amadey | 1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922

Analysis

max time kernel
150s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-02-2024 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4580e8db0c3dbc88891842fd8a31158.exe
Size

5.5MB
MD5

c4580e8db0c3dbc88891842fd8a31158
SHA1

744f03fcf10db1459d3f40beaea2bfe1b000582b
SHA256

1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922
SHA512

cefd412e0d5aba56d6603fdc46a056474ce387dbb220b32a9317dca0822bef9320515afacc2ab2086db46f9e01b3456c87a0dc83bd99c246550d87efd3606945
SSDEEP

98304:Fs9EI6sZJrf04Hr3VvPkrcRizJ6krK4JLQaEHlXU+vG9G1jMaZQRrkp:W+I6sU4HjZkwkVJo1+G1jMaZQpk

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.ldhy
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0849ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.6

Botnet

1b9d7ec5a25ab9d78c31777a0016a097

https://t.me/tvrugrats

https://steamcommunity.com/profiles/76561199627279110

Attributes

profile_id_v2
1b9d7ec5a25ab9d78c31777a0016a097

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2680-308-0x0000000003890000-0x00000000039BC000-memory.dmp	family_fabookie
behavioral1/memory/2680-348-0x0000000003890000-0x00000000039BC000-memory.dmp	family_fabookie

Detect Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2784-503-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/2784-500-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7
behavioral1/memory/268-498-0x0000000000230000-0x0000000000260000-memory.dmp	family_vidar_v7
behavioral1/memory/2784-689-0x0000000000400000-0x0000000000643000-memory.dmp	family_vidar_v7

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/904-791-0x00000000000E0000-0x0000000000736000-memory.dmp	family_zgrat_v1

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2712-423-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2712-422-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2712-418-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2788-419-0x0000000001D90000-0x0000000001EAB000-memory.dmp	family_djvu
behavioral1/memory/2712-445-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-460-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-459-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-474-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-473-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-478-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-481-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-480-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-482-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2520-683-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2740-39-0x0000000002960000-0x000000000324B000-memory.dmp	family_glupteba
behavioral1/memory/2740-40-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2740-47-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2740-49-0x0000000002960000-0x000000000324B000-memory.dmp	family_glupteba
behavioral1/memory/2400-69-0x0000000002B90000-0x000000000347B000-memory.dmp	family_glupteba
behavioral1/memory/2400-70-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2400-136-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2648-170-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2648-369-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2648-382-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2648-390-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2872	bcdedit.exe
1972	bcdedit.exe
1496	bcdedit.exe
604	bcdedit.exe
2352	bcdedit.exe
2736	bcdedit.exe
1744	bcdedit.exe
2424	bcdedit.exe
1180	bcdedit.exe
1756	bcdedit.exe
2204	bcdedit.exe
2968	bcdedit.exe
2220	bcdedit.exe
2360	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1360 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
1360	netsh.exe

Executes dropped EXE 29 IoCs

Processes:

InstallSetup_nine.exed21cbe21e38b385a41a68c5e6dd32f4c.exerty25.exetoolspub1.exed21cbe21e38b385a41a68c5e6dd32f4c.exeu1s8.0.execsrss.exepatch.exeinjector.exeu1s8.1.exe78D8.exe9A4D.exe9A4D.exe9A4D.exe9A4D.exebuild2.exebuild2.exebuild3.exebuild3.exemstsca.exemstsca.exedsefix.exeF6E.exe171C.exe26EA.exewindefender.exewindefender.exemstsca.exemstsca.exe

pid	process
2312	InstallSetup_nine.exe
2740	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2680	rty25.exe
1044	toolspub1.exe
2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe
352	u1s8.0.exe
2648	csrss.exe
1356	patch.exe
1112	injector.exe
992	u1s8.1.exe
288	78D8.exe
2788	9A4D.exe
2712	9A4D.exe
2840	9A4D.exe
2520	9A4D.exe
268	build2.exe
2784	build2.exe
696	build3.exe
1820	build3.exe
2980	mstsca.exe
840	mstsca.exe
1992	dsefix.exe
1092	F6E.exe
2652	171C.exe
904	26EA.exe
2244	windefender.exe
1636	windefender.exe
2752	mstsca.exe
108	mstsca.exe

Loads dropped DLL 51 IoCs

Processes:

c4580e8db0c3dbc88891842fd8a31158.exeInstallSetup_nine.exed21cbe21e38b385a41a68c5e6dd32f4c.exepatch.execsrss.exeu1s8.0.exe9A4D.exe9A4D.exe9A4D.exe9A4D.exeWerFault.exeWerFault.exe26EA.exe

pid	process
2516	c4580e8db0c3dbc88891842fd8a31158.exe
2516	c4580e8db0c3dbc88891842fd8a31158.exe
2516	c4580e8db0c3dbc88891842fd8a31158.exe
2516	c4580e8db0c3dbc88891842fd8a31158.exe
2516	c4580e8db0c3dbc88891842fd8a31158.exe
2516	c4580e8db0c3dbc88891842fd8a31158.exe
2312	InstallSetup_nine.exe
2312	InstallSetup_nine.exe
2312	InstallSetup_nine.exe
2312	InstallSetup_nine.exe
2312	InstallSetup_nine.exe
2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe
860
1356	patch.exe
1356	patch.exe
1356	patch.exe
1356	patch.exe
1356	patch.exe
2648	csrss.exe
352	u1s8.0.exe
352	u1s8.0.exe
2312	InstallSetup_nine.exe
2312	InstallSetup_nine.exe
2312	InstallSetup_nine.exe
2312	InstallSetup_nine.exe
2788	9A4D.exe
2712	9A4D.exe
2712	9A4D.exe
2840	9A4D.exe
2520	9A4D.exe
2520	9A4D.exe
2520	9A4D.exe
2520	9A4D.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
2288	WerFault.exe
1356	patch.exe
1356	patch.exe
1356	patch.exe
2648	csrss.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
904	26EA.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2608 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2608	icacls.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe9A4D.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e363a746-1d06-4d00-a750-973c42805e5c\\9A4D.exe\" --AutoStart"	9A4D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

