amadey | a2e56b293874962f8ccf1fc3d1a6f96b01222f470a6891d7cad95b70bc3e99c4

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04-02-2024 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

976f6386a6c31fad6a4e2996306bbf3d.exe
Size

7.1MB
MD5

976f6386a6c31fad6a4e2996306bbf3d
SHA1

82018f85cab8337f8fe294a3864bada0cc5d845e
SHA256

a2e56b293874962f8ccf1fc3d1a6f96b01222f470a6891d7cad95b70bc3e99c4
SHA512

c72cf4eb4fab0e9e3cae2fbe5f39a4aa1b9b031b982f6e98453bcfcf72303a045269244f73966023eb4415038a726d2507d9f594d24919fb294e700199ff83f9
SSDEEP

196608:SqVSV1KkmYUVB9daURUyUlYS1yaxK8gb2ZcsS:SXV1r4DOYS1yaE89ZcsS

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.cdcc
offline_id
LBxKKiegnAy53rpqH3Pj2j46vwldiEt9kqHSuMt1
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iVcrVFVRqu Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@freshingmail.top Reserve e-mail address to contact us: datarestorehelpyou@airmail.cc Your personal ID: 0846ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exenetsh.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

pid	process
2172	schtasks.exe
1800	schtasks.exe
2948	schtasks.exe
1716	schtasks.exe
2540	schtasks.exe
1448	netsh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-387-0x0000000003800000-0x000000000392C000-memory.dmp	family_fabookie
behavioral1/memory/2708-390-0x0000000003800000-0x000000000392C000-memory.dmp	family_fabookie

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/948-542-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/948-546-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2836-545-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1088-796-0x0000000000EF0000-0x0000000001448000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 13 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2896-422-0x00000000004D0000-0x00000000005EB000-memory.dmp	family_djvu
behavioral1/memory/2892-423-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2892-424-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2892-418-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2892-479-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1888-491-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1888-505-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1888-504-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1888-527-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1888-529-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1888-533-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1888-547-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1888-603-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2156-46-0x0000000002B00000-0x00000000033EB000-memory.dmp	family_glupteba
behavioral1/memory/2156-48-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2156-60-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2156-74-0x0000000002B00000-0x00000000033EB000-memory.dmp	family_glupteba
behavioral1/memory/1780-148-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2092-189-0x0000000002A20000-0x000000000330B000-memory.dmp	family_glupteba
behavioral1/memory/2092-190-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2092-377-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2092-396-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2092-406-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

106.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxSF\Performance	106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxVideo\Performance	106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\Performance	106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxMouse\Performance	106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxService\Performance	106.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
1436	bcdedit.exe
2552	bcdedit.exe
2412	bcdedit.exe
1924	bcdedit.exe
2100	bcdedit.exe
2400	bcdedit.exe
564	bcdedit.exe
2180	bcdedit.exe
1088	bcdedit.exe
1984	bcdedit.exe
2768	bcdedit.exe
2160	bcdedit.exe
1388	bcdedit.exe
2700	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1448 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
1448	netsh.exe

Executes dropped EXE 29 IoCs

Processes:

InstallSetup9.exed21cbe21e38b385a41a68c5e6dd32f4c.exerty25.exetoolspub1.exeBroomSetup.exed21cbe21e38b385a41a68c5e6dd32f4c.exensd11ED.tmpcsrss.exepatch.exeinjector.exe6671.exe764A.exe764A.exeWMIADAP.EXE764A.exedsefix.exebuild2.exebuild2.exebuild3.exebuild3.exewindefender.exewindefender.exeECF0.exeFC31.exe106.exe7FA.exe15E0.exemstsca.exemstsca.exe

pid	process
2964	InstallSetup9.exe
2156	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2708	rty25.exe
2764	toolspub1.exe
2608	BroomSetup.exe
1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1140	nsd11ED.tmp
2092	csrss.exe
2968	patch.exe
2452	injector.exe
2692	6671.exe
2896	764A.exe
2892	764A.exe
2304	WMIADAP.EXE
1888	764A.exe
2592	dsefix.exe
2836	build2.exe
948	build2.exe
1196	build3.exe
2820	build3.exe
1136	windefender.exe
1092	windefender.exe
2600	ECF0.exe
1280	FC31.exe
3044	106.exe
2516	7FA.exe
1088	15E0.exe
1596	mstsca.exe
944	mstsca.exe

Loads dropped DLL 50 IoCs

Processes:

764A.exeInstallSetup9.exed21cbe21e38b385a41a68c5e6dd32f4c.exepatch.execsrss.exensd11ED.tmp764A.exeWMIADAP.EXE764A.exeWerFault.exeWerFault.exe15E0.exe

pid	process
2896	764A.exe
2896	764A.exe
2896	764A.exe
2896	764A.exe
2964	InstallSetup9.exe
2964	InstallSetup9.exe
2896	764A.exe
2896	764A.exe
2964
2964
2964
1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe
852
2968	patch.exe
2968	patch.exe
2968	patch.exe
2968	patch.exe
2968	patch.exe
2092	csrss.exe
1140	nsd11ED.tmp
1140	nsd11ED.tmp
2964
2896	764A.exe
2968	patch.exe
2968	patch.exe
2968	patch.exe
2892	764A.exe
2892	764A.exe
2304	WMIADAP.EXE
2092	csrss.exe
1888	764A.exe
1888	764A.exe
1888	764A.exe
1888	764A.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
1752	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
2992	WerFault.exe
1380
1456
1088	15E0.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1764 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1764	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1136-691-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe764A.execsrss.exe106.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2c953e79-886f-4667-9d8f-29d17086d1bf\\764A.exe\" --AutoStart"	764A.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\win32.emulator = "C:\\Users\\Admin\\AppData\\Local\\Temp\\106.exe "	106.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

