wrote to memory of 2164	2576	B368.exe	icacls.exe
PID 2576 wrote to memory of 2164	2576	B368.exe	icacls.exe
PID 2576 wrote to memory of 2164	2576	B368.exe	icacls.exe
PID 2576 wrote to memory of 2164	2576	B368.exe	icacls.exe
PID 2576 wrote to memory of 1748	2576	B368.exe	B368.exe
PID 2576 wrote to memory of 1748	2576	B368.exe	B368.exe
PID 2576 wrote to memory of 1748	2576	B368.exe	B368.exe
PID 2576 wrote to memory of 1748	2576	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1748 wrote to memory of 1116	1748	B368.exe	B368.exe
PID 1244 wrote to memory of 1036	1244		D6B.exe
PID 1244 wrote to memory of 1036	1244		D6B.exe
PID 1244 wrote to memory of 1036	1244		D6B.exe
PID 1244 wrote to memory of 1036	1244		D6B.exe
PID 1036 wrote to memory of 1072	1036	D6B.exe	WerFault.exe
PID 1036 wrote to memory of 1072	1036	D6B.exe	WerFault.exe
PID 1036 wrote to memory of 1072	1036	D6B.exe	WerFault.exe
PID 1036 wrote to memory of 1072	1036	D6B.exe	WerFault.exe
PID 1116 wrote to memory of 2036	1116	B368.exe	build2.exe
PID 1116 wrote to memory of 2036	1116	B368.exe	build2.exe
PID 1116 wrote to memory of 2036	1116	B368.exe	build2.exe
PID 1116 wrote to memory of 2036	1116	B368.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 2036 wrote to memory of 3064	2036	build2.exe	build2.exe
PID 1244 wrote to memory of 3056	1244		1DFD.exe
PID 1244 wrote to memory of 3056	1244		1DFD.exe
PID 1244 wrote to memory of 3056	1244		1DFD.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe
"C:\Users\Admin\AppData\Local\Temp\4a5176af4c9dedd9e984b193761d994bc68a76481ae3975eb0acb30e687e52ee.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1996

C:\Users\Admin\AppData\Local\Temp\9E13.exe
C:\Users\Admin\AppData\Local\Temp\9E13.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2680

C:\Users\Admin\AppData\Local\Temp\B368.exe
C:\Users\Admin\AppData\Local\Temp\B368.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Local\Temp\B368.exe
C:\Users\Admin\AppData\Local\Temp\B368.exe
2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4de165ab-65bb-47ed-bb07-66961f5bb239" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2164

C:\Users\Admin\AppData\Local\Temp\B368.exe
"C:\Users\Admin\AppData\Local\Temp\B368.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\B368.exe
"C:\Users\Admin\AppData\Local\Temp\B368.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build2.exe
"C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build2.exe
"C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build2.exe"
6⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 1440
7⤵
- Loads dropped DLL
- Program crash
PID:2248

C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build3.exe
"C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1200

C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build3.exe
"C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build3.exe"
6⤵
- Executes dropped EXE
PID:2196

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- DcRat
- Creates scheduled task(s)
PID:568

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:2128

C:\Users\Admin\AppData\Local\Temp\D6B.exe
C:\Users\Admin\AppData\Local\Temp\D6B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:1072

C:\Users\Admin\AppData\Local\Temp\1DFD.exe
C:\Users\Admin\AppData\Local\Temp\1DFD.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\Temp\44B0.exe
C:\Users\Admin\AppData\Local\Temp\44B0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124

C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\nsj53CD.tmp
C:\Users\Admin\AppData\Local\Temp\nsj53CD.tmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsj53CD.tmp" & del "C:\ProgramData\*.dll"" & exit
4⤵
PID:2360

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
5⤵
- Delays execution with timeout.exe
PID:1664

C:\Users\Admin\AppData\Local\Temp\april.exe
"C:\Users\Admin\AppData\Local\Temp\april.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068

C:\Users\Admin\AppData\Local\Temp\is-11HS5.tmp\april.tmp
"C:\Users\Admin\AppData\Local\Temp\is-11HS5.tmp\april.tmp" /SL5="$201E0,7683695,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2532

C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
"C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe"
2⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
"C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe"
3⤵
- DcRat
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:616