171C.exe

pid process

2652 171C.exe

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

pid	process
2652	171C.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

9A4D.exe9A4D.exebuild2.exebuild3.exemstsca.exe26EA.exemstsca.exe

description	pid	process	target process
PID 2788 set thread context of 2712	2788	9A4D.exe	9A4D.exe
PID 2840 set thread context of 2520	2840	9A4D.exe	9A4D.exe
PID 268 set thread context of 2784	268	build2.exe	build2.exe
PID 696 set thread context of 1820	696	build3.exe	build3.exe
PID 2980 set thread context of 840	2980	mstsca.exe	mstsca.exe
PID 904 set thread context of 880	904	26EA.exe	MsBuild.exe
PID 2752 set thread context of 108	2752	mstsca.exe	mstsca.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 6 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe171C.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240205110116.cab
File created	C:\Windows\Tasks\explorgu.job	171C.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3012 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2288 2784 WerFault.exe build2.exe
2720 1092 WerFault.exe F6E.exe
584 880 WerFault.exe MsBuild.exe

pid	process
3012	sc.exe

pid	pid_target	process	target process
2288	2784	WerFault.exe	build2.exe
2720	1092	WerFault.exe	F6E.exe
584	880	WerFault.exe	MsBuild.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe78D8.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78D8.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78D8.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	78D8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u1s8.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1s8.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1s8.0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2316 schtasks.exe
1864 schtasks.exe
2180 schtasks.exe
828 schtasks.exe
480 schtasks.exe

pid	process
2316	schtasks.exe
1864	schtasks.exe
2180	schtasks.exe
828	schtasks.exe
480	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exewindefender.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time"	windefender.exe

Modifies system certificate store 2 TTPs 19 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build2.exerty25.execsrss.exe9A4D.exepatch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rty25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	9A4D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	9A4D.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rty25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	9A4D.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exed21cbe21e38b385a41a68c5e6dd32f4c.exed21cbe21e38b385a41a68c5e6dd32f4c.exeu1s8.0.exeinjector.exe

pid	process
1044	toolspub1.exe
1044	toolspub1.exe
2740	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe
352	u1s8.0.exe
1140
1140
1140
1140
1140
1140
1140
1140
1112	injector.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
1112	injector.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
1112	injector.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
1140
1112	injector.exe
1140
1140
1140
1140
1140
1140
1140
1140
1140
1112	injector.exe
1140
1140
1140
1140
1140

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

484
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

toolspub1.exe78D8.exe

pid process

1044 toolspub1.exe
288 78D8.exe

pid	process
484

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exesc.exe

description	pid	process
Token: SeDebugPrivilege	2740	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	2740	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeSystemEnvironmentPrivilege	2648	csrss.exe
Token: SeShutdownPrivilege	1140
Token: SeShutdownPrivilege	1140
Token: SeShutdownPrivilege	1140
Token: SeSecurityPrivilege	3012	sc.exe
Token: SeSecurityPrivilege	3012	sc.exe
Token: SeShutdownPrivilege	1140

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

171C.exe

pid process

2652 171C.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

u1s8.1.exe171C.exe

pid process

992 u1s8.1.exe
2652 171C.exe

pid	process
2652	171C.exe

pid	process
992	u1s8.1.exe
2652	171C.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c4580e8db0c3dbc88891842fd8a31158.exeInstallSetup_nine.exed21cbe21e38b385a41a68c5e6dd32f4c.execmd.execsrss.exeu1s8.1.execmd.exe9A4D.exe

description	pid	process	target process
PID 2516 wrote to memory of 2312	2516	c4580e8db0c3dbc88891842fd8a31158.exe	InstallSetup_nine.exe
PID 2516 wrote to memory of 2312	2516	c4580e8db0c3dbc88891842fd8a31158.exe	InstallSetup_nine.exe
PID 2516 wrote to memory of 2312	2516	c4580e8db0c3dbc88891842fd8a31158.exe	InstallSetup_nine.exe
PID 2516 wrote to memory of 2312	2516	c4580e8db0c3dbc88891842fd8a31158.exe	InstallSetup_nine.exe
PID 2516 wrote to memory of 2312	2516	c4580e8db0c3dbc88891842fd8a31158.exe	InstallSetup_nine.exe
PID 2516 wrote to memory of 2312	2516	c4580e8db0c3dbc88891842fd8a31158.exe	InstallSetup_nine.exe
PID 2516 wrote to memory of 2312	2516	c4580e8db0c3dbc88891842fd8a31158.exe	InstallSetup_nine.exe
PID 2516 wrote to memory of 2740	2516	c4580e8db0c3dbc88891842fd8a31158.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2516 wrote to memory of 2740	2516	c4580e8db0c3dbc88891842fd8a31158.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2516 wrote to memory of 2740	2516	c4580e8db0c3dbc88891842fd8a31158.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2516 wrote to memory of 2740	2516	c4580e8db0c3dbc88891842fd8a31158.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2516 wrote to memory of 2680	2516	c4580e8db0c3dbc88891842fd8a31158.exe	rty25.exe
PID 2516 wrote to memory of 2680	2516	c4580e8db0c3dbc88891842fd8a31158.exe	rty25.exe
PID 2516 wrote to memory of 2680	2516	c4580e8db0c3dbc88891842fd8a31158.exe	rty25.exe
PID 2516 wrote to memory of 2680	2516	c4580e8db0c3dbc88891842fd8a31158.exe	rty25.exe
PID 2516 wrote to memory of 1044	2516	c4580e8db0c3dbc88891842fd8a31158.exe	toolspub1.exe
PID 2516 wrote to memory of 1044	2516	c4580e8db0c3dbc88891842fd8a31158.exe	toolspub1.exe
PID 2516 wrote to memory of 1044	2516	c4580e8db0c3dbc88891842fd8a31158.exe	toolspub1.exe
PID 2516 wrote to memory of 1044	2516	c4580e8db0c3dbc88891842fd8a31158.exe	toolspub1.exe
PID 2312 wrote to memory of 352	2312	InstallSetup_nine.exe	u1s8.0.exe
PID 2312 wrote to memory of 352	2312	InstallSetup_nine.exe	u1s8.0.exe
PID 2312 wrote to memory of 352	2312	InstallSetup_nine.exe	u1s8.0.exe
PID 2312 wrote to memory of 352	2312	InstallSetup_nine.exe	u1s8.0.exe
PID 2400 wrote to memory of 1016	2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2400 wrote to memory of 1016	2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2400 wrote to memory of 1016	2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2400 wrote to memory of 1016	2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 1016 wrote to memory of 1360	1016	cmd.exe	netsh.exe
PID 1016 wrote to memory of 1360	1016	cmd.exe	netsh.exe
PID 1016 wrote to memory of 1360	1016	cmd.exe	netsh.exe
PID 2400 wrote to memory of 2648	2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2400 wrote to memory of 2648	2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2400 wrote to memory of 2648	2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2400 wrote to memory of 2648	2400	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2648 wrote to memory of 1112	2648	csrss.exe	injector.exe
PID 2648 wrote to memory of 1112	2648	csrss.exe	injector.exe
PID 2648 wrote to memory of 1112	2648	csrss.exe	injector.exe
PID 2648 wrote to memory of 1112	2648	csrss.exe	injector.exe
PID 2312 wrote to memory of 992	2312	InstallSetup_nine.exe	u1s8.1.exe
PID 2312 wrote to memory of 992	2312	InstallSetup_nine.exe	u1s8.1.exe
PID 2312 wrote to memory of 992	2312	InstallSetup_nine.exe	u1s8.1.exe
PID 2312 wrote to memory of 992	2312	InstallSetup_nine.exe	u1s8.1.exe
PID 992 wrote to memory of 2280	992	u1s8.1.exe	cmd.exe
PID 992 wrote to memory of 2280	992	u1s8.1.exe	cmd.exe
PID 992 wrote to memory of 2280	992	u1s8.1.exe	cmd.exe
PID 992 wrote to memory of 2280	992	u1s8.1.exe	cmd.exe
PID 2280 wrote to memory of 332	2280	cmd.exe	chcp.com
PID 2280 wrote to memory of 332	2280	cmd.exe	chcp.com
PID 2280 wrote to memory of 332	2280	cmd.exe	chcp.com
PID 2280 wrote to memory of 332	2280	cmd.exe	chcp.com
PID 2280 wrote to memory of 1864	2280	cmd.exe	schtasks.exe
PID 2280 wrote to memory of 1864	2280	cmd.exe	schtasks.exe
PID 2280 wrote to memory of 1864	2280	cmd.exe	schtasks.exe
PID 2280 wrote to memory of 1864	2280	cmd.exe	schtasks.exe
PID 1140 wrote to memory of 288	1140		78D8.exe
PID 1140 wrote to memory of 288	1140		78D8.exe
PID 1140 wrote to memory of 288	1140		78D8.exe
PID 1140 wrote to memory of 288	1140		78D8.exe
PID 1140 wrote to memory of 2788	1140		9A4D.exe
PID 1140 wrote to memory of 2788	1140		9A4D.exe
PID 1140 wrote to memory of 2788	1140		9A4D.exe
PID 1140 wrote to memory of 2788	1140		9A4D.exe
PID 2788 wrote to memory of 2712	2788	9A4D.exe	9A4D.exe
PID 2788 wrote to memory of 2712	2788	9A4D.exe	9A4D.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c4580e8db0c3dbc88891842fd8a31158.exe
"C:\Users\Admin\AppData\Local\Temp\c4580e8db0c3dbc88891842fd8a31158.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\u1s8.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u1s8.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:352
- - C:\Users\Admin\AppData\Local\Temp\u1s8.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u1s8.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2280
- C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
  "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1016
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Manipulates WinMon driver.
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1356
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2872
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1972
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1496
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:604
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2736
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1744
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2424
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1180
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1756
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2204
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2968
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2220
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2360
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2336
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        5⤵
        Executes dropped EXE
        