106.exe

description ioc process

File opened (read-only) \??\F: 106.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 api.2ip.ua
44 api.2ip.ua
61 api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7FA.exe

pid process

2516 7FA.exe

description	ioc	process
File opened (read-only)	\??\F:	106.exe

flow	ioc
42	api.2ip.ua
44	api.2ip.ua
61	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

pid	process
2516	7FA.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

764A.exeWMIADAP.EXEbuild2.exebuild3.exe15E0.exemstsca.exe

description	pid	process	target process
PID 2896 set thread context of 2892	2896	764A.exe	764A.exe
PID 2304 set thread context of 1888	2304	WMIADAP.EXE	764A.exe
PID 2836 set thread context of 948	2836	build2.exe	build2.exe
PID 1196 set thread context of 2820	1196	build3.exe	build3.exe
PID 1088 set thread context of 2960	1088	15E0.exe	MsBuild.exe
PID 1596 set thread context of 944	1596	mstsca.exe	mstsca.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 6 IoCs

Processes:

csrss.exe7FA.exed21cbe21e38b385a41a68c5e6dd32f4c.exemakecab.exe

description	ioc	process
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Tasks\explorgu.job	7FA.exe
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240204183615.cab	makecab.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2388 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1752 948 WerFault.exe build2.exe
2992 2600 WerFault.exe ECF0.exe
2156 2960 WerFault.exe MsBuild.exe

pid	process
2388	sc.exe

pid	pid_target	process	target process
1752	948	WerFault.exe	build2.exe
2992	2600	WerFault.exe	ECF0.exe
2156	2960	WerFault.exe	MsBuild.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe6671.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6671.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6671.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6671.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nsd11ED.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsd11ED.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsd11ED.tmp

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1716 schtasks.exe
2172 schtasks.exe
2540 schtasks.exe
1800 schtasks.exe
2948 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

1664 tasklist.exe

pid	process
1716	schtasks.exe
2172	schtasks.exe
2540	schtasks.exe
1800	schtasks.exe
2948	schtasks.exe

pid	process
1664	tasklist.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exewindefender.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe

Modifies system certificate store 2 TTPs 24 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

rty25.execsrss.exepatch.exe764A.exe764A.exebuild2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	764A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	764A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rty25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	764A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	764A.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	rty25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	764A.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exed21cbe21e38b385a41a68c5e6dd32f4c.exed21cbe21e38b385a41a68c5e6dd32f4c.exensd11ED.tmpinjector.exe

pid	process
2764	toolspub1.exe
2764	toolspub1.exe
2156	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1140	nsd11ED.tmp
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
2452	injector.exe
1380
1380
1380
1380
1380
1380
1380
1380
1380
2452	injector.exe
1380
1380
1380
1380
1380
1380
1380
1380
1380
1380
2452	injector.exe
1380
1380
1380
1380
1380
1380
1380
1380
1380
2452	injector.exe
1380
1380
1380
1140	nsd11ED.tmp
1380
1380
1380
1380
1380
1380
2452	injector.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

476
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

toolspub1.exe6671.exe

pid process

2764 toolspub1.exe
2692 6671.exe

pid	process
476

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exesc.exetasklist.exe106.exe

description	pid	process
Token: SeDebugPrivilege	2156	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	2156	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeSystemEnvironmentPrivilege	2092	csrss.exe
Token: SeShutdownPrivilege	1380
Token: SeSecurityPrivilege	2388	sc.exe
Token: SeSecurityPrivilege	2388	sc.exe
Token: SeShutdownPrivilege	1380
Token: SeShutdownPrivilege	1380
Token: SeShutdownPrivilege	1380
Token: SeShutdownPrivilege	1380
Token: SeShutdownPrivilege	1380
Token: SeDebugPrivilege	1664	tasklist.exe
Token: SeShutdownPrivilege	3044	106.exe
Token: SeShutdownPrivilege	3044	106.exe
Token: SeShutdownPrivilege	3044	106.exe
Token: SeShutdownPrivilege	3044	106.exe
Token: SeShutdownPrivilege	3044	106.exe
Token: SeShutdownPrivilege	3044	106.exe
Token: SeShutdownPrivilege	1380

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7FA.exe

pid process

2516 7FA.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BroomSetup.exe7FA.exe

pid process

2608 BroomSetup.exe
2516 7FA.exe

pid	process
2516	7FA.exe

pid	process
2608	BroomSetup.exe
2516	7FA.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

764A.exeInstallSetup9.exed21cbe21e38b385a41a68c5e6dd32f4c.execmd.exeBroomSetup.execmd.execsrss.exe

