dcrat | d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

6.3MB
MD5

c67cb967230036816fd0cbbfd96959c6
SHA1

d2fe988a302dce4bc0f34a1003a623f96a06b250
SHA256

d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76
SHA512

2f51046e44bdfa470f676071c69da8c05d50d8f79e748748f25ac13ec53d346f1c3988148000fea3ece38623fd629d1b3dcc943006e80b7bee95da7f1f42920c
SSDEEP

196608:GHqO3grg0lAc4G+JCJjsP8BXkf/hmzJzFYngA13jvHKvj4:GHzCOc4G+oB0BmdFY31zq

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exenetsh.exed21cbe21e38b385a41a68c5e6dd32f4c.exeschtasks.exe

pid	process
1524	schtasks.exe
2228	schtasks.exe
2444	schtasks.exe
436	schtasks.exe
1604	netsh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
960	schtasks.exe

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/844-525-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/2108-529-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2108-760-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-303-0x0000000001D30000-0x0000000001E4B000-memory.dmp	family_djvu
behavioral1/memory/1912-305-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1912-316-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1912-318-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1912-351-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3052-364-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3052-365-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3052-388-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3052-387-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3052-393-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3052-396-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3052-395-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/3052-674-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2336-42-0x00000000029E0000-0x00000000032CB000-memory.dmp	family_glupteba
behavioral1/memory/2336-43-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2336-68-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2336-69-0x00000000029E0000-0x00000000032CB000-memory.dmp	family_glupteba
behavioral1/memory/2168-74-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2168-115-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2392-139-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2392-250-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2392-280-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2392-281-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2392-298-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2392-359-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2392-389-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/924-761-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/924-768-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1764-776-0x0000000002AB0000-0x000000000339B000-memory.dmp	family_glupteba
behavioral1/memory/1764-777-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1764-780-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
3044	bcdedit.exe
2860	bcdedit.exe
1960	bcdedit.exe
2936	bcdedit.exe
544	bcdedit.exe
2624	bcdedit.exe
2712	bcdedit.exe
1784	bcdedit.exe
2992	bcdedit.exe
2000	bcdedit.exe
2264	bcdedit.exe
2104	bcdedit.exe
832	bcdedit.exe
2308	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1604 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
1604	netsh.exe

Executes dropped EXE 33 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exeInstallSetup9.execonhost.exeBroomSetup.execonhost.exed21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exeinjector.exepatch.exeC986.exeE0AF.exeE0AF.exeE0AF.exeE0AF.execonhost.exe41A4.exebuild2.exe4BF0.exebuild2.exebuild3.exewindefender.exewindefender.exebuild3.exe712D.exeInstallSetup3.exeapril.exeapril.tmpc53cfff621a84792162f70e790980e38.exec53cfff621a84792162f70e790980e38.exewebsocketconnectionroutine.exewebsocketconnectionroutine.exemstsca.exemstsca.exe

pid	process
2336	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2828	InstallSetup9.exe
2452	conhost.exe
2692	BroomSetup.exe
2560	conhost.exe
2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2392	csrss.exe
1756	injector.exe
2112	patch.exe
2268	C986.exe
1792	E0AF.exe
1912	E0AF.exe
2684	E0AF.exe
3052	E0AF.exe
2884	conhost.exe
2416	41A4.exe
844	build2.exe
1712	4BF0.exe
2108	build2.exe
1224	build3.exe
3020	windefender.exe
956	windefender.exe
532	build3.exe
2600	712D.exe
556	InstallSetup3.exe
2068	april.exe
2140	april.tmp
924	c53cfff621a84792162f70e790980e38.exe
1764	c53cfff621a84792162f70e790980e38.exe
1092	websocketconnectionroutine.exe
1672	websocketconnectionroutine.exe
1784	mstsca.exe
1640	mstsca.exe

Loads dropped DLL 56 IoCs

Processes:

InstallSetup9.exed21cbe21e38b385a41a68c5e6dd32f4c.execonhost.execsrss.exepatch.exeE0AF.exeE0AF.exeE0AF.exeWerFault.exeE0AF.exeWerFault.exe712D.exeapril.exeapril.tmp

pid	process
3008
3008
3008
3008
3008
2828	InstallSetup9.exe
2828	InstallSetup9.exe
2828	InstallSetup9.exe
2828	InstallSetup9.exe
2828	InstallSetup9.exe
2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2560	conhost.exe
2560	conhost.exe
2392	csrss.exe
868
2112	patch.exe
2112	patch.exe
2112	patch.exe
2112	patch.exe
2112	patch.exe
2828	InstallSetup9.exe
1792	E0AF.exe
2112	patch.exe
2112	patch.exe
2112	patch.exe
1912	E0AF.exe
1912	E0AF.exe
2684	E0AF.exe
2392	csrss.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
964	WerFault.exe
3052	E0AF.exe
3052	E0AF.exe
3052	E0AF.exe
3052	E0AF.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2600	712D.exe
2600	712D.exe
2068	april.exe
2600	712D.exe
2140	april.tmp
2140	april.tmp
2600	712D.exe
2140	april.tmp
2140	april.tmp
2140	april.tmp

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2900 icacls.exe

pid	process
2900	icacls.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3020-612-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/956-631-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/3020-633-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/956-774-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

E0AF.execsrss.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0daf64dc-6b16-4781-8d44-84f2d57dbb00\\E0AF.exe\" --AutoStart"	E0AF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.2ip.ua
61 api.2ip.ua
35 api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
36	api.2ip.ua
61	api.2ip.ua
35	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

E0AF.exeE0AF.exebuild2.exebuild3.exemstsca.exe

description	pid	process	target process
PID 1792 set thread context of 1912	1792	E0AF.exe	E0AF.exe
PID 2684 set thread context of 3052	2684	E0AF.exe	E0AF.exe
PID 844 set thread context of 2108	844	build2.exe	build2.exe
PID 1224 set thread context of 532	1224	build3.exe	build3.exe
PID 1784 set thread context of 1640	1784	mstsca.exe	mstsca.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exec53cfff621a84792162f70e790980e38.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File opened (read-only)	\??\VBoxMiniRdrDN	c53cfff621a84792162f70e790980e38.exe

Drops file in Windows directory 5 IoCs

Processes:

makecab.execsrss.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20240204082353.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

912 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

964 2416 WerFault.exe 41A4.exe
2380 2108 WerFault.exe build2.exe

pid	process
912	sc.exe

pid	pid_target	process	target process
964	2416	WerFault.exe	41A4.exe
2380	2108	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

C986.execonhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C986.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C986.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C986.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

conhost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	conhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	conhost.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