        PID:1992
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2352
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:480
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:2244
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:756
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
- C:\Users\Admin\AppData\Local\Temp\rty25.exe
  "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1044

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240205110116.log C:\Windows\Logs\CBS\CbsPersist_20240205110116.cab
1⤵
PID:3044

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1360

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
1⤵
- Creates scheduled task(s)
PID:1864

C:\Windows\SysWOW64\chcp.com
chcp 1251
1⤵
PID:332

C:\Users\Admin\AppData\Local\Temp\78D8.exe
C:\Users\Admin\AppData\Local\Temp\78D8.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:288

C:\Users\Admin\AppData\Local\Temp\9A4D.exe
C:\Users\Admin\AppData\Local\Temp\9A4D.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\9A4D.exe
  C:\Users\Admin\AppData\Local\Temp\9A4D.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  PID:2712
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\e363a746-1d06-4d00-a750-973c42805e5c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2608
- - C:\Users\Admin\AppData\Local\Temp\9A4D.exe
    "C:\Users\Admin\AppData\Local\Temp\9A4D.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2840
  - - C:\Users\Admin\AppData\Local\Temp\9A4D.exe
      "C:\Users\Admin\AppData\Local\Temp\9A4D.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2520
    - - C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe
        
        "C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:268
      - C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe
        
        "C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1440
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2288
    - - C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build3.exe
        
        "C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:696
      - C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build3.exe
        
        "C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2180

C:\Windows\system32\taskeng.exe
taskeng.exe {081BE7A6-5F98-438E-A8B4-E13C3BC2D6A8} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
1⤵
PID:2996
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2980
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:840
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2752
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:108

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
1⤵
- Creates scheduled task(s)
PID:828

C:\Users\Admin\AppData\Local\Temp\F6E.exe
C:\Users\Admin\AppData\Local\Temp\F6E.exe
1⤵
- Executes dropped EXE
PID:1092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 96
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2720

C:\Users\Admin\AppData\Local\Temp\171C.exe
C:\Users\Admin\AppData\Local\Temp\171C.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Users\Admin\AppData\Local\Temp\26EA.exe
C:\Users\Admin\AppData\Local\Temp\26EA.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
  2⤵
  PID:880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 92
    3⤵
    - Program crash
    PID:584

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
95a94f582e52ab36e13c3acf8c351291

SHA1
9c2bb2f35ac04b6dec613cc8536af991894e0f0b

SHA256
0f7c853990dc2ed00794ce95880ada9a11a53697dcfdbcd008d226983919f316

SHA512
6e68bdeee605c419ecbde3e9287bb4c05ef9a5bdcc267d97790a20dd68b93a865a22d3b884b537ba8ebab74021384768eaf54a81fb1aa52b6b7424befb11f55f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
e83a73e2c2a89e3185477f1ee44b6394

SHA1
6aa06b1bb7ec304ff2b00e7f2853a01b45b6d773

SHA256
1748691d6c4a0ec842c332efef6b39f71aaa7f0620edbc724f692b8b54851569

SHA512
4ebace6f032d8c2101a6deeea834f4d65cab9fe31be1cb76b234fa40bf9c5970664fd7f983ff785c17d7672295a922d9af8308368a95e24a726b51825ce7f3c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cba81b8035817aa3c9680037a534b426

SHA1
daf612be5786e7ac193b2eceddcd0449ceda9841

SHA256
d85e70a92d4893ad9ba142f95372ef340fc4bcdd9280f824dc577cf3b88d24e6

SHA512
3ff90a93868e30ca223f3b4187270fc548c0fb435ac6a299f5db7441d2797d0e831fb5da9f90e8f5f76b9f2605f360ee86948a6cf7e59e7be74392ec8e5ca554

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3540d053bdf9a56648c1550f3e147a74

SHA1
996034e7edafb11f4690ece0f5e0278e0b7f7871

SHA256
14f57e57e4e1e93b2f37fb022d5a233281801092c92e607d8acc1b67c07950ea

SHA512
00e91f956af1c215cae47a84b1b224854e7a61a3178b5b499454cfa5165fd60a8a6fb725d5b6d7e1d7c148ce102b079f69acfc988261588567be6bdfdc2593bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
536293abe40ecc986cd09d6d9945f5ef

SHA1
f8cbe29aa3be60bc382f979283dab2c1ca296f85

SHA256
b30131076a125199488926ba8bd7a1ab91e5fa16595673967e2183284f81477b

SHA512
6d789e8883dd08435481136734b993ae895ba9f2c6e80cecd6729c23acb97ed0764ba16031ffb0c5a4033250af75ed6ec877af5744ce5206d4f8f785fbbb4358