description	pid	process	target process
PID 2896 wrote to memory of 2964	2896	764A.exe	InstallSetup9.exe
PID 2896 wrote to memory of 2964	2896	764A.exe	InstallSetup9.exe
PID 2896 wrote to memory of 2964	2896	764A.exe	InstallSetup9.exe
PID 2896 wrote to memory of 2964	2896	764A.exe	InstallSetup9.exe
PID 2896 wrote to memory of 2964	2896	764A.exe	InstallSetup9.exe
PID 2896 wrote to memory of 2964	2896	764A.exe	InstallSetup9.exe
PID 2896 wrote to memory of 2964	2896	764A.exe	InstallSetup9.exe
PID 2896 wrote to memory of 2156	2896	764A.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2896 wrote to memory of 2156	2896	764A.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2896 wrote to memory of 2156	2896	764A.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2896 wrote to memory of 2156	2896	764A.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2896 wrote to memory of 2708	2896	764A.exe	rty25.exe
PID 2896 wrote to memory of 2708	2896	764A.exe	rty25.exe
PID 2896 wrote to memory of 2708	2896	764A.exe	rty25.exe
PID 2896 wrote to memory of 2708	2896	764A.exe	rty25.exe
PID 2964 wrote to memory of 2608	2964	InstallSetup9.exe	BroomSetup.exe
PID 2964 wrote to memory of 2608	2964	InstallSetup9.exe	BroomSetup.exe
PID 2964 wrote to memory of 2608	2964	InstallSetup9.exe	BroomSetup.exe
PID 2964 wrote to memory of 2608	2964	InstallSetup9.exe	BroomSetup.exe
PID 2964 wrote to memory of 2608	2964	InstallSetup9.exe	BroomSetup.exe
PID 2964 wrote to memory of 2608	2964	InstallSetup9.exe	BroomSetup.exe
PID 2964 wrote to memory of 2608	2964	InstallSetup9.exe	BroomSetup.exe
PID 2896 wrote to memory of 2764	2896	764A.exe	toolspub1.exe
PID 2896 wrote to memory of 2764	2896	764A.exe	toolspub1.exe
PID 2896 wrote to memory of 2764	2896	764A.exe	toolspub1.exe
PID 2896 wrote to memory of 2764	2896	764A.exe	toolspub1.exe
PID 2964 wrote to memory of 1140	2964		nsd11ED.tmp
PID 2964 wrote to memory of 1140	2964		nsd11ED.tmp
PID 2964 wrote to memory of 1140	2964		nsd11ED.tmp
PID 2964 wrote to memory of 1140	2964		nsd11ED.tmp
PID 1780 wrote to memory of 596	1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 1780 wrote to memory of 596	1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 1780 wrote to memory of 596	1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 1780 wrote to memory of 596	1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 596 wrote to memory of 1448	596	cmd.exe	netsh.exe
PID 596 wrote to memory of 1448	596	cmd.exe	netsh.exe
PID 596 wrote to memory of 1448	596	cmd.exe	netsh.exe
PID 1780 wrote to memory of 2092	1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 1780 wrote to memory of 2092	1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 1780 wrote to memory of 2092	1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 1780 wrote to memory of 2092	1780	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2608 wrote to memory of 2504	2608	BroomSetup.exe	cmd.exe
PID 2608 wrote to memory of 2504	2608	BroomSetup.exe	cmd.exe
PID 2608 wrote to memory of 2504	2608	BroomSetup.exe	cmd.exe
PID 2608 wrote to memory of 2504	2608	BroomSetup.exe	cmd.exe
PID 2504 wrote to memory of 2992	2504	cmd.exe	chcp.com
PID 2504 wrote to memory of 2992	2504	cmd.exe	chcp.com
PID 2504 wrote to memory of 2992	2504	cmd.exe	chcp.com
PID 2504 wrote to memory of 2992	2504	cmd.exe	chcp.com
PID 2504 wrote to memory of 2540	2504	cmd.exe	schtasks.exe
PID 2504 wrote to memory of 2540	2504	cmd.exe	schtasks.exe
PID 2504 wrote to memory of 2540	2504	cmd.exe	schtasks.exe
PID 2504 wrote to memory of 2540	2504	cmd.exe	schtasks.exe
PID 2092 wrote to memory of 2452	2092	csrss.exe	injector.exe
PID 2092 wrote to memory of 2452	2092	csrss.exe	injector.exe
PID 2092 wrote to memory of 2452	2092	csrss.exe	injector.exe
PID 2092 wrote to memory of 2452	2092	csrss.exe	injector.exe
PID 1380 wrote to memory of 2692	1380		6671.exe
PID 1380 wrote to memory of 2692	1380		6671.exe
PID 1380 wrote to memory of 2692	1380		6671.exe
PID 1380 wrote to memory of 2692	1380		6671.exe
PID 1380 wrote to memory of 2896	1380		764A.exe
PID 1380 wrote to memory of 2896	1380		764A.exe
PID 1380 wrote to memory of 2896	1380		764A.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\976f6386a6c31fad6a4e2996306bbf3d.exe
"C:\Users\Admin\AppData\Local\Temp\976f6386a6c31fad6a4e2996306bbf3d.exe"
1⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\nsd11ED.tmp
C:\Users\Admin\AppData\Local\Temp\nsd11ED.tmp
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1140

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
3⤵
- DcRat
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:596

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2968

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:1436

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2552

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2412

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:1924

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2100

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2400

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:564

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:2180

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:1088

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:1984

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:2768

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2160

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:1388

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:2700

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- DcRat
- Creates scheduled task(s)
PID:2948

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
- Executes dropped EXE
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:2876

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2764

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2708

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240204183615.log C:\Windows\Logs\CBS\CbsPersist_20240204183615.cab
1⤵
- Drops file in Windows directory
PID:760

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- DcRat
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1448

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:2992

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
1⤵
- DcRat
- Creates scheduled task(s)
PID:2540

C:\Users\Admin\AppData\Local\Temp\6671.exe
C:\Users\Admin\AppData\Local\Temp\6671.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2692

C:\Users\Admin\AppData\Local\Temp\764A.exe
C:\Users\Admin\AppData\Local\Temp\764A.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2896

C:\Users\Admin\AppData\Local\Temp\764A.exe
C:\Users\Admin\AppData\Local\Temp\764A.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
PID:2892

C:\Users\Admin\AppData\Local\Temp\764A.exe
"C:\Users\Admin\AppData\Local\Temp\764A.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:2304

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\2c953e79-886f-4667-9d8f-29d17086d1bf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:1764

C:\Users\Admin\AppData\Local\Temp\764A.exe
"C:\Users\Admin\AppData\Local\Temp\764A.exe" --Admin IsNotAutoStart IsNotTask
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1888

C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build2.exe
"C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2836

C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build2.exe
"C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build2.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 1440
4⤵
- Loads dropped DLL
- Program crash
PID:1752

C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build3.exe
"C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1196

C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build3.exe
"C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build3.exe"
3⤵
- Executes dropped EXE
PID:2820

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2304

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1092

C:\Users\Admin\AppData\Local\Temp\ECF0.exe
C:\Users\Admin\AppData\Local\Temp\ECF0.exe
1⤵
- Executes dropped EXE
PID:2600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 96
2⤵
- Loads dropped DLL
- Program crash
PID:2992

C:\Users\Admin\AppData\Local\Temp\FC31.exe
C:\Users\Admin\AppData\Local\Temp\FC31.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Users\Admin\AppData\Local\Temp\106.exe
C:\Users\Admin\AppData\Local\Temp\106.exe
1⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\cmd.exe
"cmd" /C tasklist
2⤵
PID:2364

C:\Windows\system32\cmd.exe
"cmd" /C "dir "
2⤵
PID:1632

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Users\Admin\AppData\Local\Temp\7FA.exe
C:\Users\Admin\AppData\Local\Temp\7FA.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Users\Admin\AppData\Local\Temp\15E0.exe
C:\Users\Admin\AppData\Local\Temp\15E0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 88
3⤵
- Program crash
PID:2156

C:\Windows\system32\taskeng.exe
taskeng.exe {DFC39CA0-F281-4635-85CE-F2C2953139F8} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:576