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1816

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:336

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:2876

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2216

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2680

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:2124

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2380

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:1160

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2980

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:3044

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:2188

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:1976

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:1700

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2836

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1012

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1504

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:1424

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:2176

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2600

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:2956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:2208

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204073936.log C:\Windows\Logs\CBS\CbsPersist_20240204073936.cab
1⤵
- Drops file in Windows directory
PID:1984

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:2564

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
1⤵
- DcRat
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-131808531365129860-1612546671052562661-10728977737414565621772675412116037192"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {13EE291D-3B19-4C10-813C-760F5E45D04D} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]
1⤵
PID:1812

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2956

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1748

C:\Users\Admin\AppData\Roaming\uvwjjdr
C:\Users\Admin\AppData\Roaming\uvwjjdr
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2620

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2204

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:2276

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1772

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1328

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:1756

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
3769f53ac22cdf6658c874805d9983a5

SHA1
53ba470f9cd12bbfde1d1149bcad0029e0f8a84f

SHA256
87ec66df2ed0afbd05a6094ba5ad5bc5b3ef6807828d00323b1addb6addd1c17

SHA512
56ce76ea6aeaaafac14128912b31e12a16a2ca85b97ece7f3034bea5ca3b249c0cfe974b2823f35d38c46d6b3faa7278732b183a86c85f469c422384f08f2925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
f525847085b6ed6a5f292c3596883d0a

SHA1
42bea63f6d4fab071052d1ba255c8537f6d4cbf8

SHA256
797b78ddef256f7839250c50dc22a89a290020e47e2777805bfa634b329aecad

SHA512
22409e83186a8fb06aa1de22eb53fb00cb31cd064a0fbb0add6a9e2ef7b880e91a382cc1bba2e3d0730757ef9a19a54db1b97bef3a18b3edd78a12d7749415c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
79875e5063798fa4895f8bce7a76d53c

SHA1
f789776869c9c7fbab5fdf74aefa3484bd1ca6a7

SHA256
bfac4bfcea291c42160f29cc19c3cc93b2780075d15031cd4535e4c04417e8f7

SHA512
98c0a04d4b44e0e0f5b947ca3c23abc3f82bd4f1531d9c8423215b6d4c24dca124e67de48f4d3845663f98aae7429958ea75551f0c9dddbffaf718edf5c9ebc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dc275e0a33e40b2478e9c4bf2d9700b2

SHA1
00e40e7971e706c615a202d4cb47ad21567d8b44

SHA256
a967f57ba7dda2c327018976d71c9dfce361d54e7c723ecf9bf9a8fc675084e4

SHA512
6d0a5b7e0f47b492474e3632b5ab593b3995b6ae4beeb367f6011c31a97859fddfac3bbf8249baa5dafdf1c28f1c1efe73caffe80883568be376c30ee6fbe568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
63a11555aa3277d870d19ea59b7cb52f

SHA1
92eedb98c2de161673a664fe3f9f1855458bf576

SHA256
2f79219c1012b40b36dcdc0daa16e8ee82f00890416fedb0efc60387093f51b6

SHA512
d294874416a4fbc61f87972b2033eff36d854746bc7384efb68effd5c5ff26eedaa6289a0cd1d2c25ec9a24d6226a339db2c918191a6192d594964a33f13a4e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
09f5643470d5845434397d0f371e6bc5

SHA1
1cc4120ce98dcc5320acd8ff78a7f68494e50d5b

SHA256
f8c3a924517c9c75f30b08581db84b24dd298bd9b06b2b8bb52b8c8ca4a06359

SHA512
cd92b7afd8376f4ec47fe07580778e6faaf4fb7f71dccb2cb9dcba3ed3b131ada5f9963c6c5b7975c815a8d21b7a9f002cc242848fe285a78a7a11242647044e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
05b5abac121867bfba313ddec180309d

SHA1
871ea03578e542ce90acec823c36153bc81cd7f4

SHA256
ef667cb08ed64ef2540deb878c05ae10861a36aff045507c2357895b439aa573

SHA512
62330497a94de41a6b36ab77f10b81201f6bead1c64a9700fcffe0972b6d3fc4b81e2984f296c5c4af27e3b302971f7d3cd23cf2bb86222af673a79150221a93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
d58333535b5305061d499270adac405a