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba491a9dc34efcb26d8e79f536c5e8c7

SHA1
e00a375ed5f489b767af6b48e208bd970dc3bd5c

SHA256
05de3d368303a80a719c2653798dc81db64809187725108abebbf6d372f47535

SHA512
dd4526a0ac827162403b8ccd83a1b1e8a9b37a71223316d4b8064c255b724543d7e2fb8c3e5b9221232f8d028c265fe3ac4b336729e4c1df503e9fe06da07cff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
3b2284298a492e6ec71c414cbed6f475

SHA1
34ca23e1afa1aea2ef6358165c63dc90c67875b2

SHA256
7ed7251b5e1428b3b4afff3a2017d76fc0689966b3fb98c949a02add9b9a0fae

SHA512
8e096c754934de069785815642f5ff8c072750c30cdf7f6fc5fed7e35db6a0586210d6ac2d15126372a0a443f7779f1906b62171c05632b73ad685d045137987

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a5067d40bc41193da55aa122eca1c644

SHA1
6b5e8bdffe860c9b1796802e5500bd2dcee16bb6

SHA256
1d98bef14806421220cc500fc4b06c4a85552807c8f00b311b767e2130f2240b

SHA512
a2fc3d2599e0fa085fb13230721b4ca9a01ef0470280aa325ae4447e4024b3c443f5dd88893d3a1c8ca88cce860c1a92e9bc7cfbe477158e328b3572322019b1

Download Submit
C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe

Filesize
28KB

MD5
c05b0eedf6502a6013125152191a963b

SHA1
990dcea7a019bdeadac705e6e78a8d276dacb1c4

SHA256
c57d0f773b38a65a01d6fd11d39f1e996e0ad60c8158166efe73e6438dc9b082

SHA512
a564b007a00be8896c4049a1c0868bf59a7c510e28f49f3b39583b7bf9acbb98963cf34830a3485736c5b9d75ecdf8d87cf4f644d24feed3e841b036d42350e6

Download Submit
C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe

Filesize
64KB

MD5
f37662805a083070abce1e95532371fd

SHA1
497e59f59b3b9c9f842b17461499b5aae20fa031

SHA256
5df2e781b6cb430b7a98b8d3796c3061d9c1e7863f1315d899cdba6ce2ccb167

SHA512
f6478d5273e8aa62b4d43a7fe0693a01fbfe8a6ec064f2660f3951f4c6a58a45cb14743e595d60fb1af517de593d059387145d4534b16185ead7fa788c211c16

Download Submit
C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe

Filesize
313KB

MD5
9d69a4b617fde921dbe0371c0717ba7f

SHA1
42961dda5d208960a85af4e9a7d3860121967283

SHA256
3bc83cfd3a8d4c5caa9cc52be2ac2bc0b6d39e7e7ccc223e76d8082a07734df8

SHA512
de9155a1c4ecbf106fc292a8fb1f0db35d0543876ecbe412d3b0bcbd9af48867d612619eaf7e6cebbb21b615a6fca2c683eaa1894022282cf9a0fc77d441d791

Download Submit
C:\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build3.exe

Filesize
264KB

MD5
cb7d407a7683a975abd4eb04e8cc2abc

SHA1
f72d62b4cbe0d97d6ba099ffa56ce763a8b5086e

SHA256
13178698a1d7ed4c33ce9804fda5a9a167191a209ecef33277edd8e2bd541dec

SHA512
6b14796d5f11c5dd793e9878e4a13cdf6066667808892aa709e5cb0877447b489fb04d5e445b083f6f908fa88e1cb89b8c36e97bc4c97b594ee7d2f2db6bccb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
2.5MB

MD5
b1c30caedd619e8f26c16ccbc0f0a95f

SHA1
e1da667e9a11dea55566ebd79bba8dc3f2a0bf5d

SHA256
a1e3bcf29a0a23c82347e7c7b85afeaca954e72618dbae109cad8cf6c022a9e7

SHA512
70ae2cfef63bceaba5d07791677268df7b57846c42d6c61608943d48b69cb0b5cfa976946a5a2322c7c1e5ca12e89da7a28c9651fe9244e7763f60a88580330d

Download Submit
C:\Users\Admin\AppData\Local\Temp\78D8.exe

Filesize
202KB

MD5
ee108bdf90633df74b6ba9daf21114ab

SHA1
594cf0ef2d461f03ff50109bbead7e214d2622b8

SHA256
bdf96159dd4607365aef14e037b5276d29e63a3c7d6420bf8570ee5925f21a6b

SHA512
06b83a71563fb3b46c7aa8c6b1297f102035b330c10b21ceb16ca810e464677ea442d1608a191a80438ab1cafaeeee91825af5ceef99bc17e38712f06f4db2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
172KB

MD5
14c74c470616dc437e59a0a8bb4f57e6

SHA1
d74d0be8218e538c6399812aa60e38eaafe31cba

SHA256
69c4c2b5cd76b3cac6e988686faeeefd5e511b76aec9ebdc16ea9c81ae9ce2e9

SHA512
afa04c48eed9ae483b2e736fc61efd4ddde20d4cf5772180c8267d0f1e9129fa1a4fdb84922f1571922dd656ca96c60e549d61cea7cfa9bf2e1dc66841c0c9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
128KB

MD5
dce16d23bd896d5a128ecbe90404fef5

SHA1
af8ac04a7e78569cc6f34b3176513e0c31a5c0be

SHA256
00a9a8c99cfa1c0da6df6fbc2aa46fca2d2c81d341bd3dd257ff367ba2f388b2

SHA512
f194a02e6b72421faad925c58142e510dd0c80e8031a46f8ac9267a93d9acecf97cc8b54599376b4e1afe6050e0d3ce80e7afe9f7e47ce8abba89e750b1072f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
401KB

MD5
98882864938c594c21180954f6ec025a

SHA1
eb52cef059e146e2c2d2a16759f26daa7d857f34

SHA256
67e80ce976c5797f75a2178d5dcf0b30e2b74031433292581a8ade688186e99b

SHA512
2750568209ebc0acb3174c280b5a5c9f49fff11868fa5aaaaa20cf0b2b09f63622465b5d7067203875d102f90b9fad65bfb9579980f288ab144fdc732c7ac84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
71KB

MD5
afbb0a59f34d9f859bc9cfda06b311f5

SHA1
fef98ac181e8dcc4d482dd0a2e4caa9e65a79a0f

SHA256
45c03f369b0e63ee471117f75e424b5cb475eb8eedcdf3540c518e612a7e84bf

SHA512
2461c1b1a072f8d754c7f877a11d6d702a6b3499e5606ab670e8f1b5e068b6dee5d4abff64d2748054f784280c5ae593101ab019acaa06068c8f42178fa6026a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
157KB