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1596

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:944

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- DcRat
- Creates scheduled task(s)
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
b68fe463c7ec10f2571f6b452b5195e1

SHA1
0a735214f8f38e3ff4de9fc072879cdd5b830836

SHA256
d416fa3f24102ef5802842473524183d7e4808ac0ef819703569fdeae2ec142f

SHA512
e4f4640d59050cab6e690b9c2d7973992be61a87a4110876700ea8cce644c1166301bea83a4a1b921325c34d39f0df9ed6c94981da9fa8eeb08a6cc62ba91001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
26KB

MD5
8d12fe3c280498e9e8b05a112ef0b451

SHA1
da0481499591f98aa6d655f664c11dd0a607caf2

SHA256
a24e90cbe29517440740642d48b21ddcb028cce468eb4ca7cb95bcdbef58d037

SHA512
3c3f0e85fa5dacde26521bafe354ee28540e571f437da4950658638286074f6a8ef3694dd1ea077da6c93a72118c042f0806975a614b204d192408aa225ee8d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
ba56e2d1c5f581b8fb07932395ddbede

SHA1
cc916a2a9e0814d820638e210f40ac970e16c3ff

SHA256
dcfd09f676bb07bfeefc543057ba2566bf80dcd0ba4174df74c02c144a1a9021

SHA512
e68ca80c884c861239b76377516653c251b6ff47de70980026e2437f3a5f90fa6cdd682facba958eee2baadcad48e40e1ad7d3b87bbc12c3794e21c1112dc32b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
500e2b7803c584786a990d09bd7598cf

SHA1
4672bb5277321a57fde91e165c1837578076fbba

SHA256
77b27c5087a53922870b2de4507fd9db8f5cbdc2f8daf65c44b97c7401784eeb

SHA512
cf3dbe940a566b0559aa67af892866d1a7ef86f5fc8a2441e866f410e553ac8d0cd2da2473500fd5525448e2a70c27db8f0054861aea75d4526439ff3dfacaf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3f671d10317fab3ff47562539bd3e3b1

SHA1
27df4c361cda0d5145cecb2ff76427ae90bb2b59

SHA256
8a6cd599fe25f94b9dae4907e16179c98bd52e6dc6604df5522a9d4f7b7f5c10

SHA512
80d5a01dc56bc008dae6096c283b7bec64e559c91c5c0b20312c75c2c87d719b51d0338e1fe22ef79ee99e82fc8323129a5e6e2586b70b184667ad937a402585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
08fac96d90e576cdb2d626247a546450

SHA1
db9411732e7180aeb5e14652becd2252b1a9f493

SHA256
9a8dc1be138a146825b0f5b823be1f1c2e947f559bbc7ab8beac7d3149a221de

SHA512
4ddf92e39829ae077d2fd9d3738661935fcf05ed495b0fa08bb8812e22e5cd3455dbe391afa770c24babd4f98aaeb29ee2941fd49b3251babce9d3a411661dc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
94a6969208a490aeffc28c9ef4986bf1

SHA1
141275cbff1d90f7a51b4cc54720e20bb8b65664

SHA256
b8e8a05957284a18fd0a0ef85432036e390403326fccad3a199369f54cd972a2

SHA512
828e7b9a657d4cecd8109a05ff81349ac8209286418cd0674e23108174b36bd3cc46b303324842e27a34d8043efcf7d0690c2579a511734c609d8ef3e50da437

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f45c9588c0e716771560cd419d16957f

SHA1
ae3ce65811f27567fdd185c4c7c42f037a801c0d

SHA256
8d464a8d3af0c1ae0b92203bbac456f681d5ed4cc1ee9de32c91c07914ff716e

SHA512
d4b7d86d633fef8979d900f7698a4b2824fddf2ccede94057c6da305590ce90e72055ad30ac07ab9abd58871152f15b36479f99d186e3d1087ed3e8081f25794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
a2a9109123fa3614704e40876b332190

SHA1
a83ba9c284eaca6c6cafed2ad543b96154b90482

SHA256
4f84c558f3d52a43af6ec63301d0f61a3eb8067eabbb669c1dcdb70036f6395a

SHA512
3abe7d7bc371f52e328b0f3223f2ed34c73295c79ce94c68572dd596019625bc042eda693a887b9829e5d4a2675951a45c8b79692867389d636dad4480b16047

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
0017e8e6447b2692d857e93e8f107090

SHA1
c6fce7954bb23afa94bb9ba8398f1e2611e30f13

SHA256
005f3485d5a9b7227ee45609e57e912da5faff48c29aac5b734f8036c9cfe412

SHA512
c309139f4d707fe92e0110b78a4b38d742bed52610c9c60e8c6a2f625ad8d1856b82f0243714ea31df7e677c76e8eedc5780d0e54aa8fe95d6236a93b2fc36f4

Download Submit
C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build2.exe
Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\39eb19ca-a196-4d92-b1da-4109875f639d\build3.exe
Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
Filesize
2.5MB

MD5
05aef2221ea6cc47def254618a61d437

SHA1
2d9e79b680ab3e570761d337857e674280f8c64f

SHA256
9da4c067d4be2414c6dd9a7dc7ee89faa4ad19b474b55e73605c707405a71339

SHA512
ae233a76fac1d7b7d9a9fabecd1c6c1178a1a5fe6be8e6f8325f579773806c0333a9081381f63a79af1e19dfba2f4708ca0ba1db431a927c3ae3ef7aff104f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6671.exe
Filesize
145KB

MD5
efaf76ea7b27fc3198f2f703074f53fb

SHA1
5f0511f077aaaa04d5ef4ee731028dfb4b26dff1

SHA256
99590e9d995ec2226131be283f3dff64e833dbc839d24d0bb58e7f26ffb0042e

SHA512
8743d50ace1d8854e3bd2842092e9d716dcd1074344033e3e31ad376eff1090600eb06d5d98bb7c87926fb0860fd267150f51a298782800909c41418759bfccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\764A.exe
Filesize
192KB

