Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted: 07-02-2024 21:38

Static task: static1

Behavioral task: behavioral1
Sample: d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
Resource: win10v2004-20231215-en

General
Target: d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
Size: 6.3MB
MD5: c67cb967230036816fd0cbbfd96959c6
SHA1: d2fe988a302dce4bc0f34a1003a623f96a06b250
SHA256: d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76
SHA512: 2f51046e44bdfa470f676071c69da8c05d50d8f79e748748f25ac13ec53d346f1c3988148000fea3ece38623fd629d1b3dcc943006e80b7bee95da7f1f42920c
SSDEEP: 196608:GHqO3grg0lAc4G+JCJjsP8BXkf/hmzJzFYngA13jvHKvj4:GHzCOc4G+oB0BmdFY31zq
Malware Config

Extracted: smokeloader
pub1

Extracted: smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php

Extracted: djvu
http://habrafa.com/test1/get.php
extension: .ldhy
offline_id: pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
payload_url:
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
ransomnote:
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0849ASdw
Extracted: vidar
7.7
655507914130aa0fe72362726c206a7c
https://t.me/newagev
https://steamcommunity.com/profiles/76561199631487327
profile_id_v2: 655507914130aa0fe72362726c206a7c
Signatures

DcRat 7 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes: netsh.exe, d21cbe21e38b385a41a68c5e6dd32f4c.exe, schtasks.exe, csrss.exe, schtasks.exe, schtasks.exe, schtasks.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
pid | Process
1520 | netsh.exe
1884 | schtasks.exe
284 | schtasks.exe
760 | schtasks.exe
2096 | schtasks.exe
Detect Vidar Stealer 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1644-538-0x00000000002E0000-0x0000000000311000-memory.dmp | family_vidar_v7
behavioral1/memory/1224-541-0x0000000000400000-0x0000000000644000-memory.dmp | family_vidar_v7
Detected Djvu ransomware 8 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1588-344-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/2504-348-0x0000000001EE0000-0x0000000001FFB000-memory.dmp | family_djvu
behavioral1/memory/1588-350-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1588-349-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1588-402-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/980-495-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu
behavioral1/memory/1644-537-0x0000000000510000-0x0000000000610000-memory.dmp | family_djvu
behavioral1/memory/980-603-0x0000000000400000-0x0000000000537000-memory.dmp | family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
Glupteba payload 12 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2384-42-0x0000000002AB0000-0x000000000339B000-memory.dmp | family_glupteba
behavioral1/memory/2384-45-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/320-71-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/320-80-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2924-238-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2924-257-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2924-289-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2924-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2924-303-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2924-306-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2924-310-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
behavioral1/memory/2924-313-0x0000000000400000-0x0000000000D1C000-memory.dmp | family_glupteba
SmokeLoader
Modular backdoor trojan in use since 2014.