960 schtasks.exe
1524 schtasks.exe
2228 schtasks.exe
2444 schtasks.exe
436 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2416 timeout.exe

pid	process
960	schtasks.exe
1524	schtasks.exe
2228	schtasks.exe
2444	schtasks.exe
436	schtasks.exe

pid	process
2416	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

windefender.exed21cbe21e38b385a41a68c5e6dd32f4c.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

patch.execsrss.exebuild2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

conhost.exed21cbe21e38b385a41a68c5e6dd32f4c.execonhost.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

pid	process
2452	conhost.exe
2452	conhost.exe
2336	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2560	conhost.exe
1260
1260
1260
1260
1260
1260
2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260
1260

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

conhost.exeC986.exe

pid process

2452 conhost.exe
2268 C986.exe

pid	process
464

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exesc.exec53cfff621a84792162f70e790980e38.exe

description	pid	process
Token: SeDebugPrivilege	2336	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	2336	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeShutdownPrivilege	1260
Token: SeSystemEnvironmentPrivilege	2392	csrss.exe
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeSecurityPrivilege	912	sc.exe
Token: SeSecurityPrivilege	912	sc.exe
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeShutdownPrivilege	1260
Token: SeDebugPrivilege	924	c53cfff621a84792162f70e790980e38.exe
Token: SeImpersonatePrivilege	924	c53cfff621a84792162f70e790980e38.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

april.tmp

pid process

1260
1260
2140 april.tmp
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1260
1260
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

2692 BroomSetup.exe

pid	process
1260
1260
2140	april.tmp

pid	process
1260
1260

pid	process
2692	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

InstallSetup9.exed21cbe21e38b385a41a68c5e6dd32f4c.execmd.exeBroomSetup.execsrss.exec53cfff621a84792162f70e790980e38.execonhost.exewindefender.exe

description	pid	process	target process
PID 3008 wrote to memory of 2336	3008		d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 3008 wrote to memory of 2336	3008		d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 3008 wrote to memory of 2336	3008		d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 3008 wrote to memory of 2336	3008		d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 3008 wrote to memory of 2828	3008		InstallSetup9.exe
PID 3008 wrote to memory of 2828	3008		InstallSetup9.exe
PID 3008 wrote to memory of 2828	3008		InstallSetup9.exe
PID 3008 wrote to memory of 2828	3008		InstallSetup9.exe
PID 3008 wrote to memory of 2828	3008		InstallSetup9.exe
PID 3008 wrote to memory of 2828	3008		InstallSetup9.exe
PID 3008 wrote to memory of 2828	3008		InstallSetup9.exe
PID 3008 wrote to memory of 2452	3008		conhost.exe
PID 3008 wrote to memory of 2452	3008		conhost.exe
PID 3008 wrote to memory of 2452	3008		conhost.exe
PID 3008 wrote to memory of 2452	3008		conhost.exe
PID 2828 wrote to memory of 2692	2828	InstallSetup9.exe	BroomSetup.exe
PID 2828 wrote to memory of 2692	2828	InstallSetup9.exe	BroomSetup.exe
PID 2828 wrote to memory of 2692	2828	InstallSetup9.exe	BroomSetup.exe
PID 2828 wrote to memory of 2692	2828	InstallSetup9.exe	BroomSetup.exe
PID 2828 wrote to memory of 2692	2828	InstallSetup9.exe	BroomSetup.exe
PID 2828 wrote to memory of 2692	2828	InstallSetup9.exe	BroomSetup.exe
PID 2828 wrote to memory of 2692	2828	InstallSetup9.exe	BroomSetup.exe
PID 2828 wrote to memory of 2560	2828	InstallSetup9.exe	conhost.exe
PID 2828 wrote to memory of 2560	2828	InstallSetup9.exe	conhost.exe
PID 2828 wrote to memory of 2560	2828	InstallSetup9.exe	conhost.exe
PID 2828 wrote to memory of 2560	2828	InstallSetup9.exe	conhost.exe
PID 2168 wrote to memory of 2504	2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2168 wrote to memory of 2504	2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2504 wrote to memory of 1604	2504	cmd.exe	netsh.exe
PID 2504 wrote to memory of 1604	2504	cmd.exe	netsh.exe
PID 2504 wrote to memory of 1604	2504	cmd.exe	netsh.exe
PID 2168 wrote to memory of 2392	2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2168 wrote to memory of 2392	2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2168 wrote to memory of 2392	2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2168 wrote to memory of 2392	2168	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2692 wrote to memory of 924	2692	BroomSetup.exe	c53cfff621a84792162f70e790980e38.exe
PID 2692 wrote to memory of 924	2692	BroomSetup.exe	c53cfff621a84792162f70e790980e38.exe
PID 2692 wrote to memory of 924	2692	BroomSetup.exe	c53cfff621a84792162f70e790980e38.exe
PID 2692 wrote to memory of 924	2692	BroomSetup.exe	c53cfff621a84792162f70e790980e38.exe
PID 2392 wrote to memory of 1756	2392	csrss.exe	injector.exe
PID 2392 wrote to memory of 1756	2392	csrss.exe	injector.exe
PID 2392 wrote to memory of 1756	2392	csrss.exe	injector.exe
PID 2392 wrote to memory of 1756	2392	csrss.exe	injector.exe
PID 924 wrote to memory of 2404	924	c53cfff621a84792162f70e790980e38.exe	chcp.com
PID 924 wrote to memory of 2404	924	c53cfff621a84792162f70e790980e38.exe	chcp.com
PID 924 wrote to memory of 2404	924	c53cfff621a84792162f70e790980e38.exe	chcp.com
PID 924 wrote to memory of 2404	924	c53cfff621a84792162f70e790980e38.exe	chcp.com
PID 924 wrote to memory of 1524	924	c53cfff621a84792162f70e790980e38.exe	schtasks.exe
PID 924 wrote to memory of 1524	924	c53cfff621a84792162f70e790980e38.exe	schtasks.exe
PID 924 wrote to memory of 1524	924	c53cfff621a84792162f70e790980e38.exe	schtasks.exe
PID 924 wrote to memory of 1524	924	c53cfff621a84792162f70e790980e38.exe	schtasks.exe
PID 2560 wrote to memory of 3020	2560	conhost.exe	windefender.exe
PID 2560 wrote to memory of 3020	2560	conhost.exe	windefender.exe
PID 2560 wrote to memory of 3020	2560	conhost.exe	windefender.exe
PID 2560 wrote to memory of 3020	2560	conhost.exe	windefender.exe
PID 3020 wrote to memory of 2416	3020	windefender.exe	41A4.exe
PID 3020 wrote to memory of 2416	3020	windefender.exe	41A4.exe
PID 3020 wrote to memory of 2416	3020	windefender.exe	41A4.exe
PID 3020 wrote to memory of 2416	3020	windefender.exe	41A4.exe
PID 1260 wrote to memory of 2268	1260		C986.exe
PID 1260 wrote to memory of 2268	1260		C986.exe
PID 1260 wrote to memory of 2268	1260		C986.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
PID:3008
- C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:924
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1524
- - C:\Users\Admin\AppData\Local\Temp\nsi5DEA.tmp
    C:\Users\Admin\AppData\Local\Temp\nsi5DEA.tmp
    3⤵
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsi5DEA.tmp" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      PID:3020
- C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
  2⤵
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
  "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    - DcRat
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        DcRat
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:1604
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Manipulates WinMon driver.
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2392
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1356
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:960
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2112
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:3044
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2860
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1960
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2936
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:544
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2624
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2712
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1784
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2992
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2000
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2104
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:832
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2308
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        5⤵
        