MD5
95d330a9484d49e8ee461f91b98cea63

SHA1
5503a0a7deda966a2e1af7dac5a084dc8fda3320

SHA256
86f705a01a582d8762c705807277d1d1bd09edac2a88ec5288c03e1fee110e52

SHA512
5c5916d7577a99c1a2026add04395a649b050b63a2a209f1012008d1f9d89341c0f3c70e38144fd29c9127bcbd96c998882c89066d0a6fe4a1a2dce5cbfc3124

Download Submit
C:\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
39KB

MD5
fb3254927970f32066abba87be884000

SHA1
0168cad1de8cd75c8aa70002ef50571ef67acacb

SHA256
1c4393e71aa31d8fc17acf6f8dec3b7ae6fa8928454759553837c72d01ad511c

SHA512
406be60f94ddb11dbb217097cec5d4ccc140198699b29d9d247b14cc45b64325825157ac569dcd757cc1e6322b56ae9a4cc5d3c45b8c80c7ed90e16ed1d3eff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2A9B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B59.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
136KB

MD5
b1574073149ec6427f5d213e44ce0e89

SHA1
c5e46f5a4c35dd77c6806685c39be59b4e1b384b

SHA256
a20c339cd5794a98c1a946fb1c02c5735f411b7fbc1f79dda5b3bd1d44cdaa18

SHA512
296544e82bdd8e7617ded5c41ce3f2d3c26308910f2d4083e9f4bba84fd0e4769ac9e2d3fb1d6d6a08f59d5100648301b487e6256c2f103db799486100faf8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
187KB

MD5
3c0de0cfa49806f1f6a1c52c3061ecf1

SHA1
f545c3fc7eaa0ce14aa2119849250db1698ec793

SHA256
882cc8ba153ee9853b2ff83fb16a7bf6916be9befed179652d998766c22853dd

SHA512
cc694db2f070ba560fa242975cd4d5a92197a135c3c55038d20ea916dd7877c1403f5315aa5f5674d1bd1355745c831c944feba7a6322fe806ea437328ce1a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
1.3MB

MD5
763c6465ffb504096c76f8cf1102f3aa

SHA1
5665bd3c6a0bc83f4aac795ae1ce71b112aa84fb

SHA256
8d8c2baec6cb7251e0aa16babbe2bca4d666194d8cdda07ec0b7bd5ec20ce354

SHA512
7fc786337a4d3bb3e1c4221ec265d1a0e6122127844e8772c2ef269ac4fa00acb456807338eeff98bfed9bc4b8ab09491ffefc28724fdb50805e11f0142edc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
2.1MB

MD5
f8b98e90b8fea9474ea285ffa5da7d74

SHA1
60df6869c93343303056bcb21cea98da8133842d

SHA256
a63b2751f5531cffcccc503f469893967c8a84fd82cd85040c35d2237cd7ab36

SHA512
3853ba6d749b6e61b110da080a5fc6dcd865bd7526f540a5f2a3d198e3c8e4be194dedc8a866f5951b9a11b6b11c0a1a8d54a612c58ea41a4c07b8153d44b729

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
1.7MB

MD5
1cc93c4375dd275e828b499f38d019fb

SHA1
44a4f93ceb7ee62f0f2482664b3e07dfa9d3c946

SHA256
c857f60aee41a09fa6156be2a682fa153508e2f162110af098c0d89347cdb025

SHA512
507f1543b860f970f92bc8eb5b10066a06a99965b47132013ffb7554fe242f43786c6508134de25a6bc4b0f07a0b1db4886e70b13c2b9fa3fd53c653630b389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
1009KB

MD5
a0d0e4a177967fc4fe5741b0feb7fb77

SHA1
4eea5bb9f8010cd3c678196271c4ad7b9c36d61b

SHA256
075dc6bc940dc6ad63c865ce8472bd8fe734d631686430a4434565008aaa7b37

SHA512
f5645a57afe76c649aec934719a80e865a0975b069c37da0f944d91e22305b3c78d184f224741761abf074bb738e732b4f2a8441b69291a2584eef39f37fe8c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
150KB

MD5
599fa52f87e65330120846e1d2e08966

SHA1
d22e618dec4c967a5db2889c9c20e3124376db10

SHA256
2cb209191b38acc326be716274f5c344303fac2e633dc7c00df9325b8c7f9d39

SHA512
43f9400ff38ea84dfdd8ce6002ced345fd5171f76fdce7cb448ef0a21c38d2e52e770293ecbe5a8638e828aa69d7502eabbf5a449d30555523c190151d1cc936

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
715KB

MD5
8dc1f88ae1fcedeb3983c5f5c3d486b0

SHA1
d40e67ba5558d90cb11eeca04d213322159336fc

SHA256
4a15d91920a4da9a64935248c126fb60e8302198df8e5759da8129ac1841beca

SHA512
0b2263fe049e280af1178fd396a06a04e6b99f7c971839207ae225161257ed9d9b7eaa8d0ceb1f14d3aa2094b53ce91dd045ebc169102e707ea7285f91432ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
238KB

MD5
8c20d9745afb54a1b59131314c15d61c

SHA1
1975f997e2db1e487c1caf570263a6a3ba135958

SHA256
a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

SHA512
580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
143KB

MD5
e6afdddd5151f05c46cbe40ddf54028b

SHA1
3d60ffdb4d26d318ccffe8d854f0c2e2d81b4761

SHA256
eb0258a9665f7b9f874f2ebe749a093753864a4b228d30544dbc528bcecc7624

SHA512
6287cb49675165cfc47a192881736ef9084f991203c9659d8a15460cfe7eb776a0d7240c810945d1bade191a4b8ac30f27d7295b65916d0bcb60718348639f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1s8.0.exe

Filesize
320KB

MD5
7c0b88535c506fc8bec1510f08f3329c

SHA1
026965f027f53725e0e93d069a7143d12badd35c

SHA256
7f2b4169d20bb191467b02abcae4dbc05e80bb5a20aece8e3d04aac7f05b0382

SHA512
3e5d80f017b99e556a2ce8ac1849ac52e5e1ec38812d015e1dd8e4c276c45e3b5462ca0961d3c806113266b130b350fc993f6734a07a093a5a50bccc7c5f160b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1s8.1.exe

Filesize
82KB

MD5
d960954ec7facb297c73996139c650a5

SHA1
446ad6574e506940b20dfc909a96bb3694c8837c

SHA256
faf5b4646dd2b88ffcf5208ccd58e6e75caf1db82c6487d8863c3d7027ed4afb

SHA512
85476cca06569986664a4f089274cc1ba35a665fc61fc84ec227b5416142866d293430bea468e0dad6eaf8b146b6f2e6c616dd32ab6dcd6983dd09b900c8af09