MD5
a3952cb286ae18a12d40c5d85f4eea24

SHA1
8b5e4b4c121143a8f127bf3d5e1ee7b58c304a30

SHA256
82ab85f35fdd33faf36a377678213c4fa36168b91280804851c7c2a28b995fb2

SHA512
7f6affdf832f321528822231cac1d6f41c53d98fb0c9faac4f1f25652b5b7dcc74b27da96b18c0ca5f36b65bf1cda15d7ec90acb3c87f05ec922ac9a06e6396f

Download Submit
C:\Users\Admin\AppData\Local\Temp\764A.exe
Filesize
249KB

MD5
f41ac19c9c183807133d47c5086ac745

SHA1
88cb51f25d29bd8cce8fcc035b5bbd9ee3227e03

SHA256
555079e7de27aa1a3f0e11d0b528615a5b27938f9433372368f12e6aa308d146

SHA512
39bc2c856e599c9b40fb437a279dc34f13a17b5e15682e9df06c9059093dbefaf408b09ad342f2a508a360c7a9e0a909406eed547d3e80cdbfd8382dcde6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\764A.exe
Filesize
774KB

MD5
a775dae66ce141797fe36ee3509c6177

SHA1
b822ee79f6cdfe299c70bbb14cb96f9560edb4f6

SHA256
8c007c45f95884050ef0d13ab45605edbf1cb1cd26ca415bf0127cd8e6ca6dcf

SHA512
c94d0bfc21d4ac08b13b45aacb30a7411cf59d01139c6a5c78146cfcdafa7375b55f48be4192b331ae47a86e4a591cebe95f2a2878dc963e9160e62c9d42590f

Download Submit
C:\Users\Admin\AppData\Local\Temp\764A.exe
Filesize
603KB

MD5
7cf78bc476756173aac872c930079be7

SHA1
b0eb324205d27f8127adf0b49cdc4dc039c92fdf

SHA256
95a608d1d24d383fa22bd7eeb43d2e254eaf964fedc1f3de18794bdd5d9fe841

SHA512
77c7384423947135499804fa6a46ebdf854bd02aafee81f69d73d24f7bf3dec2ca2fe263e18e6240c18204002b01df48f13c27a648c3ca5e7ea6eb8263d08fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
385KB

MD5
28d46a7399df171625de3b330bf9aa9e

SHA1
27f5bf1dae96bc5ad33dc1fae330309531f2ae39

SHA256
edf9b5ab25d5ec78dd273f63888dcc34cac4ecc5a7945dd4e6f8faa1b63ffbe6

SHA512
1bcc425637c548ee5a820ef73ae10a9d81e522aac5c0401771c751a94a8afe9900823c86a2630bad2b5a5140032aebc5f46b42542711f400433ccb6b0cb45b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FC31.exe
Filesize
1.2MB

MD5
bf437c1e48883b20cc671fb27ded0cc3

SHA1
56448cc63403c547abd8a3ce2b829b26e29a38de

SHA256
2882f29ba3754b726184684f86102cb097f2587b0a6806af7727887982d05965

SHA512
71ec107d85ce2baa814719a9e7c74c1d8a51fb5ae2ee05e06d4fc457b508349050be2ada8916551ec3043cf14f4ecd4e7579fd61f537b74c28efca16a76f4df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
579KB

MD5
b01fe8e1e7ad5fe2b4c336dbe64d78b0

SHA1
cd48edff02593b1c21ef23fc6e5e88a1accec941

SHA256
e25ecc36b61b5b49d25e328465b6b9ff8a3567a7a0081a445a25dae40bc5f0ed

SHA512
e0ed857019cfd036f99eecbd557b4d230c61ccc9ab42e154f625e0894491e6228780a33ccf17aa8b870a7513e5729d9a43c4b6a4e9ef370c9c639c1ec626786c

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
790KB

MD5
f7271219fad9e66eb97c2aa7d2ac0317

SHA1
a087ae32cf8422a45ec069bffbb0ca136b4b4c03

SHA256
5bca586f46a5be810800b7bf972074fc337f90f96570e710f5268aed110b7b2d

SHA512
6f98fe525e030a19fbbc106e98b0fa5bc3c548c84c1b2ff398af52dc728bb9c3c834ee6e119620fa847e02972e2f6f3b985a3b156a874eaf59882180fd6394b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize
1024KB

MD5
1418e425f72721ba18b3f19eb058ab24

SHA1
103feda2b630916f8f3efdeb42bc9ff74e46ea5b

SHA256
187b964aad8ce54f07326ad8ea0c7d7b2af16dabec0c8eaa328e2939abf19dcc

SHA512
eb621ac1f37733b9670a181c106a4ecdff047aa94e18b7033617e7ca9fbaf942e7e81b6203b92a05e68a60c4fdaba7053853c7cd987823469b06a2b6023a481b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar198E.tmp
Filesize
1KB

MD5
fa527dcd6b5eb05e72fc51570a2a6608

SHA1
3380c5ef74408265fba2f67e790636d0ad0a51cc

SHA256
4dc7a4a6cb3be2c334a27a49df89f18f8f91749fe6aa1cf28d548e0e0c75ce3d

SHA512
05c0e217c433949cab210102a26ca7f6a765515b228b217e25c7409408fc167b5a59a8494e1181284e9ec72849c90288f3a066faa284e29d871097ec76291a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
495KB

MD5
3826c25044aa098f4eb78b6d95259f2e

SHA1
cd0c738620e7461dca85538322c17a33a75cd1d5

SHA256
1a04d466947967efa8e18e84b58d87474fa98c4e55f9719ff3ebc97d1ee5cd21

SHA512
3ff6844fb1d1c655966bf8bed97dd46fe5629efb478401ef21eb66814dc4651e9b284bb3264bb276a910d7cdfea970cd0e7160378af09361e6f0f410531e18d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
366KB

MD5
66bdfac3059d46ec0df8aa9cc7127b8a

SHA1
d2fd3ed55c5dae5871a7890f67d455db72c55305

SHA256
f8913bab77f090d4dca02135827a08222079f2c0ff40b6fa30ad60c9d05dcaa4

SHA512
d66908001d66fc4777e893e4c684cd272199e300e5df10d810c8f09f5264b34400d427e9a45e850f03e2cede4b40306263baf45a525e2a314ff4a9d39cf69f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
342KB