        PID:2884
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2264
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2228
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:912

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204082353.log C:\Windows\Logs\CBS\CbsPersist_20240204082353.cab
1⤵
- Drops file in Windows directory
PID:1908

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
1⤵
- Delays execution with timeout.exe
PID:2416

C:\Users\Admin\AppData\Local\Temp\C986.exe
C:\Users\Admin\AppData\Local\Temp\C986.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2268

C:\Users\Admin\AppData\Local\Temp\E0AF.exe
C:\Users\Admin\AppData\Local\Temp\E0AF.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1792
- C:\Users\Admin\AppData\Local\Temp\E0AF.exe
  C:\Users\Admin\AppData\Local\Temp\E0AF.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\0daf64dc-6b16-4781-8d44-84f2d57dbb00" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2900
- - C:\Users\Admin\AppData\Local\Temp\E0AF.exe
    "C:\Users\Admin\AppData\Local\Temp\E0AF.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\E0AF.exe
      "C:\Users\Admin\AppData\Local\Temp\E0AF.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3052
    - - C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build2.exe
        
        "C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:844
      - C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build2.exe
        
        "C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1452
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2380
    - - C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build3.exe
        
        "C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1224
      - C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build3.exe
        
        "C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3334116161126757299-537465315-1705160347-16341660713555295841764566971-1207066084"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "497461451-16197378441498815242204176882970610613-38084750012578214361787552181"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2452

C:\Users\Admin\AppData\Local\Temp\41A4.exe
C:\Users\Admin\AppData\Local\Temp\41A4.exe
1⤵
- Executes dropped EXE
PID:2416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 96
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:964

C:\Users\Admin\AppData\Local\Temp\4BF0.exe
C:\Users\Admin\AppData\Local\Temp\4BF0.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-159577288-14040832352099642057793724348-12661534821616702938908852926-1896038287"
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:956

C:\Users\Admin\AppData\Local\Temp\712D.exe
C:\Users\Admin\AppData\Local\Temp\712D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600
- C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Users\Admin\AppData\Local\Temp\april.exe
  "C:\Users\Admin\AppData\Local\Temp\april.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\is-336JF.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-336JF.tmp\april.tmp" /SL5="$1021C,7683695,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:2140
  - - C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe
      "C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe" -i
      4⤵
      Executes dropped EXE
      PID:1092
  - - C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe
      "C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe" -s
      4⤵
      Executes dropped EXE
      PID:1672
- C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
  "C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
    "C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe"
    3⤵
    - Executes dropped EXE
    - Checks for VirtualBox DLLs, possible anti-VM trick
    PID:1764

C:\Windows\system32\taskeng.exe
taskeng.exe {3F2944C0-6DE8-4746-8A17-27B6EF0A8A4C} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]
1⤵
PID:2792
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1784
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1640
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
3769f53ac22cdf6658c874805d9983a5

SHA1
53ba470f9cd12bbfde1d1149bcad0029e0f8a84f

SHA256
87ec66df2ed0afbd05a6094ba5ad5bc5b3ef6807828d00323b1addb6addd1c17

SHA512
56ce76ea6aeaaafac14128912b31e12a16a2ca85b97ece7f3034bea5ca3b249c0cfe974b2823f35d38c46d6b3faa7278732b183a86c85f469c422384f08f2925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
4b561ad451dd6a802bb30101df68a5e6

SHA1
a457e720d47943b4060213a858e68eee8d610224

SHA256
2fab171e29e57e70561ad301d8379cecbe40fcad4f81326d385ed1480aa9a131

SHA512
4725098c480ffdea15c03e351af491417dc6a4788cbb81f033a83db6b61d201fc7cdcd38f3440c7276784451f756253471219426ac7483a2f4d673372cce179a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b9089c6331032d76d94e37f2c437502

SHA1
6f4346d6e548a01894e73b5afeb0a68a2db46ce6

SHA256
f05890d59d22097280fc75991eaa734c3c909250909b9e8793396abbe3df8955

SHA512
69a69f901dbaf297d203de9ca28111f4ee9bfcb17d4231eb4fc7a245bcd5e4e6f0c0a3bc40753955ae72cf19dc0c88a8111f806e81905b9d5192494cd0547026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
068f31af536fb68eeae1987cde199e75

SHA1
6bfe7fa6b228dd39af80bd29b0e04a1550c266a2

SHA256
f7ca16e0cbfdad53b12f8c9e9a73553e20ba20e78c21b1c212fb3dfff0a4ecd2

SHA512
c68764f65a26c03efd5c69f198b7b2a516902f9fd74a1c0f6faa4d1628253877f21988d5bad7edac9c2a4dd42300cf3d4c6f01488d86c99f0f4365621260d98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3f27d8d6710567221643d37ca8810f6c

SHA1
43e25a5aae4802d97219d29aeea534217fd79bf6

SHA256
b01295588218442ed5c07ea851c408ed41966e3bb7dd58bdae98504f188f55bb

SHA512
ece7607db7a458d8aff30afbf60c29af9debd36a9877fa8990d2f89958fd4eb1a7639b800c03b594097f0cd8607ad10559d4f175d1aa87d81405dd36c74abdb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
155b4708fad7a568311c71e1f4f3d550

SHA1
2bc314c0bfc1d3096553a725722e08e182a022eb

SHA256
fb93c75c891d94fa1ea170c1dc2907d612c4167eed1b46d556d056147d4cb89f

SHA512
205e77926800f1bedfdfac54ec15f048290b06985fe5cc04e77a730161605a103a7c735d7ab24d76ba3268dff8ecb59399bf4db9b5010fbad032b61ec7bcba05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
539abdb07def01bc03085e5601677b17

SHA1
fe5d438a51a5f60718515101550bf09088490e20

SHA256
f0c13696953fa558fe5c2340fa87a13361101601d7b5b0e328590392d28ee04e

SHA512
f491ee505581269d3a86089a234e07db9aa6096866f086f9e1ea8a46398009752f401283b453baa443701b910acec639668510d8c5fe058e7a9b31aab02afe17

Download Submit
C:\Users\Admin\AppData\Local\0daf64dc-6b16-4781-8d44-84f2d57dbb00\E0AF.exe

Filesize
337KB

MD5
55f7fb782cb8426d7ff5ef6393c0bf31

SHA1
27d0cdb642477353934f91f52879d94faffb0f08

SHA256
5b5185dc680d43d6f96ccaa3a069de8e1f4f95b31271eb0990f2a26aa0869938

SHA512
f40c32401219e64cc84ae3956d8990e2cc1bcbfbf4cc43eb6dcfd37328f07491ae16b6e33d3a14ab77d592eabbcf5ad462d291c1e0c67afa5acc67a13d48c0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\41A4.exe