SHA1
f9949f467cccc543093c20d8a6f6f8fde716acb4

SHA256
36dc8070732d14fc97f9c87fbd2ac83ce2072fdfcfc9399cedff3b46200ddf4c

SHA512
c08cf4b47b368f141ab1f64be7e90ede0bd7b60dd8aac9effde269276e1931ecc3f5fcf8eb88416d48e4b38b18c67b2544e88b7fb95e4eecba8ab6b10e52f997

Download Submit
C:\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build3.exe
Filesize
238KB

MD5
4c5016714ad22bcaceebaf82ea2bae4e

SHA1
2c0a16b93b4eb61cb9df7b14a873ded3cbba1ba8

SHA256
990c567dfbd5e879e7b0969bdc4008e9397ce02f0c73fff4543eba910239a24a

SHA512
b7c103f3036d513ae10d31db166c17d5c76fec918e147ee9ebf5bca857dbdcf5f857c4b7aa2958815d35cbf8114a67d5121873e4bb937a34e89051df6c2cb9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DFD.exe
Filesize
785KB

MD5
3eb6340b76d91f54f13ab98311a0b1b5

SHA1
3c6c7cc079e2a6500ddb74faa9bb449f798a86c9

SHA256
44a7dfe0ec8beecd8ca39d293eb40da74965407d88df426ac89001b5df8fc9e2

SHA512
d96cb279ca06986fe247293bdd359c422b0dafb29be468ab7ba3c616f7ab7d514620d6833b9da5f88358879c277bbe239b5739352695f11a111e7872c75ea721

Download Submit
C:\Users\Admin\AppData\Local\Temp\1DFD.exe
Filesize
1.1MB

MD5
88652fca9ba3f89c03c4713bef23263b

SHA1
2f968f92a75670eee6f3989de345755e253ce62d

SHA256
7d913e62226728b116cfb4b37e691b729e29dc49244127a47257a463468bc08b

SHA512
5e94aa6e0875e041d9111fff9d9db3a53aac34306a2715326f49752ed702cedfb5e445f6afb1fccb10659f8243c15cf0290834bd11941134ca0310f5d1f97ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\44B0.exe
Filesize
1.9MB

MD5
7cbbb5ba8f980fdae3561eb1ab9ab9ee

SHA1
6708542a67d0022e1c7c186327037ab9589576e5

SHA256
1131d275fd9ab6d63c36d5e458704b289ac7174ef50c89331b9df75d1d9b518f

SHA512
812dc188347326f4120d597eb5ca0ae808a83060cebd5823a4dfa63729c55be2542c84c463c174032b0e3c016aaf9146156aeb6fb95c5f7b86ef85eef73b3d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\44B0.exe
Filesize
2.0MB

MD5
8e6205330ba21c6f833e502ff088d854

SHA1
0e8cd55d325c800052cf54acf5e25ec28dff69a1

SHA256
a230f4c5a00190c9243f1e488d2c333ebb056b276d48bf1987a2752d4d45889d

SHA512
f2fffb9582541781f6055c1c2acf5a65e533c3e0a0293bbdd61d1dd55431c91fb0c99c7cba3ff3fa3d40fe88e9b5cd791e22d2d7e0e2d73864fde3522daed8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9E13.exe
Filesize
238KB

MD5
8c20d9745afb54a1b59131314c15d61c

SHA1
1975f997e2db1e487c1caf570263a6a3ba135958

SHA256
a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

SHA512
580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B368.exe
Filesize
819KB

MD5
b92eb27c178c804767eee6f9c2c0b66e

SHA1
da8d5133b085faf3f731c45d168e2a0ceb0dc7c5

SHA256
d4a51583f027a637d090b5c4a7635584cde48e58752758d18ba339e473f14404

SHA512
baebb63dbb6cbcbf008bd6cf5d746ef4032242c3f7892b0b4ba8d7b12780b79ff6087add00b3dd11d7c468c01ad7bc167bdf6a7f2be28647c5c8fc6128a804d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
117KB