Processes: d21cbe21e38b385a41a68c5e6dd32f4c.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Detect binaries embedding considerable number of MFA browser extension IDs. 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1996-236-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/1996-237-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/1996-239-0x0000000000740000-0x0000000000840000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/1996-245-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1996-236-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/1996-237-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/1996-239-0x0000000000740000-0x0000000000840000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/1996-245-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Detects Windows executables referencing non-Windows User-Agents 11 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2384-45-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/320-71-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/320-80-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2924-238-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2924-257-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2924-289-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2924-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2924-303-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2924-306-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2924-310-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2924-313-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1996-236-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1996-237-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/1996-245-0x0000000000400000-0x0000000000647000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1224-541-0x0000000000400000-0x0000000000644000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
Detects executables containing a Discord URL observed in first stage droppers 11 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2384-45-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/320-71-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/320-80-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2924-238-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2924-257-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2924-289-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2924-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2924-303-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2924-306-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2924-310-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2924-313-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_DiscordURL
Detects executables containing URLs to raw contents of a Github gist 11 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2384-45-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/320-71-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/320-80-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2924-238-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2924-257-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2924-289-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2924-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2924-303-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2924-306-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2924-310-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2924-313-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Detects executables containing artifacts associated with disabling Windows Defender 11 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2384-45-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/320-71-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/320-80-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2924-238-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2924-257-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2924-289-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2924-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2924-303-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2924-306-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2924-310-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2924-313-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_DisableWinDefender
Detects executables referencing many varying, potentially fake Windows User-Agents 11 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2384-45-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/320-71-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/320-80-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2924-238-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2924-257-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2924-289-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2924-299-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2924-303-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2924-306-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2924-310-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2924-313-0x0000000000400000-0x0000000000D1C000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
Modifies boot configuration data using bcdedit 1 TTPs 14 IoCs
Processes: bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe, bcdedit.exe
pid | Process
2664 | bcdedit.exe
1260 | bcdedit.exe
2320 | bcdedit.exe
1196 | bcdedit.exe
1112 | bcdedit.exe
292 | bcdedit.exe
1668 | bcdedit.exe
1072 | bcdedit.exe
1056 | bcdedit.exe
2676 | bcdedit.exe
608 | bcdedit.exe
1656 | bcdedit.exe
672 | bcdedit.exe
1968 | bcdedit.exe
UPX dump on OEP (original entry point) 7 IoCs
Processes:
resource | yara_rule
behavioral1/files/0x0008000000018ba1-292.dat | UPX
behavioral1/files/0x0008000000018ba1-295.dat | UPX
behavioral1/files/0x0008000000018ba1-296.dat | UPX
behavioral1/memory/2060-298-0x0000000000400000-0x00000000008DF000-memory.dmp | UPX
behavioral1/memory/2744-297-0x0000000000400000-0x00000000008DF000-memory.dmp | UPX
behavioral1/memory/2744-302-0x0000000000400000-0x00000000008DF000-memory.dmp | UPX
behavioral1/memory/2744-309-0x0000000000400000-0x00000000008DF000-memory.dmp | UPX
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs
Processes: csrss.exe
description | ioc | Process
File created | C:\Windows\system32\drivers\Winmon.sys | csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: netsh.exe
pid | Process
1520 | netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
Executes dropped EXE 21 IoCs
Processes: d21cbe21e38b385a41a68c5e6dd32f4c.exe, InstallSetup9.exe, toolspub1.exe, BroomSetup.exe, d21cbe21e38b385a41a68c5e6dd32f4c.exe, nsd2129.tmp, csrss.exe, patch.exe, injector.exe, dsefix.exe, windefender.exe, windefender.exe, 96B4.exe, AB4E.exe, AB4E.exe, AB4E.exe, AB4E.exe, build2.exe, build2.exe, build3.exe, build3.exe
pid | Process
2384 | d21cbe21e38b385a41a68c5e6dd32f4c.exe
2064 | InstallSetup9.exe
2620 | toolspub1.exe
2700 | BroomSetup.exe
320 | d21cbe21e38b385a41a68c5e6dd32f4c.exe
1996 | nsd2129.tmp
2924 | csrss.exe
1828 | patch.exe
2200 | injector.exe
1184 | dsefix.exe
2060 | windefender.exe
2744 | windefender.exe
2536 | 96B4.exe
2504 | AB4E.exe
1588 | AB4E.exe
1400 | AB4E.exe
980 | AB4E.exe
1644 | build2.exe
1224 | build2.exe
2788 | build3.exe
2100 | build3.exe
Loads dropped DLL 41 IoCs
Processes: d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe, InstallSetup9.exe, d21cbe21e38b385a41a68c5e6dd32f4c.exe, patch.exe, csrss.exe, nsd2129.tmp, AB4E.exe, AB4E.exe, AB4E.exe, AB4E.exe, WerFault.exe
pid | Process
2012 | d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
2012 | d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
2012 | d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
2012 | d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
2012 | d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
2064 | InstallSetup9.exe
2064 | InstallSetup9.exe
2064 | InstallSetup9.exe
2064 | InstallSetup9.exe
2064 | InstallSetup9.exe
320 | d21cbe21e38b385a41a68c5e6dd32f4c.exe
320 | d21cbe21e38b385a41a68c5e6dd32f4c.exe
856 |
1828 | patch.exe
1828 | patch.exe
1828 | patch.exe
1828 | patch.exe
1828 | patch.exe
2924 | csrss.exe
1996 | nsd2129.tmp
1996 | nsd2129.tmp
2064 | InstallSetup9.exe
1828 | patch.exe
1828 | patch.exe
1828 | patch.exe
2924 | csrss.exe
2504 | AB4E.exe
1588 | AB4E.exe
1588 | AB4E.exe
1400 | AB4E.exe
980 | AB4E.exe
980 | AB4E.exe
980 | AB4E.exe
980 | AB4E.exe
1352 | WerFault.exe
1352 | WerFault.exe
1352 | WerFault.exe
1352 | WerFault.exe
1352 | WerFault.exe
1352 | WerFault.exe
1352 | WerFault.exe