Filesize
268KB

MD5
3471a3018afee1fb34d463a3d9f61366

SHA1
d036e4b2974b291cea8de675858244d0b11aa943

SHA256
0b1e60f97079e9faa44e75baff723cf3793fbc84e5e638b0acd654836b94a4ff

SHA512
610d4793a404ba3449e08f8f3c040d3d6dae451b047f2d7d98982453058c05b19d22ef817da2c69e5319fa369d3bbc30689528516004da8d3b89f5bee98ff478

Download Submit
C:\Users\Admin\AppData\Local\Temp\4BF0.exe

Filesize
1006KB

MD5
553285ecbeb6f0b4c3d31d34e182792d

SHA1
96a3e4dc75fc1bb748c416fb079b19cbd77f2d38

SHA256
a81a6c2290116f3b0caa0d56885cabe75b65f0d7a48b533390cb6890276ebd85

SHA512
9dd637afb4af840b24ef2677d9e2f2ed0287947cb6f67cfc806fc37ae45a3a337c592e459516c8e1d2a0fafede1098e6a7d616ef8391eef6cda8fa19a41f03c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
168KB

MD5
91e23d4c513853efa8dfad99ff9a22c4

SHA1
4cf39f07c05051919a68fef7afd4d553e21b6885

SHA256
b3d45ce28c48a9ed4c3e4cdea5d2b6eaa977439fc737f9d3dfaab400bddfed2e

SHA512
f54d7d21912f4c08e01ce405ff59d60b839bc6c4929849ca8615090376a15105a0ed77ff5fc1c46e638271148d593619fde7e0ec2726ccbf5b8133ebe3a3a1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\C986.exe

Filesize
71KB

MD5
3d67bacf5146d3a66245328159e96e51

SHA1
e0100c9bfabe11c9deadf56b350c257d35cf3f93

SHA256
c08cbcef3773ffa5c42417f7ae1989a5cf1b90f86d6192c872a94bff24591870

SHA512
9ab3e9e3519344ecf84e0d2777fed78919ee7d0c6e418b5caae90dff730c9bedd406bd7ac9572701360e82d31b0afe8fcc40a56d902514c1eaf4c272ed2097c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C986.exe

Filesize
168KB

MD5
0b4a307b45561c54e5432c2d1c2f76c7

SHA1
bed3ce2eb31b5c69ab8f73c9d2a55f31e265f066

SHA256
ba47dc323b614f75bb942fd50dcc3a620ae6eee2128ba635b54b3098ae8ff258

SHA512
c0126c514565076c2188861be361739fb739236964839b5f59e820e885f7e4690cc6375602d130bf4f3c0bc4cae27ece605bf50df507f04c2ddff9b75e0cad3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA6FB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0AF.exe

Filesize
92KB

MD5
8b08b30c294a7f40f79ab9bfe49f79b1

SHA1
9026da508c61c7efe309c882ea447d0d286e9871

SHA256
e38b5b973ea2c2f49d109782a45574cd2655cd28bd95ff5cbe1624f314faaa6e

SHA512
9bbdde69a0219f2f28c2a9971f073f6596fe6c8e2c05a25dce6b574c84fd23bd4143177d9bfee2c96e04456468adb5b91f2e1ea7c8a13bda19fd2c0dbec80271

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0AF.exe

Filesize
71KB

MD5
0efc56bc48caed30939e723dfaf4f455

SHA1
2d3c522b8702ba980bbc73cfdb6be09ab2121ffa

SHA256
e72f94a6951fd79b87129581ada4d836858acb5279aa79ff47f12d2498da45b2

SHA512
11e73df3be39a952d0e029b4223a283507bd016a7626a6912b6a510226f1d00de77d3127c38ac330d88b707a404b845c15f4b1c873d417e3fc4d2f17cef81ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0AF.exe

Filesize
569KB

MD5
4628eef4e6006600f0677d86b2b9dd92

SHA1
c9370f219901dc98e1f5e64509938e725049e5ec

SHA256
0ef2510dca6df74a1d10ee88ab70c90dfada8a38da5de066ee8e040c19c39c0e

SHA512
bee5c649817912fe059d32fd1d8676c8af28ddfa161e46bfb0249d3f3e5096c541b265cff1c5aac9ebda976d6a5283f02c924ac1f6710e2c424e8f6d3ae4ad04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E0AF.exe

Filesize
596KB

MD5
614b56eca73f62520e00f6defc4fc2a6

SHA1
64a88358c65cbb47967f21b6b7f7267aa01d3392

SHA256
1d89ba86a51f68a701a0d75b8b4ef7a14a786aa7f3ed5dfbc9d54cedd9d95997

SHA512
9678eae735ca8feb4b8082de3c4603dd2c589ca785ab9ed51030cbcaee2ff1591b500790f64a99b869be70dccb9722d4dbefe12fa446f5d2a6abebe2eb0bc5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe

Filesize
1.8MB

MD5
653ed50af596be9708aeaa068615c11a

SHA1
372b2709a09e2e9a20ebcfe5336409ba4f6914cc

SHA256
654732b2a85fc8f33e240ec5dde3e95714d94b6c4baa169b5cf55bde13746378

SHA512
4e848c4aacc4534f878bf11195a3fba92fc812aa1d0441b8f2984ff018ed66b89032ecc94da13f29dfe033f893d80f48d5ff4097c2e9287c725f057e7a16cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
94KB

MD5
5f8a07299e6e61710667e74686970bd4

SHA1
f02e5915717af8c182bfd4437f20d944f04ebd09

SHA256
690156023fb334f92f1d5f3b5dcc41df23821752fd683edfdd4a75f89f9d52be

SHA512
9762eaf9c2c02a3c75eb2569051b3c91132f38a06186db3e69a6b84adf35e369b7176af5b1936136344436fac8654784e1f41f2446b45e12a8b3a97c4c3f1881

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
416KB

MD5
479fc254720e2734ffb4939b627b961d

SHA1
26d728963d01850c4f3319ada9c1977600b6304b

SHA256
75b90f13746b2685fbc3c39d95421998e1207e5cd25cf882df05f62cce791a9a

SHA512
62d7e2eafc277f46b3e12250c983a5ebdad5ea21c94b0e69a702791c30e8dfec96ce92b80104124a0f66a8396e68000882bbb5f6a800193d51d0c69405f697d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
860KB

MD5
0035e1f32917552d072b20fe1943143c

SHA1
85d6584f01ec57d5a250e86b67805064458c399f

SHA256
8778867a51bcbd1a8c29449d70c47380af39e8384468f2d06fb0b8a5c100ef88

SHA512
44eea80929f5a2c58edcbf3cb4230aee078e4a8b35fba748b6974da74b91bd8bcde15e9d4ec5bbaa18da284e42bf5666aa262dfea579755bc04b750107ac7a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
254KB