MD5
08491791825ac28e42236ce64d8bc2b5

SHA1
b2dafa3bba5596d2a718b05be3d725e22136b3bc

SHA256
5a730a38cc7acfb8f2c246669ff01e753fbe60a79996c798faa96300eda55278

SHA512
2f3deb5d97e44af42044e4f19c3ad9d261f05f5868a7d014e6e8f3d2e97915c634ec8bd1009656e448f57c8e4869e278c95853ad8b1beeccd4b37d32c878bb1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBD3.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6B.exe
Filesize
2.1MB

MD5
2b89b8bf056dcb43c32cdf45a17832d2

SHA1
b2bfca8c6693a75865c6376abbc196c125925713

SHA256
87727e68221c19fbbe077569629145a8607f747c66c40074b48bc66532e8e4e9

SHA512
64c2e54a637b81fd0cf09e0e550c85e1c0e16eae9aa308af92950980cbeb25485d6ec28ef69c58d160e986b2f39af97d5443bbc8453f9dd6ac525ed4d9ea7fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
Filesize
159KB

MD5
11ad60c9ff6b989b234e0bd302735d0a

SHA1
5a7e970e97814ea4bfaaea5868904f47c7798b78

SHA256
e4bf4051fdc7193ef5326198fc7ee3dcc8316bd57c6697b73b5c6b6534090e84

SHA512
914bddcd4990ea0b55e88d7830b8b4a4f45876120d9495cdb26f34d50af08f4a86848ae1a16f60d36ec5b155dd9ed72a38adec2d392a5b8e73de31814aecfc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
Filesize
145KB

MD5
c6bc0086cbb2f1e6baf84f15904cc4ec

SHA1
bda9319ca2b71b1d79a1798891bd56655b5e6ff6

SHA256
ee8bb2b283b1ba8f701d9d7dbeb338c18144b89b19f9e1d1d5cd31e6521c2f42

SHA512
7437fad3f3a26173e107c60ec5d053123a994830d3e95fe7433909ebd88b07bb44683ce624883d73715e3de9350273905ab052f1619638623be4f8068629361f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar19EB.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe
Filesize
133KB

MD5
6c96164faac51398f9c793ded3a01e47

SHA1
858972038e9d3ba11e3cdab0020166116654c733

SHA256
3934890e29aa3735ae9cd43639bb5abdfdfc3a0261b9075613417e2dbd8bfcf8

SHA512
053973a8aaccbe749a4232255da8db592b69d2f63984cb2ceef1cdff66d05c859855dbac7675ac379c16ba97844c305e5463167d8cb0bd450d6c936cd8e54964

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe
Filesize
24KB

MD5
821676285bb2e751bc235a187e8c685a

SHA1
481df18e02d2e3695feedc8751fdc2798928780d

SHA256
89b7137d1f043f602d5f2e2bdbb2a27b113e9b01770c95062c0581f403026593

SHA512
87d3006ea6594460fc2af36ecef463668477382232ffa58ffa76decd9a68e8cd52a6cf9c876896d6b8185cb2f39ad8c1a16a7323e1ce31b109bf99c07b2822f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
Filesize
4KB

MD5
41d8bf7c177538b766313b644adcbd2f

SHA1
06010b896a8b3a1064506955d6a645e2396500ed

SHA256
7817722181a259dfff86283d81f964298eb6904fa7e290598c53239d35841b55

SHA512
5dd78946400b4178bc805b09522f022e694878350b1ef8cf6b8555399c6b69c2252b3e292ab81439bb0924c8d22c5020053bce972ee132557dd5113ddc564f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
Filesize
39KB

MD5
8e6a69b23fb8eb6ad5f5bba23c6fa101

SHA1
c224238b2ccb98d92ec79453166b44d127267876

SHA256
bc2e8b575cc5d91250385093ac09b5aa20870d03a670f3b6b1b9b87e9081f676

SHA512
e5632f8d9ca9b80c2f197e5990ef656b87d78eecd4a14251c6bb062c36aca59810f6f7a347dc820dea15d755dca03e0be579c48f882709f97ab6de59d143d0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-11HS5.tmp\april.tmp
Filesize
245KB

MD5
f7a99d7c50a84d1becaf640a63bd8553

SHA1
cb486a571c3658e9cce7d53cddd5b0e2dc0fc22f

SHA256
8a29b8cead664eba6875ccf9c13a25b34da8f80194c48815d185eaf2738735ce

SHA512
0427641e5e1ab27d1b789ee6082e263041205de475cb795f0c849c290f921a096c3e22c59fbbab764bbebc281370c1e7d68b0378ab91d2bcd7e1e5bcb5d7a551