MD5
31943021e026eff6075d1a0195006ca9

SHA1
18b45c490c8eafd0f561393ff26965cfda6bd2cb

SHA256
9566231edd6c4145d36df510a0b837e8f5493dacdd47059dcb753b153dc1fac6

SHA512
d36c0c18891f1b967eb390ff1f4c6ee80752c758987fb872d30e0c713fbca23b170794ed7388ff3dc15e1337c7c350b8e326ff9abb0ca48fe5899552650447eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
305KB

MD5
f597eab60dc29759001c58075d001d1f

SHA1
9cb8354e36c709e6b195a7bd625b725bd7969f6e

SHA256
0d5a47d5da746aa34dda550997e63ad57d875c65468c0f64e5912fdaac5b6a32

SHA512
4ce1496a3a95e54b248fc7047aa3830093f6efe30e2a0ec988f7ec744dc3a7b66087c0f806d470ba68ba20bf7a59862908e2c56107eab10a6d4da084ac0d29e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
605KB

MD5
b30bbd9c209373efc2904f50b13a2e42

SHA1
bb0b5fbb0b61ceb3c630ec448fd3855d953d7c1d

SHA256
4e62aa65aed216010c6e51e960451885d6fad905a205f493a972a485666641d3

SHA512
4a79b5d12b57919822e40cae9d567f3d7da7f3a9df0ccf995520c418af14c806ff99322b95dcb59886bba5087eda66bf9731587cee44bb9789075e7b72f21cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd11ED.tmp
Filesize
224KB

MD5
d49ec9d626906573730ee61ba73fd7ef

SHA1
fd50305cd6f0f6105db8fd6e95e0e5d52f6036dc

SHA256
b8f3cb97aa4dfee41c11855f2a6647dd9ddbbef6a220b76c85573a5bcf67979e

SHA512
70eb1d447c050fa8a1e4603d1ab8d710dd190deaedc192732344b6f21dda41a3689ff3a25ee9aa68a226da2fc161037beb4175e950459281355f3bc78f06e096

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd11ED.tmp
Filesize
146KB

MD5
7c3def033e8d8921a650956b07c3aa65

SHA1
dc1d05663155a0f43c3386e41df75dbd9d74ad54

SHA256
4c0b0ef00b148aebb12e2aab4d457c089d59e6df1b8691e0045e95cef8f04f26

SHA512
ae18f8fa19cb40aa830d6471201b7315fb5a70eeab3fccd2a1336a24b2da29377a4f003897506a87f0f34c1670453c6f0b44ccfa490dcd3e299aef312a991c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
322KB

MD5
a99750530f4136ef69e0f78c3dac2694

SHA1
03e56b62ae4009ff5a2a4648ce95253a87ccfc9d

SHA256
74713fc9bdf8de930dde098fb5e9ff95d05635574379d1c03f4d7bb5a73f9708

SHA512
fc91301aca29918e4d2bb6bfd7f1611e742ea31f74e46cf3e9a3b56f0019fc50534d3ba2d0c8adbe1a955f3fbc28658330d553c228aff06f540c0f698a49164a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
439KB

MD5
95823079bbd7f5fd1b96a2296bb38b12

SHA1
4fa810fee9b21260dcd4c0b0c4315a3eb1396cd0

SHA256
41c7c271b5de41589f4e9ab7f1e55d0dc6c590656e24f1f809a41711f1f3e727

SHA512
5c54e995345d332746a470b863abf031ba8fbd524e0142ce8f8c702ff7ed92df1a9facc590252e6bc8d984b295df7ee2d6a24028959f77b586a5f8dd4d7bbd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
238KB

MD5
8c20d9745afb54a1b59131314c15d61c

SHA1
1975f997e2db1e487c1caf570263a6a3ba135958

SHA256
a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

SHA512
580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe
Filesize
426KB

MD5
bee369cb9ead79168263393e181900f2

SHA1
d75ac480b613bcd3f6f9f2b037419d5af6f26330

SHA256
4d2fc42492133396f98e16cd32dee6bd2c2823cca5bab7e40393721f4ca30e5d

SHA512
3b0138e366530a8cc396eac70acdd77b5f5a7292545f03732d25ea6c66e64118b2df7b33c13428989d2c26ae701f4a96927bc6d264662acd450d43289af0b644

Download Submit
C:\Windows\rss\csrss.exe
Filesize
158KB

MD5
49a7409036a58ff567139fc4bc7e90e0

SHA1
ecb4630522b2af4c568db8d494319376017081d4

SHA256
b604296e63b2a238dcb8f39f69e487d0127f743efe8b7c4c8eb82845886300f4

SHA512
5096c2d2e68b249367afa65ab7be602edfe0c2be274645ab0265c965769d173664088a3d574c8719381c0e44596e83ddd7b8221161d85b2c3b12d3629326f451

Download Submit
\ProgramData\mozglue.dll
Filesize
337KB

MD5
624a35a263ab30e0cb49ff2135d7221f

SHA1
0de97ebdfa527f6d63bd42bbd4c0a757ad4a3291

SHA256
c92d40abd3338cb5f3d4c21554f4a5afef365d46d44e56da4f5bd419ec47c351

SHA512
cca8018ed765e56503c19f57240062922bc2b9527158f61477b90cf820f99c05c6d2c27092f59487104c37e7326007679c6efd592b089966a530f664a90309e1

Download Submit
\ProgramData\nss3.dll
Filesize
354KB

MD5
95014b877d61fb8e2947500ea3e479ff

SHA1
bda7b5ea9a7d061ab260e865bfe70b88acc19091

SHA256
c2aae5f67fb4905862512dbc903cae3a9d6629f83b4b8c91d4bec59fc71d6db4

SHA512
a328d95d2d44a37420020dd36617773366d72c3511a1014c3cc35b6c228545bcde35b74464fa4a4b0660ee37e6d5588897e01729f2d94e27a88bbed0f0fa8bb3

Download Submit
\Users\Admin\AppData\Local\Temp\764A.exe
Filesize
64KB

MD5
3379072aab452651aec9247aa7b5e2df

SHA1
20230ccb14660f0e640ba93aaaa2039d49b03033

SHA256
6d8b66d0a80669aa69e5beb0fef16c7c3dd6f652c88fef73a1a67a1f1475d375

SHA512
76e1ef1310a98c6783556438f044ee0235844ab7ce0ffa8b62561aabae7a0fd75af47d449e702110c9113f1cc76cf38edef48aa2e5b32e240b6324ea5f7ebe30