MD5
983014fb191dfb6d99b768f215e42e0d

SHA1
a7e39d4d6a4e1a3e7edc5556a30da979d484f4a5

SHA256
9ea2c026592754614780aa24c50fa708bbfe79f1be1497085d5564638de590af

SHA512
ceec2f7b297ac7bf60d200fb446f602fe0e7d9b48d206c974e0c6702aa8d08bb238e525c37607d147fe3f590a05c84005c4dfe4eaa08daa7997dbf4bd2b402be

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA74C.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe

Filesize
958KB

MD5
b8bad97eb862a670023bba65809433f3

SHA1
cbb5f1a08909df3db7221601d29a8a6a66ed8c96

SHA256
ea7c9b3b56534508203882c107fc155297bbef09141d745a373e25de1aeb7f9d

SHA512
66dd83489ed2d1df26549e412af9cc42abfaf4e725bf8abc2d435c5803353b6ca5b2adf1538c81ca0e57380081d1837cdeb3d0cd106a511d4df885586214108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
279KB

MD5
cb07cb74671a03a09d23c15d5b6bbd82

SHA1
592cc4fbac30f30d49e9ad9b534dd7db88d225fc

SHA256
12a20f40c25ae2489bac684a3f4e2dcca2a26045b46336ec8286996a346f535e

SHA512
66d5629aae96904748733cf3a4d326cae0304d3ab49df5a3c4f904931732667f5bbd6493a7477ca9ef0004c013544d6d6e3f0e63ffc26f88abff92a52e062be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
298KB

MD5
438be32c71af9a129c48055117076d74

SHA1
6edbf8142fad42ee006a7ee7f9649632beb57646

SHA256
fc3641cb620dc20f33248b782b8571fa06cf63daa23042fcee582abc47d6fdf0

SHA512
03c05248c5671860bfb8db6018c5e567afc2797be43c5c43d01bde2e9690e29bfa78ccae19e593371ef782aebec1704f4f8fb00cc74208dd75ea69de5905493b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
54KB

MD5
7876f74ea86ce4767565a7e74b3218ec

SHA1
7f2872f165f13d886b4171d7027cf772f14dbd68

SHA256
785d94f44f6c820588989707f903391b2aec3ad9a7bf6b2f663de46e4ddf4742

SHA512
ee29c82433d3b7b12774e7bf3c0bcea0c35fb04d3d6d873586384f7ea16e5df29b44fe268482be7e507fca60c97942ef0c61cbc45e81d2f8f5a5a751ee1b39ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
51KB

MD5
92eeaecd23b22a8d575513f3d8762b73

SHA1
d643a296519773baaa24fe145fa67961cf931c75

SHA256
89b997f4b05adbe8b40ac5bb11e441765d6939cc9de31a7da57d6088707aebc4

SHA512
e9a80b86fc0834fd3ba94ad8b6a9923e57e718e484208bdbe8ad514317707616987a2165cf77997ffaff112627012b5288743c1b0ee206417658b6f733d6f586

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
249KB

MD5
48b68d992e246babf8353859693fdec9

SHA1
5bd6e97c8aaf56a6a57bfbb286b4ba6c4f6b9bda

SHA256
2ba4134610fcb788f829fea01ad1668b7a0badc1007bed1f3ab78b07304d99e3

SHA512
c6d9cecea12f892d92a8ec70b8497d35bd3c19cc36cd5234c840eb63ecf0f147a912a206e066024400013e8fb0dfff4945bde9d7e1f2030499c8a05099272383

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DEA.tmp

Filesize
294KB

MD5
3247e68ba68e6c6b4265abb720d004a3

SHA1
c695f29be7f797c4cbf1cf7da7dab0f6f3d9f818

SHA256
a77dc661dfdfdc3b8dc757672a79992affe6ff6d4928419b5d538b909ec83943

SHA512
a3e0186850e9105c123c05b3b71826c505db3af94b0c1f9319cdf5f793fd9909f4e394f817cc600875999ad7590c4793b81b32e6b6351232db0c0ec49cc4f2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DEA.tmp

Filesize
72KB

MD5
2f5d8ff87221ba420f8d39eb8156b744

SHA1
18ab25d2a76f24fbae1a4308a5a05992e5d062d6

SHA256
df37dda089f7f896382fcbd1949e565c4717b03ad4a7bb7c37d85d4a12f5ed4c

SHA512
eed00a5337580c11353133712a39c9aa25a3f1ff8fd5ba711a65706f05d59ce0aa4534aea7276d1955834d13b979b93eac03445a947dd6c0bca0bb08a07c3923

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5DEA.tmp

Filesize
32KB

MD5
f05203dbe606afb74427ad43a9378dba

SHA1
6ff34d35fa5403f94e1313279e7d2bc1e72a897a

SHA256
eb82da1096e14ba5c7f586eab9762671d6d293d33e6ec4901404038febce842c

SHA512
82def5671eaa5e34ee94334a3ab7877cea42524fc53558e6299edee79f4a66a257926c8ea862f2454872cd111f587d3b194bbe3e467810d6678aadbd59a95de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
1KB

MD5
f469e3084fb0a4b03073a4db681efa44

SHA1
828fa36a3a8c8e91dfbb00e6c2e5e5d3c4a3eea6

SHA256
c56ff3aa9da4dda7696ff44c02b9d73321e6753eb1cdf0039f1a97dd18b2fbf0

SHA512
d17a892bacdc9d5e91d9dd3ca296846251b017d48c2547dfa49a2ef769100191bffacb53cc2d7ac2a11b090bae35b24102435cffb18c558d0d11c9a8aebbf0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
254KB

MD5
603e19d3935ff1363e3492bad158a962

SHA1
614a601770a0faaad6b7244dd78c5742125a62b6

SHA256
5e0cd284d2777ef0ea51a04433067547b53a1ec3d97aebfdf15e22dcf99cb296

SHA512
f50ba3f60f070aaf34975aa2497b336dbdad4e411b24ed3170cd60b4e05dd764a6acf17496d1f855f23dd00ab3429304e6c56326d3b2c8994753d580af0b3d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
137KB

MD5
fda00209572986b185f2ca26809c3ca7

SHA1
182e7e832efa5032290496a0b8116019862d4823

SHA256
ee2460537ecaed2b340dfeccaaaa8bbfaae3735822ef1c70494d82e9cd294d0b

SHA512
a77b0224452bba1ab015ade27d254a7618672f8fe00be0b54909dfd7ab98cdbb0650836abbae3242f3de68e713ff8d1bec14c94203f909fb94ccb1741745d70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
7KB

MD5
6f828c2af53359538250bbefaa353a94

SHA1
973c7e72c69368cbb142a687103f473d981f4518

SHA256
dcf1dd7a3443f72b4b998356cf01abd2485a6ac0b9d05a26e44d1fcd06203327

SHA512
fc79ed150779869aeecfbe6cedf7571594811fd5f93708ec6c275fecd78726cda8d479539981a96e3161820e76fbbf5b44e416556a59ed796c661e3bb795142e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
171KB