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj53CD.tmp
Filesize
145KB

MD5
2cb03bc0ce43205b7e01cbeadaadb252

SHA1
ba7ae6571a27adbdfd7bfea73f4d3c4743e4eb0d

SHA256
1bd31aed54b5aac7d7f3fc23a6cec5ced0e431d46a8bc2299bbbca675bdddcb5

SHA512
6b6deb54d17575efe82a9baad708b0e31d32554289906f286dc5ac521896c85f8001ab257f16df57022a2a4d1b30e1ba22ac9d54e89434d5a748af182d6e8e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
131KB

MD5
72b6457cdbf238a72ef063aba9954b1e

SHA1
3d09a5a29541a2add4445f59fe0276f0c27613dc

SHA256
a187945257de8e7fa69d343978a118804fb14b0b28b336b44ba3ac5d4fc8f7d2

SHA512
cfee41c37cf2edee472675d1598201ac26153271c32196069076471145477926fdbf3d2f1a2cf752f1e1c8534e50bba4c001263a7317a8d734f2fe65bdfb5ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
\??\c:\users\admin\appdata\local\temp\is-11hs5.tmp\april.tmp
Filesize
198KB

MD5
38ec60157869abe65ec681121805eb69

SHA1
b687b93957077c2b76a9e7fa9b776ab02303d715

SHA256
1acf02bb27064cceb6b6af6e3fa62fccfd5dd8a6c83ec504a011297370e4b00c

SHA512
5a793ea7a17cd25600369a23e49d745d57b3dd461b570c499c48a1eef8936e9e441e41234256be897726b21c8cbe37e5c30f6cc831c46117f74e1858c35ef1ae

Download Submit
\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build3.exe
Filesize
18KB

MD5
0902bf0382fb0f2e5c5f67e23245d08d

SHA1
53598fa7d6ee5a88b27032370a94bc6dcb29f63a

SHA256
e86dfbd416a7d8fbf297e097d04eff5a278ddb22cf7ea8a74ff4364e3441f803

SHA512
df9d497ac984c069a60ffc4f9d0dc5808c6062bb1cdd18956673c3f4c14c02af92b1d6e359d659e4788c66e62344af4e531b13011096458d1000581384585afd

Download Submit
\Users\Admin\AppData\Local\2fb12086-28cf-49a2-857a-453f014ec9d2\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
208KB

MD5
d75344cf7a12acd0e65250f4e48bb3de

SHA1
829d9ae4a9d8467be2e2b49d1420c0bdda3b333d

SHA256
c9f11ec177ef92c11ac12458aa8c50d34b57e8ad432e1af8628c5a7f6eeab223

SHA512
80edb1d92d6bdf63c67e3191868cd39f109c8101386ccd06e45360a465c86d7247b8d428de108cedb94a0ba5444093ca6454bc5b0ca588d4d277faa7de0d79f0

Download Submit
\Users\Admin\AppData\Local\Temp\D6B.exe
Filesize
1.3MB

MD5
663c2ddb7705c262812133c1edd722bd

SHA1
e843408f075cf1af70809a377ae342d332cc0767

SHA256
8f4d4578918927854b30f67967813f449580457131eeb42365a5dfae0f4a8dda

SHA512
d66686f9ac58f7c6424648f5da695282e90df76d974573abc484dae79dd6210f39a3367839b8d2d3e9aaeab32c9666804b298a0f83d744356f704b5c5d9a03a5

Download Submit
\Users\Admin\AppData\Local\Temp\D6B.exe
Filesize
1.4MB

MD5
4e885e8e0692b4a45354bb5fb435822f

SHA1
3602b50e531227d4f05185cbbc76344b779640b3

SHA256
8c2eb3f719b1e8ee10b491fb626ae0de0bc8b4c2b982d8a14b6af49da17bb7d1

SHA512
34c385775eab3278eab5c0e9da840ec267586499eeacf78d2de4e25a51485975391518a34bccd8465fb8d2927babdd9c23fad139fc2473daeca8bfcd6aff4a11