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1s8.1.exe

Filesize
161KB

MD5
0c95c638937cf3914066e80a7ad1a89d

SHA1
3e6c7579dce87c90306a9efac466e531e5142258

SHA256
863687bbec26faf86b0082b19f83ecf0d7364b0efe9ebcae783ece8ed3d5d4fa

SHA512
4a52215e98a2e7a97e2b960d179e74bc1d70fc979122a4453f1d1c005d47bdaa2f7c8ba96d75720fb8e27b380d3a5d1237d5a82bd9b3b7b1f8d01b38d783d439

Download Submit
C:\Users\Admin\AppData\Local\e363a746-1d06-4d00-a750-973c42805e5c\9A4D.exe

Filesize
192KB

MD5
fe8a21b7d7e9efb4ab0939a32718bc5a

SHA1
0cae9b8cb846c60d4c2997593e6d8b4d2391487d

SHA256
5c107309884f19fe336b7fa6550b0a3d8846fe85ac42987b76c3eb3c97425c80

SHA512
da7f7bc8a66c9b50f07be9ba2267da33e1fe8ef18cefc8e9b03f33b56df4038d522537a3113dbe764e545283b12c9d6c425102a5d9801f5c66cd7500699ef0f6

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe

Filesize
147KB

MD5
68fed58cf0a6c59b82f3506e9b9633e8

SHA1
8ef1f91e5d0b2e81ec7d38f68c6dbb7797dd7256

SHA256
0b9577b3c00d87b684bbabc01e2446e593bdd2543a0a1008b868f89f3b4baa04

SHA512
43b1315b67cea7e8d06fe599d93d71a2f239c170d093418937c6e1dc465f3eb54ec6ea00207e0c3ffea5585367fbef9ebfbb72919bbeb8a4093c43db915858eb

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1KB

MD5
be35f9eeb45308cf54f8a9448acb6de7

SHA1
e8096e6db97b063ad4c4fa5122ae22e61085cb7a

SHA256
94474e1e84009fe5f3ef14d61c478e05fdcf27a70ed652e8fb97d16102e5d78c

SHA512
0b729f0f70c100462a3d5d1df20f2727ab25b2c0807b3b9b6a50fd0e49378f70da200450148f7d329a1ce08f78cd45ac7c64ec673077fbf8636fb9af752656df

Download Submit
\ProgramData\mozglue.dll

Filesize
72KB

MD5
5d11d04f8d7f47a35309e4f3e9a6dda2

SHA1
b3c66b71ac9b4e706132706950b61b5355ee9aad

SHA256
788d164d30efe7eeae163e3a83453011c56253c25c45c8dcd684f298d7cb5556

SHA512
090a136b9685b4793a450a2647a6a32c61ac00629f0c1a4f6ededca4b2619b41500412a567b88cf4a909a5872a8dd23f62ba7220a082269207a690e047e9f41e

Download Submit
\ProgramData\nss3.dll

Filesize
77KB

MD5
ef69faa6d08e2f139db58c69de95b43f

SHA1
bbe5a40456acc24ea88e22a02d8b19ea8a9d845a

SHA256
82059fe1a71f310a99a32586b8f8c252c1de4fe1d396a87392189db98a1fd6e1

SHA512
d875a367e9ba1528cbd6d6de5e15b1be0c0306121b083da6474f6fc13d99498cf361ab1f7b4ccc2481c0c9a8692e0b9bf6e4b7d8d47c62415f5ad2a2461596e0

Download Submit
\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe

Filesize
135KB

MD5
59d2775d967e20b9278ceac0cf7423fc

SHA1
f0e96ceb6f643b9fee896412b9094cdfcf66a238

SHA256
d66edfb2ffb423cfb8f09735e76900516a5108cbaee4fb013311a7551ed92cae

SHA512
f92a5b6189676f1090946a92510141087cb1d4ec9310f96eb37c25934dd85d41937db5c31497977801228a45cc3225b42da6f1684e9713e9a06602442488a8ec

Download Submit
\Users\Admin\AppData\Local\21a701e8-2041-4bd1-b10d-c53c5829f17c\build2.exe

Filesize
187KB

MD5
6292675059a55367969ce812fdceff06

SHA1
ab802a2cbe0fe26a8fd0bdfaaf336fd89334b190

SHA256
e6c797997f6819d3d31fb6f273f634c0f9c8d81e6cbe87b4ef074a868bb059aa

SHA512
518155f9ca2ce827d1a262903f992c8ffee1f3382ac2c2d972ed0f2bbaeb25c79a77ee016fa263bb20508400fd931bfa06584a5349a1678fc0a829d3f2dd375e

Download Submit
\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
380KB

MD5
63e2c771eae3ace454683aea5f74a37d

SHA1
724a83202fd6223256fa3bb12626fc5ff9b6ae21

SHA256
2a5414ff3f920c6f0b6a28fb8175351bcca24bcc91be0ae6d197290895d2f1a0

SHA512
2d91a3767a9d4132692b1cd9db759e98142bc5bc6a272e1b25106bfad4dde9ad491c3e3843f5536fc33018bb74eb5d715ee3c97db3fe91ba525cc185f45ccb4a

Download Submit
\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
149KB

MD5
ede9ab9f4bc2264e879eae9cdfb11c9d

SHA1
925fa4141187eacacf6aef9a3be1c6c7323ab5c1

SHA256
0d22fff36086a22a0727dd6c9e5b0f9c738cbda970cf187a54e79c9fb6626e5a

SHA512
c56897b1b7a0541addb3552bb7b61cb7c4fdcb89d89592a1901132f7b96f360c6ffb347bc20816ea3232202b4e0742eec4e67cb22d161d7edcace6cd279da18d

Download Submit
\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
95KB

MD5
00b1c78fc49c03644d12bf3b56fd3f92

SHA1
c39faba9a633484150c8d2c5e839bb433fc20fb1

SHA256
b00168a109159612d033bb2cdfc6f0ed7a83449fc2e98dc57c1197002f4a7ed6

SHA512
1eda87da7ac0d9bcb019c93bfc5c1196c1dfb940d8589f2b0470e6aa21f5ab4c7793f73cb8b9b23cf78f22099218d2958a039dea783dbaed740ab03e05c25f8f

Download Submit
\Users\Admin\AppData\Local\Temp\9A4D.exe

Filesize
71KB

MD5
f1096fd68ab5be443cac00197512cc6d

SHA1
dcbc1166f4b3f0c2977a3d4e73cd67c929fec338

SHA256
7af00cc0a448cecda29630081fa24b57aee775f0a59e136c65e330113054c354

SHA512
d006dd7bd8c900f3359e3d263efc05c1105cb2b13caee691e6b29fb60d17cecebbc0a3b0578856469ef32d1b6b84ef6992baa00d888c7cdf5076af0b68d66720