MD5
4d1a4b3096f4a39f3a91df2f6efd43c6

SHA1
af7b52300363fa6f5ce8b5f99f753a9b1e0af94f

SHA256
ca5b5e71addd8a56460eefad5cd368a5f6aca71b7a2d6dcfb312f45d1ae6e20b

SHA512
d7cc6cf36fa0da5c22b531f7b3f58cbbcc206aaa47d40ebc0256fa5ede758fa7f636f9b70fa8077664067c8cbd3b38633ef2ca1e2e8e349b3b05c3cec1f8afd7

Download Submit
C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build2.exe

Filesize
266KB

MD5
bfa713b555cedb947e22800636eccf60

SHA1
f1f79036dbeb1b24aeb23f2b3aea876a82e1be98

SHA256
2f45cb90965d00ced3a5bb28fe3fb7fdb66cd1c5278958659ea7d47578de484a

SHA512
a67e499d33cd6a98f33db80b2348064bc8af63f1f28a4f2e14495f3b50c68291c0c456dc949a3f0395317d7275020deb9a9bea1a354f8a2b54a9f0d16e18edf1

Download Submit
C:\Users\Admin\AppData\Local\c65c66ca-5d32-4857-8f73-e5f63f88884b\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe

Filesize
290KB

MD5
cc3296092362e1577d1b4d8e31d3349f

SHA1
9f20810d61fbd377f919e42f9b953a12e4526f40

SHA256
6fe040a93eb709ac83d6973a6238a4fb2fd39610f74278ddff8e35d7940aca4b

SHA512
6f9463dd0b4d34ba36266f2c7798d4433736c5903a7df621ce872171d6bb16f0d090769fa212033b28915072fec4c3db28f62ba4f266dae1549d543bd9ca50b1

Download Submit
C:\Windows\rss\csrss.exe

Filesize
138KB

MD5
c1dadb01c4583c29a94865a768a22666

SHA1
4eab680d0eb57443a4bd37430a03a088f13c47bb

SHA256
84aaf22d0a0b0486cad071bb76e5e48b17873401fbb96a502e48a87f09dd3fc1

SHA512
67e4887379e7864eaae67b53ada9358fa7c15b9745ca4c22401b22316041e72cffb461eacb358c92d471190182f50c9dec6808198e4806b65d3c671371628f55

Download Submit
\ProgramData\mozglue.dll

Filesize
285KB

MD5
f5d43b8a996676695da72d3c64dd7c13

SHA1
658e275620c031fd23eaa8fd346ca6ac47ebf83b

SHA256
a5a964a2dff7b985d4b9a1adf3a926954a8e5ad58be2b165891446e963fe2ffa

SHA512
1816f1109421403a0d33d0f72f73aa7ff59ca7f681659a2b6673757d4d4e6e7fe3d13da38b7bb1f757bb36baaaa4b824d0c83b396a5fc87948e2f1550ea9cb29

Download Submit
\ProgramData\nss3.dll

Filesize
685KB

MD5
39858f9c7df4c38c8cd606f3c4b1a64c

SHA1
f4a25b4f15f2f54c605d1536de5f6bc4de2c456a

SHA256
ec29178f80103a0e6b5d33684378c23a8906ffbcc0102fc25edd22d540d86145

SHA512
7adfc383061facd5a6525055fb532c0f4b3623c8b0247adc38968303442e5b244110c8048f1e52a26f96fec8ddb73f570f9c01ebc40fd51d8f959170ac4f7d04

Download Submit
\Users\Admin\AppData\Local\Temp\41A4.exe

Filesize
555KB

MD5
e5f96dce5a2d3b666b2f16734aa2ef2e

SHA1
7062409ac2eb99d15183b99ef3b7bd9061025874

SHA256
c18eb9fa036cc5bdee63d291894852440829857982b4624a7d6933fbd96595ba

SHA512
8af50100d2419efa4109242d3e35f377e98be20bf461d64616735473214608081fc024cf1b0e075d27117976b93a2ad6623864ded727f7e353e47bc29d4e2456

Download Submit
\Users\Admin\AppData\Local\Temp\41A4.exe

Filesize
538KB

MD5
f6e4d11b01c227f3a49b8ab4d7c3bb59

SHA1
f9e9d531a5d6c560892cbf71e048b4e34b4c27a3

SHA256
179b004a7a916698b4f0f979c9afe0fc6dadc69e6af9d9b20c2fdee4afac7165

SHA512
f42d7812b490375445b71cca22d2900a6c0c032d2f459ff18aa46b2c98799a122f821f096454f30c1ac8a806031835abfd167065a5aacebd5c60fdf6d75b4a68

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
198KB

MD5
aff6f7b8c75902fd9c765a1b6ee066db

SHA1
c92d74a782964cbe2eb3126a56e5b253ca70c7ad

SHA256
8899e4c3f2e32007963bb7a136ae921a31d41e680542bc624733390302a85f3c

SHA512
a5bc5100800c8238e726e0308ebc32bf48ea4ceafa0b984befec16d96bddf6fbb28bad686568d9ae96a6849441010576c324521407db3a86c1e06831cab019be

Download Submit
\Users\Admin\AppData\Local\Temp\E0AF.exe

Filesize
641KB

MD5
a2ed24eb299811f062a89c6f53b0ca2b

SHA1
ebc768aec401a89568e9784990a7090f0efb2bef

SHA256
a8699e63afaee390471b564e3b817db03cd5b12456438f052aa7f18bfbe2b062

SHA512
d963ba161e5f890e7f23e369b57e3e5ca895aea666f8994b2bf520f8e7bb5345ff2d143ec5e1e46d429974ff9c2156402478c737ccf34f3b2af7e9131ba19356

Download Submit
\Users\Admin\AppData\Local\Temp\E0AF.exe

Filesize
819KB

MD5
7fbb43e45972770463e5a905f997960d

SHA1
af53adbdb6dc3ac0636f4874e384aa7bfd423ac4

SHA256
13040cfe161bb47fe3e62a56cf808eef602a989830ff0e3e32714e933fa72b5e

SHA512
6bbd40d8bb8c1ffeaa5ca0d8e3940daa03a0df68c4aecb5d90a73c0880ed8cfce758ac83f26bbd2d79b42bb61273590c2335344c564b5e972bebb7100653d8f2

Download Submit
\Users\Admin\AppData\Local\Temp\E0AF.exe

Filesize
107KB

MD5
dbe90a61b343872dd1df004924c5bf9d

SHA1
5a08068d2d48a8cb087141a6bf8cb4ef54a17f09

SHA256
1018839e94f62e55305a5ff9cd1f88c51dfe4b122c642472496d5638e6764d7b

SHA512
e5fe3b265343ff92386ec343bc8871a18116ee644137abd07f11bf5dcdce8f2937d78bfdb7cf85e15724dbbfc939c869b46d05ad848d780a50db5abc9b9458ab