Download Submit
\Users\Admin\AppData\Local\Temp\D6B.exe
Filesize
1.1MB

MD5
fcda8e14e111ff5b462b3bc14d7a209b

SHA1
e636f8c0e34eb50414422b21627be8cf3aa8b945

SHA256
e559ce05d61e714ff25224776a0fc5cec17e4931fe04c9d6905f3829052601f7

SHA512
86c6d8bfd492726f62d3c141e57f68596af6bca5dc25a44f08b2f0bd92ac23e828f769fc6e0aabcbdb9ef962619a4d65265e25d9a22f0e2ba713d252d09c6ef4

Download Submit
\Users\Admin\AppData\Local\Temp\D6B.exe
Filesize
876KB

MD5
8c25d870b3cc4118c65e4197085d8085

SHA1
c9fdf5f7e21e74928a08c22df1158e8cce03b158

SHA256
6ae2af65a992865ce96c94dae5b2c185dd0519db49d392854d94e630802e6511

SHA512
26fd888fbf39936fc3c82f55bef02f1de7b8ee1c16eca9d9c89cd6d65f3b516af151c81a756b680f7183cd33f7192b11d0c30d00ee2d645302ba356e0758f5de

Download Submit
\Users\Admin\AppData\Local\Temp\D6B.exe
Filesize
1.1MB

MD5
21b13446d1915215e6a602678c1561c5

SHA1
0d6eb8577a85c26f013893888788d3c45282ff62

SHA256
3640711cfcc06e2976d6f0c078b95c7165f2dc4a24abf9eb06ecbe65d46b1b91

SHA512
d50b9081462c90876d8e5704a1260b7d39a42c2d3273f431dba5fe5cec2ee00d28998810b2119f6cae6f62af817f673f2a1f0efd5104f5d942e241719d6d9db6

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
Filesize
45KB

MD5
340b1683c7f31eade2383e5e67c84817

SHA1
9d73425c3db2295a0e58b41ff425041807089123

SHA256
0a3cdce66c251198465c36986e82ca335b8e362bbbfed3007617dc752fed0d9e

SHA512
cc936fa1a5b7fd12702dac490bc71fc68a25decfa73331b6c90f65d11b48c0675b560b6d45b4054fcab412b6ba6e5ff87476fc86b3da03a8cc8e26c160cf3470

Download Submit
\Users\Admin\AppData\Local\Temp\april.exe
Filesize
2KB

MD5
3294ac0f509424aeb50fb4d4f639c664

SHA1
dd27235dd8b0abc37b92970473dbef38b8dd4641

SHA256
cc7415a0eff6e2592d54a49d793f6d4215ed73a97dee3a95ac934f1eb237f958

SHA512
39eaa6ab8d785e7537387b71f33e6232dc561230aaa72c1273fcc8787a32eeef11710b74ae4ba7808f029b6bb52ca5405053db0993d3f3f5417f2d129b48977b

Download Submit
\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
Filesize
253KB

MD5
84102b8bede74e0f1dad7e7698fa91c7

SHA1
4867e85a34db7d2e0d3036932fc1e306f57d41d3

SHA256
836447e0d9a8639985e998624d0a26696534b4fe8d67ac045bf024734ef4a5d7

SHA512
9506657866d1be844faf986e66625e18162f34382032d3b87c241181e7c970143eeef1bb47874bbebda2c362bc6206c167b83b2e90f6c4828c26c5d67c204550

Download Submit
\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
Filesize
45KB

MD5
27e43fcbb4515529842feee2a4cad2b8

SHA1
def50711b011d6bb1dc218d0ea77c18d41cfee84

SHA256
762afe32537c6543731a1afae455f64c3bea458a408d25ba2714b12e126a4d17

SHA512
0c6958782a9894edbb1b894c0c193e2c4fd17377e2802bcacfd1a73c3942e5a67f09caef9333f913a5efc090a9a44f7fce0d692549b9908e32884ad6e493a598

Download Submit
\Users\Admin\AppData\Local\Temp\is-11HS5.tmp\april.tmp
Filesize
2KB