Download Submit
\Users\Admin\AppData\Local\Temp\764A.exe
Filesize
614KB

MD5
6d7a3df3f6b7187a834a738fe01d5fe1

SHA1
f6039cb9c4ed9cccaf70904308a19359565882ef

SHA256
36cb14dce2d366d00bf928e06b15370ce37eaff63ffc9e8120ecccc90180aa86

SHA512
c2db3bda20e05459964b15b35abc3eb83617c89869236f863363783aaeddc0197aa551a423f57c6ae6c2222233df22e67a3f66609393b6abd84993a3905d6cf1

Download Submit
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
395KB

MD5
ee34473d7618692d8301cac9ec824eaf

SHA1
c9f68142aeec62d063454d21039546723f284bd8

SHA256
96474bfb7de5530242e11b01ebe408a1179b0c8487157f5e828299bc6de2ccf2

SHA512
3f1202793e3a91870722b5651d6f74e414a01421edfbfa3858d11efd4d6a4f82f80626dd38b273becf1bab527c6a882e20300e0011536d35cd46efa2f36c6106

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
Filesize
625KB

MD5
d81b0d5d23640f8d2e71976abb9bdb6a

SHA1
9d411e98d3f7a8bd64e1e2e0cee46f710b364015

SHA256
7ea65c01dcbed0704798b2d714a142d4de8a254ca509b9c86a4cdefe0fbcde61

SHA512
a216ee36e4c743c930e1d5b315de2651cfc545d23da61df7c3e6d81b6e317085c35803f93336f9ffba7a4c6f6652ad4c89e7ec0ba635a9496a0cdbea036499e0

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
Filesize
352KB

MD5
da06ec829cd64569c722bb7c981c0a30

SHA1
09f1cfd4cb33649a1e95cb877220692078e3073d

SHA256
2f5f91b1f6c237fcd6632a3a7036ce9d8db820bf8042eac219068a4e0dce92fd

SHA512
de7255dcf01ba04020186b9228b65153b9e9f233e941d4dd051fe4abee51c8f6bc6a78033d18959453762de9125f97734b7c15d45f4059aff19ecd11dd282448

Download Submit
\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
540KB

MD5
9c13d8c4d43f9a1389f76b8dd702ea78

SHA1
be986ef03655cb2e8c7303943d2f3eb1befcbebc

SHA256
bee2506d4587810a525e88c8b38cb2f4a7335cfda39db8bf193920bb5c36e643

SHA512
da96f3d6f79746c34c82f79471d7ed0d7598ce736ba88185ddf1197014480d64ea7ab034ca223507e5ab4470bb43beae3414d5dc3a451c272c4fc7a7d917a48e

Download Submit
\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
404KB

MD5
369252411cf8e52959f9eeb79109488c

SHA1
86f5630121346644053deb5f3da6054564924feb

SHA256
f0236b9e91eb87562254b6cd0da64deaadf4d62d317ea9b5f4ed8c022330d7a2

SHA512
86304714b985d129033797c3f69c2308e648d545ca42f4c6dcfb0e216c41e2f941ea561b893cecef9254c7a03ed3445146034f838f75d886e80e818bb065f38d

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll
Filesize
256KB

MD5
33a014bfeb3ce513b0ff951b80084f8c

SHA1
65d540f93fbefee2a99e1e2c063daa5451899d02

SHA256
3ec04cdf3271a8b750184e301695c30350e5769f92dcba58ef2f0768f2091136

SHA512
3a92610e8d6689dac50d9d5a4c021bb3f90e1d600dd14e7462138d6b96d74a929607cb8447970f779529acd740a651c1dfbc03ae90e58f4c5a29ff9b3767055c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd11ED.tmp
Filesize
194KB

MD5
f11c0764c13760fa577665b22351439a

SHA1
0bb76656ee38188fd3e83ce466c51176e9ff4834

SHA256
a1bc90319fec5475cf303b696232f388da1b1ca80626e62eccc0fbfacc7785ef

SHA512
da46e92e38b84ac8e96031acddd2f05945ada4fd4b60f61f56ccd8f48307204688132cfd9b1ce669f9fe5d8ab0a1227c7ba1bcf779df57d68e0650adac6cca40

Download Submit
\Users\Admin\AppData\Local\Temp\nsd11ED.tmp
Filesize
154KB

MD5
2dcf31391742e639468589c9c4faa7c9

SHA1
f10a4e73368dd5fd252b121e513fb021b3e3f02e

SHA256
8026ae9c8010a4e5728f7f8999c2323a9d4fc664448c4d785eeeb2ae892bd289

SHA512
df6c8753719fc7551c1372c09214eed3255f98602c8ce912a2000885605c93e5652003a2de33d759d27141d630899d53d1ec86f46fb10696cb5047c79168b997

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD0C.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
437KB

MD5
97c7003a2f99f600ead2f67423d95527

SHA1
698717f5cd43169bb45602ccd67f8f54351c92ab

SHA256
f9fb7131792e5da9b24d2797ac887eb73f10a1cdf29883bdfea7595408060b2e

SHA512
d390831d705f45a431feab397ea51d9f4d86b4a076e280c4084135191409d5e4484323a6138da38aba45088dd9bf9b361f6ef492cb3cbdbd283f5b99ea4691a4

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
198KB

MD5
a3d0afb91883559e537f1555742ae1be

SHA1
3db5536a0a04131c3b52ed32d8652f119124b611

SHA256
f31b23f0944bee6350cb29e1b134a8094df15591ccf4cdb1862341e99237256f

SHA512
9b9c29823f4953e12321949091394166f19f4cb45c4aac839b7a59f752c185f0fcf30b5f971efa2c4d1d918a263fd905c6fd6db8a800cb21910bd95082219e33