Modifies file permissions 1 TTPs 1 IoCs
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
behavioral1/files/0x0008000000018ba1-292.dat | upx
behavioral1/memory/2060-293-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/files/0x0008000000018ba1-295.dat | upx
behavioral1/files/0x0008000000018ba1-296.dat | upx
behavioral1/memory/2060-298-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/2744-297-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/2744-302-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
behavioral1/memory/2744-309-0x0000000000400000-0x00000000008DF000-memory.dmp | upx
Processes: d21cbe21e38b385a41a68c5e6dd32f4c.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 3 IoCs
Processes: d21cbe21e38b385a41a68c5e6dd32f4c.exe, csrss.exe, AB4E.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e7df7b80-7041-42cd-9769-eb172e892a0b\\AB4E.exe\" --AutoStart" | AB4E.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
41 | api.2ip.ua
43 | api.2ip.ua
57 | api.2ip.ua
Manipulates WinMon driver. 1 IoCs
Rootkits write to WinMon to hide PIDs from being detected.
Processes: csrss.exe
description | ioc | Process
File opened for modification | \??\WinMon | csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Rootkits write to WinMonFS to hide directories/files from being detected.
Processes: csrss.exe
description | ioc | Process
File opened for modification | \??\WinMonFS | csrss.exe
Suspicious use of SetThreadContext 4 IoCs
Processes: AB4E.exe, AB4E.exe, build2.exe, build3.exe
description | pid | Process | procid_target
PID 2504 set thread context of 1588 | 2504 | AB4E.exe | 97
PID 1400 set thread context of 980 | 1400 | AB4E.exe | 100
PID 1644 set thread context of 1224 | 1644 | build2.exe | 103
PID 2788 set thread context of 2100 | 2788 | build3.exe | 107
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes: d21cbe21e38b385a41a68c5e6dd32f4c.exe
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Drops file in Windows directory 5 IoCs
Processes: makecab.exe, csrss.exe, d21cbe21e38b385a41a68c5e6dd32f4c.exe
description | ioc | Process
File created | C:\Windows\Logs\CBS\CbsPersist_20240207213827.cab | makecab.exe
File created | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File opened for modification | C:\Windows\rss | d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created | C:\Windows\rss\csrss.exe | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | Process
2632 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | Process | procid_target
1352 | 1224 | WerFault.exe | 103
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 96B4.exe, toolspub1.exe
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 96B4.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 96B4.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | toolspub1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 96B4.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: nsd2129.tmp
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | nsd2129.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | nsd2129.tmp
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe, schtasks.exe
pid | Process
1884 | schtasks.exe
2096 | schtasks.exe
284 | schtasks.exe
760 | schtasks.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: d21cbe21e38b385a41a68c5e6dd32f4c.exe, windefender.exe, netsh.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" | windefender.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-422 = "Russian Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | windefender.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | netsh.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E.
Europe Standard Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" d21cbe21e38b385a41a68c5e6dd32f4c.exe -
Processes:
patch.exeAB4E.exeAB4E.execsrss.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f9521
32fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 AB4E.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 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 AB4E.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 
0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148
b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 AB4E.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C AB4E.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 
0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe
755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C AB4E.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (consecutive identical rows collapsed; Count is the number of times the row repeats in order):
pid   Process                                   Count
2620  toolspub1.exe                             2
2384  d21cbe21e38b385a41a68c5e6dd32f4c.exe      1
320   d21cbe21e38b385a41a68c5e6dd32f4c.exe      5
1996  nsd2129.tmp                               1
2200  injector.exe                              8
1996  nsd2129.tmp                               1
2200  injector.exe                              27
2924  csrss.exe                                 1
2200  injector.exe                              3
2924  csrss.exe                                 1
2200  injector.exe                              2
2924  csrss.exe                                 1
2200  injector.exe                              11
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid   Process
480   (process name not recorded in the report)
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid   Process
2620  toolspub1.exe
2536  96B4.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description                           pid   Process
Token: SeDebugPrivilege               2384  d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege         2384  d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeSystemEnvironmentPrivilege   2924  csrss.exe
Token: SeSecurityPrivilege            2632  sc.exe
Token: SeSecurityPrivilege            2632  sc.exe
Token: SeShutdownPrivilege            1404  (process name not recorded in the report)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid   Process
2700  BroomSetup.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (consecutive identical rows collapsed; Count is the number of times the row repeats in order):
description                      pid   Process                                                                    procid_target  Count
PID 2012 wrote to memory of 2384 2012  d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe      30             4
PID 2012 wrote to memory of 2064 2012  d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe      29             7
PID 2012 wrote to memory of 2620 2012  d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe      28             4
PID 2064 wrote to memory of 2700 2064  InstallSetup9.exe                                                          31             7
PID 2064 wrote to memory of 1996 2064  InstallSetup9.exe                                                          36             4
PID 320 wrote to memory of 1628  320   d21cbe21e38b385a41a68c5e6dd32f4c.exe                                       39             4
PID 1628 wrote to memory of 1520 1628  cmd.exe                                                                    40             3
PID 320 wrote to memory of 2924  320   d21cbe21e38b385a41a68c5e6dd32f4c.exe                                       42             4
PID 2700 wrote to memory of 1656 2700  BroomSetup.exe                                                             80             4
PID 1656 wrote to memory of 2104 1656  bcdedit.exe                                                                45             4
PID 1656 wrote to memory of 2096 1656  bcdedit.exe                                                                81             4
PID 2924 wrote to memory of 2200 2924  csrss.exe                                                                  54             4
PID 1828 wrote to memory of 1968 1828  patch.exe                                                                  84             3
PID 1828 wrote to memory of 2664 1828  patch.exe                                                                  56             3
PID 1828 wrote to memory of 672  1828  patch.exe                                                                  82             3
PID 1828 wrote to memory of 1656 1828  patch.exe                                                                  80             2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; indentation shows the parent/child depth, each entry lists the image path, the command line, the behaviours observed, and the PID)