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

Filesize
419KB

MD5
654abe1db0f972272b5b012914d9e5d6

SHA1
1ac7b42167369dcfa528837f13a2c80de7bcc161

SHA256
5f2bdf7f83ab075f7dafaf7493cbf4ab08d2e79b95cd3382621acfe73ba96094

SHA512
18823ab8a9a160ac169052ec210e6adb356190dc0644c8b5fd6f5ccbc8de2666c5e9d44ef90c954d5b6e948c81ef2666900c0fe40b7d5e4b644a39e8b93c1a12

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
125KB

MD5
1dc33d6661152ed97ec94c5689283071

SHA1
6923ed1538179afa6f44d7da934d7ff40e77c219

SHA256
f81c9d984e7ea026709a2df9773246345fbfb7022bfe5c38f190add96e63d253

SHA512
f61e4bf41461fdac450c4d5c6ef4fcd50a62ac01bcf28b6d7450681b4f918b0ed66bf435a24412da4d6e488d7538e4a623641077ac7817517ba8cafdfe29c6eb

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
331KB

MD5
245580f7f5a27d24148f80c75e72f07e

SHA1
b93d98721034aab7020c4c75fbe127e192676351

SHA256
684e2037e245208a1e2ae434844a829ffa134910f101c3ca7c0e09fb041410ce

SHA512
63ec397b809478454cd12069d043b0c26ce9013cde02e210e2d0cbe504d3d81803ed492f8eed6b20a8f3bf9dc18a02edcab2e9f3b1a5cafa87dd22e3c24e76a0

Download Submit
\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
1.7MB

MD5
de78fad33563f1ab364b19ed1d696695

SHA1
4d304e703f6143793297c9e02a95a2334f7d4853

SHA256
1642bb4a0c8c687856f7a2a2009defbce7f95fe78db8593d9402a9e8aadbd285

SHA512
141ace22c067864229c8cacba179f826d67a4ca40d8df18589f614ea83b4c924d60640fc3880e10e8ce9723598b07eef4cc0bc260201eeddfada340cd1cb3221

Download Submit
\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
2.4MB

MD5
9377be5d112ee71b6d58117dec934390

SHA1
4bbcb259e68959a6eafe6043cc3947c2a42991cf

SHA256
01c6b6d01a028779a7fcda15841e1c251c32365bd8f186e02cf6e8f358400d57

SHA512
90400a1d6d77e637751044b380341b5609e6f63d739d48c597343164e01ed1dcd17a8c93f3f4945ebc5c9544028e40c23f966f2989ffcfb063b178fbea64eff6

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
157KB

MD5
cd1b17ee0a4542795f58535a8e006230

SHA1
c5e413c3f00241fc9689fb21c56d531e302224be

SHA256
eab17cef64705b883d32587e0d29e6e982d5dbce55f695207da55480c1395be6

SHA512
e823fcb3d812fa12d424a0f8d340da5b64a08a240a7330513c7a6a0d30f037f79d0bec1acb68a1a3e717cec0440d8abf788afb7b7db033e604fc84a4b2c5c41c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
204KB

MD5
ad8807768b247102878098fb1f5bfab2

SHA1
095316ba4271438b334970374f514779ed0f90ba

SHA256
536d2688049419af7ed4d8fd8c987e24a8b1855cf9295873b3e4a6a2434750fa

SHA512
25cc0d6e4bbb9fc862666dbf21d428d252cf1885a86a1e9313de1f625a12733b3921d34ebbe1489bc60b84e35fd1a6d3bf1cf7245b33eae252d96bc92c4f7baf

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
64KB

MD5
03e03703fe5fc79e7f1d5e44e3c27b1e

SHA1
8f25ba10b5e479ae63c4c3867475502e1a6499fa

SHA256
504111bf8fb1386663a5f92bab46dc7b1171fb9c9a8b8cd100945a6c6bde311e

SHA512
1926c83c1f301800c289b16458ae30bc0927b231a5b11b12663d8a608c5ded27d8d73987ec6af46011e2f2b4e7e4c65fa7cfd50e5370d00e47784982874b88fa

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
129KB

MD5
fb3597f1026b4c0d0d785480800d9165

SHA1
213a5c2d56e28f34caed4ed04c397349bed21714

SHA256
be4a3d54642018303aee0fdc9f2a13da1c9850e8a34eda88e22511d736f9ed1f

SHA512
5a3a65a1771995c1e96f3d4c05e0c787949fdbaec3698286aaf28c66cf8eac2f703f317aa3403291bf2aa46d4c5b39ad7885a292c098cfc665fea1809b5648bf

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
136KB

MD5
0aee413a9a03650cc0e710d783c2cd67

SHA1
196854c914a57e028ea75f569881b4dce10f0c7a

SHA256
1de8416c4dbe020046618970f8151ea385d1023eaf0f01ed4050b6c1994d5b48

SHA512
9478b826acea0dacfa39b8578c7c276a2ba873e7d657b7ec37ce3f8b25195356f064ef229223ad6aefb51317707d9dd370bf2f61b0e64d2a577baeaefeb3145a

Download Submit
\Users\Admin\AppData\Local\Temp\u1s8.0.exe

Filesize
213KB

MD5
92360b43bae5d3ee178de5689975a601

SHA1
4694f39c836a3bc1c7d3cc4982edfb0e3a5cc00f

SHA256
3a6582a04dbd6b97bb935ab3f5a680eb4f19d315b70851ab99357e9b29f2f8f4

SHA512
c8cf91fa56caa5ef222c5de85334cdb5bd27d1efe2b689fd35a9202967c21a344d325efd2c22fb0b1b414419eee499f34121afba2972f7f8805c86b379abe404

Download Submit
\Users\Admin\AppData\Local\Temp\u1s8.1.exe

Filesize
168KB

MD5
aa706c42a2fe0f9de11191c800d5b8dc

SHA1
99d4b9cc8ef028aa397bcddcd61dc060932331b9

SHA256
d1d3c08663a321398fbee52fae7914805abfab0a2a1830f1aaef890eb9c44543

SHA512
24c293a61da9bfe6bbff6c1d8d28fe4068a45cc290e07a27bf6ae91b3d4da5180df6c2fb647e03f732027e3fe650b5177a94caa770b0252274d9d8bb89be5145

Download Submit
\Users\Admin\AppData\Local\Temp\u1s8.1.exe

Filesize
216KB

MD5
b82ffc4a446b8f96e6904b3eab388db5

SHA1
4fd2bba5b67c6f612195a4c8cc94c345951f3803

SHA256
1b828f3a5f6bf5e7485a28007116115994e81d16f1c10303493b76a3830642e7

SHA512
c9f11d85fc59292a665df64c6dedbf93b58ccd44d3a248d0f6a46918222804f0a863e82cfeffa3e1b1e1ce97243e4f6b1c8fd023cb36cef8d82259da52382874