Download Submit
\Users\Admin\AppData\Local\Temp\E0AF.exe

Filesize
139KB

MD5
1f625a6b05de0e83a9384ac86673f044

SHA1
103abca04ab5cb43c5aea6893548f6b64e858c69

SHA256
dcdd54f786925cc45d7d953f8bb28becaebe85fcc8cf145b7a408cbe6f15511e

SHA512
6a0e4bfd1597c0f3e4760a54b9e3a180a5a24730992426c9acc2759cb9ff5f8a23d41b229c7f3ad1b3f258b0c2caf1ae9b9d26a19d1ba5679557d7c367b32fa1

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

Filesize
192KB

MD5
5f3339f2fba66791008f7346bf41e24e

SHA1
71fbc6001126b554bfad08539c9cbb3809239556

SHA256
cbb39236bfbc7d1a4b126c0f43a7792d31c9559892dc11db7e7d41c52e1fae7c

SHA512
50366d1eb8cea1790f7698c7cc461bcabc19b835edb3e1b17434894ae4f644fcedf8a4a11e9872bd51fed692629f739e54ea8fef6e9e6e141e88f20294fc36c5

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
187KB

MD5
ed191a200af79b551292cd23389c17e3

SHA1
8c28b436edfee4d776e039643391f03a763f3bc5

SHA256
ca8ec060a295c4063c29502d9274379033dad0c906d2a2e926cdf3f904dc9e67

SHA512
ea285c747f6dd47757907e5006bad3443d104e159cce3b3b254e2ef81773655d46c56db8bfe095fca4e08a2a73eeab6d93adeb4b69e50c76ac84acb9402520de

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
301KB

MD5
3161d8b34de495666a41ebcecd22a098

SHA1
45039f9bbfe3952bc11500fd41e3198d96062d35

SHA256
fa474ec0180635946c3858e82f459e0e3e3dca862657bf41feab7b8b38d16a65

SHA512
490165972ae818f469149036b09b32466eaf97a386a07b8804dbc5dbc37eba9036e0723cf4d8c6d54ffee4ce6a7e3ef4470bc1bcc95f6348c5d2d11966723214

Download Submit
\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
329KB

MD5
da876702085b01dafd82483f6c23e841

SHA1
d4abd6388b6da65780e72e28626c24e666d17a9c

SHA256
4f550af1695f000c22ccb009910b6fd10b10c0a3509beab27fc75a0a2e1b0a7f

SHA512
2b156a4903f5cec83106b44761bfa00b778b8c21e6d64b2f753d045c13257139403364b4d2cde90be8334181573f49578b36446649f834e55fc95c2d317ffc43

Download Submit
\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
209KB

MD5
25e8c56272f3c65995cce96d93002dfb

SHA1
bb527930bbd1537e82dc7360d0084ec79eb3334e

SHA256
108f1af2a07f6978f76b2906bff9fc31c3762e3b6a1c2d27cab39a609fe85ec8

SHA512
93280da1d151cdb647e0b1650bd9552055e50c3b748b56075455b58d958aeb8130e4dce6c0d916e82975d2a4d5d0867c627c12767f0f601d58db4810cbf05dc7

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
187KB

MD5
8d7bce6d08dcb068d4430c39172d84a0

SHA1
ff53830b57ccc5dfb67c4e0a9302de430804ec00

SHA256
3d370f8ad9f5b99ca1deb22fa156a247e9b6b74162b923240397839995767266

SHA512
b2d88e5cdbfd21650c6e5623d167c81566dc4b8cbf71a7aec9c1013ff5285b9f1a4e7f64852a7f2268076cc48995c1f5fd0a7d34f28ee8c667e5dbab99e7651f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DEA.tmp

Filesize
9KB

MD5
abe4df11d96289bc9d47db50c0cc9fa8

SHA1
5e36b9d81edf2cf43571da2ad75bde952e4003fb

SHA256
4bf68af517b9c25945445570929b75cd52b2852e73e4ca0cb183381dd882a3d3

SHA512
87588acb248cc9a9b9111ee505a0e4bc470e478d4af1347d37fe7512623e9544828b5fcfbccb73e0abfe96ef82050dcb562ff4a28336f1d6d9f5a1dd4a233f9a

Download Submit
\Users\Admin\AppData\Local\Temp\nsi5DEA.tmp

Filesize
46KB

MD5
14720483224b80447393aa99aeb32c40

SHA1
4d8adcf5cd0778dce8d395e1cd1556737fa7a1e2

SHA256
461248592eed2712bd9f7b461681828b929101a1d0358c31959c9285d0f044fa

SHA512
5f8e1e53bf0c62d581613a7ec9b5dcc253a30ea5d0b3dcf22fb769de402a5a4b94703e25c17d704c4f0bd04e0f500e0e6b39527b7571475823e7af8be19291c0

Download Submit
\Users\Admin\AppData\Local\Temp\nsy560D.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
77KB

MD5
6ffaa7ec84210f3504b5ea362c13923c

SHA1
93ac628689612cdc7d32b928dc880ad02d7502be

SHA256
024bf41ab9b151bc1f0726a759c06a4f7eca9c902407c9565e1a4ffe5b164d7c

SHA512
3ff5dedc64aede9891145041d24cc169f5c45be2dddd726e98f4b3a8e5dca49cbebbcc178b8e063108b03b3374d1729414facdf312374b7bbe5dddb6a47e30e3

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
36KB

MD5
d2bbdc356653ca83f929e069fdb70026

SHA1
da363509ac75700d593f4a03ab37b68ed1c8f7f3

SHA256
f48429fdb85f7801818926f97065feace0bc29b5ab212ca0745241cda4b5a91b

SHA512
12b7e882117c8255666714683774b29f31abe4c90b0d49118c013ea314e17a197a6a975723fc44bd1138a39411c5f8a1e590a8fe6cc88380709514b6f9abacc5

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
350KB

MD5
9972ce766c69e34c1a2abfc2b0eea634

SHA1
132d4c461a5bd1ebd05d4cc69cb5a228601a10ae

SHA256
26520627c761d6470698f9a1b84d33486dcde2983be27da4c1b5492b4c4c3581

SHA512
e9f66a8742334f5f0d19316db61519b1dddab6324b32dab69f6b9f93e9dffa12d42cc3dad87110ed3e8dfb8d52c7a08cbb52873e86bf3de51b83126b5af40b2c

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
510KB

MD5
d457dc029ea90165bce69bdf37a97f68

SHA1
8c564074d60da80bfad17104ed8fa36e4aa92ec4

SHA256
8ddec950cc133ece1801f7e0732fa88e2d2bdb78d634e341264c647ab309d91f

SHA512
d027a8fa1f455f0df33e4246b20746a549ca4724dac5d8299f2fa3927f1ac4d80d6e01b0f38a833d7d18cd60bcc6bcb6ab96e46be257765b3c8760733ca3b9a0