MD5
e85027a4637a9b4cdadf3312465d9c94

SHA1
c8a98355984b4314fb823049701ab4b05e5c0b82

SHA256
b21e494e7ec7a8ba917c7096c4cd8cd5a5bc2707431188a906003000e87b6d46

SHA512
fabb5a708ec19805abb0a523ec93e186be84a7967be2cab84e4ebf096fdd96aa05cb70126aafe274ae9f09903b41cb7af7a422ee6b114abe52556d748983f3dd

Download Submit
\Users\Admin\AppData\Local\Temp\is-PF6AA.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-PF6AA.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-PF6AA.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\nsy4CD9.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
memory/336-692-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/336-682-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1036-197-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1036-207-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1036-181-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1036-184-0x00000000013C0000-0x0000000001F1B000-memory.dmp

Filesize
11.4MB

Download
memory/1036-183-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1036-187-0x00000000013C0000-0x0000000001F1B000-memory.dmp

Filesize
11.4MB

Download
memory/1036-188-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1036-218-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1036-217-0x00000000013C0000-0x0000000001F1B000-memory.dmp

Filesize
11.4MB

Download
memory/1036-190-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1036-192-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1036-195-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1036-205-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1036-186-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1036-200-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1036-202-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1036-514-0x00000000013C0000-0x0000000001F1B000-memory.dmp

Filesize
11.4MB

Download
memory/1036-212-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1036-210-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1068-529-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1068-644-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1116-226-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1116-180-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1116-162-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1116-228-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1116-179-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1116-485-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1116-229-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1200-465-0x0000000000870000-0x0000000000970000-memory.dmp

Filesize
1024KB

Download
memory/1200-466-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1244-4-0x0000000002A10000-0x0000000002A26000-memory.dmp

Filesize
88KB

Download
memory/1244-29-0x00000000038D0000-0x00000000038E6000-memory.dmp

Filesize
88KB

Download
memory/1516-648-0x0000000002A60000-0x000000000334B000-memory.dmp

Filesize
8.9MB

Download
memory/1516-800-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1516-782-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1516-657-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1516-645-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/1748-63-0x0000000000750000-0x00000000007E2000-memory.dmp

Filesize
584KB

Download
memory/1748-73-0x0000000000750000-0x00000000007E2000-memory.dmp

Filesize
584KB

Download
memory/1772-959-0x00000000009B0000-0x0000000000AB0000-memory.dmp

Filesize
1024KB

Download
memory/1996-3-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1996-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/1996-5-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1996-1-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2036-307-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/2036-306-0x00000000002E0000-0x00000000003E0000-memory.dmp

Filesize
1024KB

Download
memory/2124-524-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-492-0x0000000072D10000-0x00000000733FE000-memory.dmp

Filesize
6.9MB

Download
memory/2124-493-0x0000000000850000-0x0000000001614000-memory.dmp

Filesize
13.8MB

Download
memory/2196-475-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2204-898-0x0000000000912000-0x0000000000922000-memory.dmp

Filesize
64KB

Download
memory/2296-768-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2296-586-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2296-587-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2296-588-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2296-769-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2296-789-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2296-790-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2368-635-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2368-592-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/2368-594-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2368-634-0x00000000026C0000-0x0000000002AB8000-memory.dmp

Filesize
4.0MB

Download
memory/2368-593-0x0000000002AC0000-0x00000000033AB000-memory.dmp

Filesize
8.9MB

Download
memory/2532-647-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2532-537-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2576-41-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2576-62-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2576-40-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2576-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-37-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2616-656-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2616-568-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2620-787-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2620-819-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2620-786-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/2648-591-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-570-0x0000000002580000-0x0000000002978000-memory.dmp

Filesize
4.0MB

Download
memory/2648-571-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-572-0x0000000002980000-0x000000000326B000-memory.dmp

Filesize
8.9MB

Download
memory/2680-30-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2680-18-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/2680-19-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2920-908-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2920-881-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2956-26-0x0000000001C00000-0x0000000001C92000-memory.dmp

Filesize
584KB

Download
memory/2956-27-0x0000000001C00000-0x0000000001C92000-memory.dmp

Filesize
584KB

Download
memory/2956-879-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2956-805-0x0000000000312000-0x0000000000322000-memory.dmp

Filesize
64KB

Download
memory/2956-882-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/2956-28-0x0000000001CA0000-0x0000000001DBB000-memory.dmp

Filesize
1.1MB

Download
memory/3064-569-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/3064-313-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download