Download Submit
\Users\Admin\AppData\Local\Temp\u1s8.1.exe

Filesize
61KB

MD5
dec1015ee3e0d160624f0c0e303ef180

SHA1
1d36cb1913e7145de642b36a6aba2784bfb736df

SHA256
320b8474b55bec40f99401af09a3ad55c8974e0a287fa39782f31da2e62e4ba8

SHA512
a85b97686782e7f28da84043a7210490bc1f0708ce2f9f87a16cf88ed9406083639f0af43a2ab76d09f27ef92a67ae7dbbe68feabb19682d1003d429fc16813c

Download Submit
\Users\Admin\AppData\Local\Temp\u1s8.1.exe

Filesize
96KB

MD5
8de0c63aa8506f394e71c3b7e17b7852

SHA1
c021effef1664b20f670a2db4e6159a0b201c265

SHA256
0572eabe203182341e20333a19fedfa324f8f096271f14b7df3cd5104256ef13

SHA512
bdf95dc3886ad72ccd1941ff2ffac15a7a9bd236bc12e036843b15314b733e96e6f65f9ee7bbc609376e308dee546134bed7d9f20e9b501df24421079392e24b

Download Submit
\Windows\rss\csrss.exe

Filesize
212KB

MD5
31711a3e10b045bb416ff91cff80ac51

SHA1
3f58a8aca1acf2d2cdf1bcbd3695de443ea7df97

SHA256
4ae3eef8cf637d6fb228484c710a4df8c1011f6d9d9a12c5b9b6193a29e99e08

SHA512
ecc50c7e4f344918403b67110bd9a8ed599500517c44160287092b93e13e3dbbdaf0d85213ce9910e41e83cf539c4e5c8d0d22ac142c224d772c2f4931e3a851

Download Submit
\Windows\rss\csrss.exe

Filesize
283KB

MD5
f1c10afd83c85e11224e0f5401d99650

SHA1
caa0cc6af0e1703264245d527f3bdffd61399e0f

SHA256
20f8f686e0ba5e6ffccfcdf4ea9741e87328c5ff4c7667aec1f0b3998aeb8297

SHA512
dce2745df48cda831e83352739d8eb04aec595c2432ee3d3b4b68396337fe121e517cd83f4f8e2faf68d62dca8617d4efc318436e355110a984b825714723edd

Download Submit
memory/268-497-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/268-498-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/288-392-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/288-391-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/288-401-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/352-89-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/352-398-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/352-100-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/352-360-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/352-196-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/352-371-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/352-92-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/352-399-0x00000000007D0000-0x00000000008D0000-memory.dmp

Filesize
1024KB

Download
memory/352-380-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/696-643-0x0000000000290000-0x0000000000390000-memory.dmp

Filesize
1024KB

Download
memory/696-644-0x00000000001B0000-0x00000000001B4000-memory.dmp

Filesize
16KB

Download
memory/904-793-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/904-791-0x00000000000E0000-0x0000000000736000-memory.dmp

Filesize
6.3MB

Download
memory/904-792-0x0000000072060000-0x000000007274E000-memory.dmp

Filesize
6.9MB

Download
memory/904-794-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/992-381-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/992-412-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/992-347-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1044-255-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1044-45-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1044-43-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1044-44-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1092-755-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1092-722-0x0000000000980000-0x00000000014DB000-memory.dmp

Filesize
11.4MB

Download
memory/1140-400-0x0000000003D10000-0x0000000003D26000-memory.dmp

Filesize
88KB

Download
memory/1140-253-0x0000000002D30000-0x0000000002D46000-memory.dmp

Filesize
88KB

Download
memory/1356-192-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1356-191-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1820-649-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2312-41-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2312-28-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2312-181-0x0000000000320000-0x0000000000387000-memory.dmp

Filesize
412KB

Download
memory/2312-27-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2312-174-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2312-342-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2312-301-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2400-70-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2400-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2400-68-0x0000000002790000-0x0000000002B88000-memory.dmp

Filesize
4.0MB

Download
memory/2400-69-0x0000000002B90000-0x000000000347B000-memory.dmp

Filesize
8.9MB

Download
memory/2400-48-0x0000000002790000-0x0000000002B88000-memory.dmp

Filesize
4.0MB

Download
memory/2516-37-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-1-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-0-0x0000000000340000-0x00000000008D0000-memory.dmp

Filesize
5.6MB

Download
memory/2520-459-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2520-683-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2520-478-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2520-460-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2520-482-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2520-480-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2520-481-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2520-474-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2520-473-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2648-390-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-369-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-449-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-139-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/2648-168-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/2648-170-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-382-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2648-370-0x00000000026D0000-0x0000000002AC8000-memory.dmp

Filesize
4.0MB

Download
memory/2652-770-0x0000000000C60000-0x0000000001680000-memory.dmp

Filesize
10.1MB

Download
memory/2652-769-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/2652-760-0x0000000000C60000-0x0000000001680000-memory.dmp

Filesize
10.1MB

Download
memory/2652-762-0x0000000077C50000-0x0000000077C51000-memory.dmp

Filesize
4KB

Download
memory/2652-761-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2680-348-0x0000000003890000-0x00000000039BC000-memory.dmp

Filesize
1.2MB

Download
memory/2680-307-0x0000000002BE0000-0x0000000002CEA000-memory.dmp

Filesize
1.0MB

Download
memory/2680-308-0x0000000003890000-0x00000000039BC000-memory.dmp

Filesize
1.2MB

Download
memory/2680-25-0x00000000FF2E0000-0x00000000FF397000-memory.dmp

Filesize
732KB

Download
memory/2712-418-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2712-415-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2712-445-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2712-423-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2712-422-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2740-39-0x0000000002960000-0x000000000324B000-memory.dmp

Filesize
8.9MB

Download
memory/2740-40-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2740-47-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2740-49-0x0000000002960000-0x000000000324B000-memory.dmp

Filesize
8.9MB

Download
memory/2740-18-0x0000000002560000-0x0000000002958000-memory.dmp

Filesize
4.0MB

Download
memory/2740-38-0x0000000002560000-0x0000000002958000-memory.dmp

Filesize
4.0MB

Download
memory/2784-503-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2784-689-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2784-496-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-500-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/2788-410-0x0000000001C70000-0x0000000001D01000-memory.dmp

Filesize
580KB

Download
memory/2788-648-0x0000000001D90000-0x0000000001EAB000-memory.dmp

Filesize
1.1MB

Download
memory/2788-419-0x0000000001D90000-0x0000000001EAB000-memory.dmp

Filesize
1.1MB

Download
memory/2788-417-0x0000000001C70000-0x0000000001D01000-memory.dmp

Filesize
580KB

Download
memory/2840-451-0x0000000000330000-0x00000000003C1000-memory.dmp

Filesize
580KB

Download
memory/2840-447-0x0000000000330000-0x00000000003C1000-memory.dmp

Filesize
580KB

Download
memory/2980-680-0x0000000000A02000-0x0000000000A12000-memory.dmp

Filesize
64KB

Download