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
437KB

MD5
1adc0d94a76af11ae437ed56b2b59c95

SHA1
826524fe7d8dc1220c9861a01fc5e659ae9dfcff

SHA256
1df1800f74686ea795124f4015dddaad7f1f7574559fff24c9858f25bfe5f689

SHA512
1e704b7a64824747ffd88ebd602ab6ecbed65f57251ff6993b7d1fc84e78208c0e3c34f898b15a9ed90e807ae049d4bad57b4d97a939d7885d802a37626ed5c4

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
132KB

MD5
51059f22a44159d7d697b6467c36b503

SHA1
20fa9b32f49be1a0a3a1c8393cbae68d9b3f58e4

SHA256
ba0a704ff9b1f332670398ca9d504ac6ab012f11d384b98f4d39d7d19ab96ade

SHA512
a7d947d53dc3a22811516eb58ac02b8784fcf1c58d0c039790fa64dd558a27264717575484390f6e66bdaa11291a78afe6713ef987c03d0aae1de57281a8c08d

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
132KB

MD5
f28ed2ee1b935f3ed2d7aae2b16fae65

SHA1
a5530697b3eb80e4e87cb6ad52140e129e4685de

SHA256
41833844b94f3c08588933f3747025d621d2409d1a3f64a26bf91ee91d68f4ed

SHA512
467402824887a03464083203777abcc2180010ceb85f544257a7d0177095817fef00c7523dbacc1018bcda343570861b76b8e58e8bcc0ac0a39a3788c6e25403

Download Submit
\Windows\rss\csrss.exe

Filesize
414KB

MD5
5f665e6568b23842ff094f10b0d25ecb

SHA1
5c9cd0b7bdba39f20a043d18582751e6ddc1dc20

SHA256
7ccee2791377e851850f817377b11e97cdf9796c08738ac57d038c0e2218ffd5

SHA512
fca905bef5cdf385cc921f6343aa470ca0e08c4eed4c2573e687072308162344746eaa4c9e98f5c554b00b2e6c51fee71f9051c0ebf24d1d3a9e17ea1ca69bd8

Download Submit
\Windows\rss\csrss.exe

Filesize
199KB

MD5
5e05c36004939ef2e075febc96fdb261

SHA1
c92ecde37efa361989150b487dcbe894cabd811c

SHA256
e852a10a59840fd896ded5d96b7d83932b8cadecc6a2ef229b6101552c1788c6

SHA512
625594aefccebdeed55cd0b6f8486cec9daed4a9d8a987933bc8f7f5a21d0d5ad79395bcd6f620ffdca1893c4eeaaf838c5a414cd76778e0c117d951f3b54076

Download Submit
memory/532-673-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/844-524-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/844-525-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/924-761-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/924-753-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/924-768-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/924-771-0x0000000002660000-0x0000000002A58000-memory.dmp

Filesize
4.0MB

Download
memory/956-774-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/956-631-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1092-773-0x0000000000400000-0x000000000072C000-memory.dmp

Filesize
3.2MB

Download
memory/1224-671-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1224-668-0x0000000000962000-0x0000000000973000-memory.dmp

Filesize
68KB

Download
memory/1260-72-0x00000000029A0000-0x00000000029B6000-memory.dmp

Filesize
88KB

Download
memory/1260-286-0x0000000003A70000-0x0000000003A86000-memory.dmp

Filesize
88KB

Download
memory/1764-780-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1764-775-0x00000000026B0000-0x0000000002AA8000-memory.dmp

Filesize
4.0MB

Download
memory/1764-777-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1764-776-0x0000000002AB0000-0x000000000339B000-memory.dmp

Filesize
8.9MB

Download
memory/1792-301-0x00000000004E0000-0x0000000000572000-memory.dmp

Filesize
584KB

Download
memory/1792-297-0x00000000004E0000-0x0000000000572000-memory.dmp

Filesize
584KB

Download
memory/1792-303-0x0000000001D30000-0x0000000001E4B000-memory.dmp

Filesize
1.1MB

Download
memory/1912-351-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1912-305-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1912-302-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1912-318-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1912-316-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2068-719-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2108-529-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2108-760-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2112-172-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2112-192-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2140-772-0x0000000003700000-0x0000000003A2C000-memory.dmp

Filesize
3.2MB

Download
memory/2140-723-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2168-71-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/2168-115-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2168-67-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/2168-116-0x0000000002690000-0x0000000002A88000-memory.dmp

Filesize
4.0MB

Download
memory/2168-74-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2268-283-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2268-287-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2268-282-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/2336-70-0x00000000025E0000-0x00000000029D8000-memory.dmp

Filesize
4.0MB

Download
memory/2336-11-0x00000000025E0000-0x00000000029D8000-memory.dmp

Filesize
4.0MB

Download
memory/2336-41-0x00000000025E0000-0x00000000029D8000-memory.dmp

Filesize
4.0MB

Download
memory/2336-42-0x00000000029E0000-0x00000000032CB000-memory.dmp

Filesize
8.9MB

Download
memory/2336-43-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2336-68-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2336-69-0x00000000029E0000-0x00000000032CB000-memory.dmp

Filesize
8.9MB

Download
memory/2392-138-0x0000000002590000-0x0000000002988000-memory.dmp

Filesize
4.0MB

Download
memory/2392-139-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2392-359-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2392-389-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2392-250-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2392-114-0x0000000002590000-0x0000000002988000-memory.dmp

Filesize
4.0MB

Download
memory/2392-298-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2392-280-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2392-281-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2416-706-0x0000000000310000-0x0000000000E6B000-memory.dmp

Filesize
11.4MB

Download
memory/2416-439-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2416-406-0x0000000000310000-0x0000000000E6B000-memory.dmp

Filesize
11.4MB

Download
memory/2452-73-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2452-46-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2452-44-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2452-45-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2560-77-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2560-264-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2560-161-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2560-193-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2560-63-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2560-64-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2560-65-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2560-265-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2560-259-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2560-194-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2600-689-0x0000000000EF0000-0x0000000001CB4000-memory.dmp

Filesize
13.8MB

Download
memory/2600-717-0x00000000717A0000-0x0000000071E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2600-688-0x00000000717A0000-0x0000000071E8E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-667-0x0000000001D40000-0x0000000001DD2000-memory.dmp

Filesize
584KB

Download
memory/2684-362-0x0000000001D40000-0x0000000001DD2000-memory.dmp

Filesize
584KB

Download
memory/2684-354-0x0000000001D40000-0x0000000001DD2000-memory.dmp

Filesize
584KB

Download
memory/2692-40-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2692-279-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2692-137-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2692-249-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3008-0-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-1-0x0000000000B60000-0x00000000011AA000-memory.dmp

Filesize
6.3MB

Download
memory/3008-28-0x0000000074030000-0x000000007471E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-633-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3020-612-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/3052-388-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3052-387-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3052-365-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3052-364-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3052-393-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3052-396-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3052-395-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3052-674-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download