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
Filesize
317KB

MD5
a135fedfff5bbc7ab7d705099f2426d6

SHA1
37099b41f499ea726902f0f1d50b0295ecfbb297

SHA256
4c7b833f555f9d6fd369fb1feb067f0bcbfcb38672ac9f12bec757adf12da66c

SHA512
34327b80e61b07424f77d0a5ee7e11e28228bf742a2eae690556852f744325e45192b038c9248f4d793859731e81621ac2258b0de16f79b7f2520d9b124d98d4

Download Submit
\Users\Admin\AppData\Local\Temp\osloader.exe
Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
404KB

MD5
ab0c1e9a1208ef7ffea5f1beec97f86a

SHA1
1cf8d1a5c3cd1559f410d1721564faad0e368459

SHA256
ee6ae06faccde88900d41d491a443c9d34b14287f52e0b7432fbfc7dc8f171e5

SHA512
f9118b00075b2cce63fa842d4ebd6e4ff20275b96b9fb221d5ef59adebed6e5d04852e588e9546af8951489fe27b251b3049d57f7773340568b8b2b2b247513f

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll
Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Windows\rss\csrss.exe
Filesize
610KB

MD5
6db15ab5be081feb107cd9514db164dc

SHA1
69f2cf532e60142ff79b91df9819776f2366f038

SHA256
a41475b8864f9025a0c278cfc2350e8306d1a3913c0aee9d8b65d550fe58426a

SHA512
2e972d435faa366e2827909c0d21d8aae64e7eaa1bafbfe83f389f59d244fc36d991123b9856ecda95c610143c4d2813427e90201bf9d9748d8e3cb29db17234

Download Submit
\Windows\rss\csrss.exe
Filesize
227KB

MD5
92f38c5ff3543f1a7142b3448f467e49

SHA1
9803a2119916d78190550a3a386a2ef00caf09f0

SHA256
40569ab5506bcaf2713e0d4c7a804904ef136cc7845878df31981b23729212b9

SHA512
5bea91dda8dec77b3cc944630faad669285e4ae550cab4aeb7c1f4eb2ec2e6c911906ab2819aca9e1e86de96cffc6de031d4d2cd46a0211a407a434d0bd6ef0b

Download Submit
memory/948-540-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/948-542-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/948-546-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1088-802-0x0000000006D70000-0x0000000006F02000-memory.dmp

Filesize
1.6MB

Download
memory/1088-796-0x0000000000EF0000-0x0000000001448000-memory.dmp

Filesize
5.3MB

Download
memory/1088-801-0x00000000059E0000-0x0000000005C28000-memory.dmp

Filesize
2.3MB

Download
memory/1088-806-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/1088-797-0x0000000000650000-0x000000000066A000-memory.dmp

Filesize
104KB

Download
memory/1088-819-0x00000000725A0000-0x0000000072C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-820-0x0000000004E19000-0x0000000004E1D000-memory.dmp

Filesize
16KB

Download
memory/1136-691-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1140-79-0x0000000000650000-0x0000000000684000-memory.dmp

Filesize
208KB

Download
memory/1140-192-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1140-345-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1140-77-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/1140-78-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/1196-621-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1196-619-0x0000000000902000-0x0000000000913000-memory.dmp

Filesize
68KB

Download
memory/1380-471-0x00000000040D0000-0x00000000040E6000-memory.dmp

Filesize
88KB

Download
memory/1380-250-0x0000000003EB0000-0x0000000003EC6000-memory.dmp

Filesize
88KB

Download
memory/1596-826-0x00000000009A2000-0x00000000009B2000-memory.dmp

Filesize
64KB

Download
memory/1780-72-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/1780-62-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/1780-148-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1780-173-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/1888-547-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1888-527-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1888-529-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1888-504-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1888-505-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1888-533-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1888-603-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1888-491-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2092-381-0x0000000002620000-0x0000000002A18000-memory.dmp

Filesize
4.0MB

Download
memory/2092-175-0x0000000002620000-0x0000000002A18000-memory.dmp

Filesize
4.0MB

Download
memory/2092-396-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2092-190-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2092-377-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2092-189-0x0000000002A20000-0x000000000330B000-memory.dmp

Filesize
8.9MB

Download
memory/2092-406-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2092-186-0x0000000002620000-0x0000000002A18000-memory.dmp

Filesize
4.0MB

Download
memory/2156-60-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2156-45-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2156-46-0x0000000002B00000-0x00000000033EB000-memory.dmp

Filesize
8.9MB

Download
memory/2156-44-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2156-74-0x0000000002B00000-0x00000000033EB000-memory.dmp

Filesize
8.9MB

Download
memory/2156-75-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2156-48-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2304-490-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2304-481-0x0000000000220000-0x00000000002B1000-memory.dmp

Filesize
580KB

Download
memory/2516-791-0x0000000000E70000-0x000000000188B000-memory.dmp

Filesize
10.1MB

Download
memory/2516-792-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2608-49-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2608-352-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/2692-404-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2692-472-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2692-405-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2708-387-0x0000000003800000-0x000000000392C000-memory.dmp

Filesize
1.2MB

Download
memory/2708-390-0x0000000003800000-0x000000000392C000-memory.dmp

Filesize
1.2MB

Download
memory/2708-386-0x0000000002B40000-0x0000000002C4A000-memory.dmp

Filesize
1.0MB

Download
memory/2708-24-0x00000000FFBB0000-0x00000000FFC67000-memory.dmp

Filesize
732KB

Download
memory/2764-233-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2764-251-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2764-50-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2764-51-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2764-52-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2820-633-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2820-615-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2836-545-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2836-543-0x0000000000630000-0x000000000064B000-memory.dmp

Filesize
108KB

Download
memory/2892-423-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2892-416-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2892-418-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2892-479-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2892-424-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2896-0-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-1-0x00000000013E0000-0x0000000001B06000-memory.dmp

Filesize
7.1MB

Download
memory/2896-413-0x0000000000360000-0x00000000003F1000-memory.dmp

Filesize
580KB

Download
memory/2896-421-0x0000000000360000-0x00000000003F1000-memory.dmp

Filesize
580KB

Download
memory/2896-47-0x0000000074B20000-0x000000007520E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-422-0x00000000004D0000-0x00000000005EB000-memory.dmp

Filesize
1.1MB

Download
memory/2968-221-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2968-241-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download