C:\Users\Admin\AppData\Local\Temp\d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2682ee0fe9e5bf429b7bea89d32cf417c3b684429dbff5e060b07e7335aaa76.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2012

    C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 2620

    C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2064

        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 2700

            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
              PID: 1656

        C:\Users\Admin\AppData\Local\Temp\nsd2129.tmp
          Command line: C:\Users\Admin\AppData\Local\Temp\nsd2129.tmp
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          PID: 1996

    C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2384

        C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
          - DcRat
          - Windows security bypass
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Adds Run key to start application
          - Checks for VirtualBox DLLs, possible anti-VM trick
          - Drops file in Windows directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 320

            C:\Windows\system32\cmd.exe
              Command line: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
              - Suspicious use of WriteProcessMemory
              PID: 1628

                C:\Windows\system32\netsh.exe
                  Command line: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
                  - DcRat
                  - Modifies Windows Firewall
                  - Modifies data under HKEY_USERS
                  PID: 1520

            C:\Windows\rss\csrss.exe
              Command line: C:\Windows\rss\csrss.exe
              - DcRat
              - Drops file in Drivers directory
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - Manipulates WinMon driver.
              - Manipulates WinMonFS driver.
              - Drops file in Windows directory
              - Modifies system certificate store
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 2924

                C:\Windows\system32\schtasks.exe
                  Command line: schtasks /delete /tn ScheduledUpdate /f
                  PID: 1936

                C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Modifies system certificate store
                  - Suspicious use of WriteProcessMemory
                  PID: 1828

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
                      - Modifies boot configuration data using bcdedit
                      PID: 2664

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
                      - Modifies boot configuration data using bcdedit
                      PID: 1260

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
                      - Modifies boot configuration data using bcdedit
                      PID: 2320

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -timeout 0
                      - Modifies boot configuration data using bcdedit
                      PID: 1112

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
                      - Modifies boot configuration data using bcdedit
                      PID: 292

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
                      - Modifies boot configuration data using bcdedit
                      PID: 1668

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
                      - Modifies boot configuration data using bcdedit
                      PID: 1072

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
                      - Modifies boot configuration data using bcdedit
                      PID: 1056

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
                      - Modifies boot configuration data using bcdedit
                      PID: 2676

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
                      - Modifies boot configuration data using bcdedit
                      PID: 608

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
                      - Modifies boot configuration data using bcdedit
                      - Suspicious use of WriteProcessMemory
                      PID: 1656

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
                      - Modifies boot configuration data using bcdedit
                      PID: 672

                    C:\Windows\system32\bcdedit.exe
                      Command line: C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
                      - Modifies boot configuration data using bcdedit
                      PID: 1968

                C:\Windows\system32\schtasks.exe
                  Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  - DcRat
                  - Creates scheduled task(s)
                  PID: 284

                C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  PID: 2200

                C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                  Command line: C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
                  - Executes dropped EXE
                  PID: 1184

                C:\Windows\system32\bcdedit.exe
                  Command line: C:\Windows\Sysnative\bcdedit.exe /v
                  - Modifies boot configuration data using bcdedit
                  PID: 1196

                C:\Windows\system32\schtasks.exe
                  Command line: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
                  - DcRat
                  - Creates scheduled task(s)
                  PID: 760

                C:\Windows\windefender.exe
                  Command line: "C:\Windows\windefender.exe"
                  - Executes dropped EXE
                  PID: 2060

C:\Windows\system32\makecab.exe
  Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240207213827.log C:\Windows\Logs\CBS\CbsPersist_20240207213827.cab
  - Drops file in Windows directory
  PID: 1912

C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
  - DcRat
  - Creates scheduled task(s)
  PID: 2096

C:\Windows\SysWOW64\chcp.com
  Command line: chcp 1251
  PID: 2104

C:\Windows\system32\conhost.exe
  Command line: \??\C:\Windows\system32\conhost.exe "-1091656747-129088512-1020560859-20491829131440274221-539001101-12600292401612220339"
  PID: 2096

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
  PID: 2756

    C:\Windows\SysWOW64\sc.exe
      Command line: sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
      - Launches sc.exe
      - Suspicious use of AdjustPrivilegeToken
      PID: 2632

C:\Windows\windefender.exe
  Command line: C:\Windows\windefender.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2744

C:\Users\Admin\AppData\Local\Temp\96B4.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\96B4.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID: 2536

C:\Users\Admin\AppData\Local\Temp\AB4E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\AB4E.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID: 2504

    C:\Users\Admin\AppData\Local\Temp\AB4E.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\AB4E.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies system certificate store
      PID: 1588

        C:\Windows\SysWOW64\icacls.exe
          Command line: icacls "C:\Users\Admin\AppData\Local\e7df7b80-7041-42cd-9769-eb172e892a0b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
          - Modifies file permissions
          PID: 2088

        C:\Users\Admin\AppData\Local\Temp\AB4E.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\AB4E.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          PID: 1400

            C:\Users\Admin\AppData\Local\Temp\AB4E.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\AB4E.exe" --Admin IsNotAutoStart IsNotTask
              - Executes dropped EXE
              - Loads dropped DLL
              - Modifies system certificate store
              PID: 980

                C:\Users\Admin\AppData\Local\9d3287d8-3a37-4ca6-85fc-147c675f4571\build2.exe
                  Command line: "C:\Users\Admin\AppData\Local\9d3287d8-3a37-4ca6-85fc-147c675f4571\build2.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  PID: 1644

                    C:\Users\Admin\AppData\Local\9d3287d8-3a37-4ca6-85fc-147c675f4571\build2.exe
                      Command line: "C:\Users\Admin\AppData\Local\9d3287d8-3a37-4ca6-85fc-147c675f4571\build2.exe"
                      - Executes dropped EXE
                      PID: 1224

                        C:\Windows\SysWOW64\WerFault.exe
                          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1380
                          - Loads dropped DLL
                          - Program crash
                          PID: 1352

                C:\Users\Admin\AppData\Local\9d3287d8-3a37-4ca6-85fc-147c675f4571\build3.exe
                  Command line: "C:\Users\Admin\AppData\Local\9d3287d8-3a37-4ca6-85fc-147c675f4571\build3.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  PID: 2788

                    C:\Users\Admin\AppData\Local\9d3287d8-3a37-4ca6-85fc-147c675f4571\build3.exe
                      Command line: "C:\Users\Admin\AppData\Local\9d3287d8-3a37-4ca6-85fc-147c675f4571\build3.exe"
                      - Executes dropped EXE
                      PID: 2100

C:\Windows\SysWOW64\schtasks.exe
  Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
  - DcRat
  - Creates scheduled task(s)
  PID: 1884
Network
MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique; the number in parentheses is the count of matching signatures)

Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Scheduled Task/Job (1)

Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1)
    - Windows Service (1)
  - Scheduled Task/Job (1)

Defense Evasion
  - File and Directory Permissions Modification (1)
  - Impair Defenses (4)
    - Disable or Modify System Firewall (1)
    - Disable or Modify Tools (2)
  - Modify Registry (4)
  - Subvert Trust Controls (1)
    - Install Root Certificate (1)
Downloads