Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
22-02-2024 01:54
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
file.exe
Resource
win10v2004-20240221-en
General
-
Target
file.exe
-
Size
136KB
-
MD5
1bc8dd1a5e08a1dcaeefb1a03f5c71eb
-
SHA1
9fbb0b46be6b7b0d60841f6c4d6940cdd1b4b08e
-
SHA256
30845b56fd4b84afa4212a7c5130b4ee2c07924524c357ea21d4b79ef21fd2f5
-
SHA512
5e8d3d808445684b08ec6e4b15d1a701c40bc80fb7d878695970a73f06fd318f6a812c7254dd7d61f74c1c36a0a989894dc80234374d9fc914142adcd9f6bc40
-
SSDEEP
1536:Y3HKFCXebMDnye3MtblERG2DnWQZWSqaiWz5AAm7FcNLuAfyEDyIEpovc29OhSc4:iHKCXeC3VdZWS5ijAm7FcUMyIrjksE
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://habrafa.com/test1/get.php
-
extension
.lkhy
-
offline_id
OxV6DGl22io8sqMOW1zCCOlzPiv4f1Vqzw7Y8zt1
-
payload_url
http://brusuax.com/dl/build2.exe
http://habrafa.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://we.tl/t-uNdL2KHHdy Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0851ASdw
Extracted
vidar
7.9
7f6c51bbce50f99b5a632c204a5ec558
https://t.me/hypergog
https://steamcommunity.com/profiles/76561199642171824
-
profile_id_v2
7f6c51bbce50f99b5a632c204a5ec558
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Signatures
-
DcRat 6 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
file.exe9F0.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription ioc pid Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8583777e-7500-4b73-b450-007b2ee298c7\\9F0.exe\" --AutoStart" 9F0.exe 2864 schtasks.exe 3060 schtasks.exe 2028 schtasks.exe 2040 schtasks.exe -
Detect Vidar Stealer 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1320-104-0x0000000000400000-0x0000000000649000-memory.dmp family_vidar_v7 behavioral1/memory/1636-103-0x00000000001C0000-0x00000000001F6000-memory.dmp family_vidar_v7 behavioral1/memory/1320-107-0x0000000000400000-0x0000000000649000-memory.dmp family_vidar_v7 behavioral1/memory/1320-108-0x0000000000400000-0x0000000000649000-memory.dmp family_vidar_v7 behavioral1/memory/1320-261-0x0000000000400000-0x0000000000649000-memory.dmp family_vidar_v7 -
Detected Djvu ransomware 15 IoCs
Processes:
resource yara_rule behavioral1/memory/2604-21-0x0000000004740000-0x000000000485B000-memory.dmp family_djvu behavioral1/memory/2700-24-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2700-27-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2700-28-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2700-51-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-61-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-62-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-77-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-78-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-82-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-84-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-85-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-89-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2552-198-0x0000000000400000-0x0000000000537000-memory.dmp family_djvu behavioral1/memory/2320-488-0x0000000000880000-0x0000000000980000-memory.dmp family_djvu -
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba payload 11 IoCs
Processes:
resource yara_rule behavioral1/memory/596-351-0x0000000004D60000-0x000000000564B000-memory.dmp family_glupteba behavioral1/memory/596-352-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba behavioral1/memory/596-356-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba behavioral1/memory/1564-359-0x0000000004FA0000-0x000000000588B000-memory.dmp family_glupteba behavioral1/memory/596-361-0x0000000004D60000-0x000000000564B000-memory.dmp family_glupteba behavioral1/memory/1564-362-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba behavioral1/memory/1564-372-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba behavioral1/memory/1200-378-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba behavioral1/memory/1200-415-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba behavioral1/memory/1200-503-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba behavioral1/memory/1200-509-0x0000000000400000-0x0000000003118000-memory.dmp family_glupteba -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Processes:
9272.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9272.exe = "0" 9272.exe -
Modifies boot configuration data using bcdedit 14 IoCs
Processes:
bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exepid Process 1996 bcdedit.exe 560 bcdedit.exe 844 bcdedit.exe 2256 bcdedit.exe 3012 bcdedit.exe 2880 bcdedit.exe 2764 bcdedit.exe 1256 bcdedit.exe 2996 bcdedit.exe 2716 bcdedit.exe 2604 bcdedit.exe 2628 bcdedit.exe 2460 bcdedit.exe 2384 bcdedit.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes:
csrss.exedescription ioc Process File created C:\Windows\system32\drivers\Winmon.sys csrss.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
netsh.exepid Process 900 netsh.exe -
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Deletes itself 1 IoCs
Processes:
pid Process 1208 -
Executes dropped EXE 21 IoCs
Processes:
9F0.exe9F0.exe9F0.exe9F0.exebuild2.exebuild2.exebuild3.exe4828.exebuild3.exe853A.exe9272.exe9272.execsrss.exemstsca.exepatch.exeinjector.exemstsca.exedsefix.exewindefender.exewindefender.exemstsca.exepid Process 2604 9F0.exe 2700 9F0.exe 1704 9F0.exe 2552 9F0.exe 1636 build2.exe 1320 build2.exe 2284 build3.exe 2892 4828.exe 2120 build3.exe 2428 853A.exe 596 9272.exe 1564 9272.exe 1200 csrss.exe 2320 mstsca.exe 2664 patch.exe 2528 injector.exe 2724 mstsca.exe 2388 dsefix.exe 1704 windefender.exe 1680 windefender.exe 1612 mstsca.exe -
Loads dropped DLL 27 IoCs
Processes:
9F0.exe9F0.exe9F0.exe9F0.exeWerFault.exe9272.exepatch.execsrss.exepid Process 2604 9F0.exe 2700 9F0.exe 2700 9F0.exe 1704 9F0.exe 2552 9F0.exe 2552 9F0.exe 2552 9F0.exe 2552 9F0.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 2688 WerFault.exe 1208 1208 1564 9272.exe 1564 9272.exe 852 2664 patch.exe 2664 patch.exe 2664 patch.exe 2664 patch.exe 2664 patch.exe 1200 csrss.exe 2664 patch.exe 2664 patch.exe 2664 patch.exe 1200 csrss.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Processes:
resource yara_rule behavioral1/files/0x00060000000195a6-549.dat upx behavioral1/memory/1704-550-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/files/0x00060000000195a6-552.dat upx behavioral1/files/0x00060000000195a6-553.dat upx behavioral1/memory/1680-554-0x0000000000400000-0x00000000008DF000-memory.dmp upx behavioral1/memory/1704-556-0x0000000000400000-0x00000000008DF000-memory.dmp upx -
Processes:
9272.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9272.exe = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" 9272.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" 9272.exe -
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
csrss.exe9F0.exe9272.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8583777e-7500-4b73-b450-007b2ee298c7\\9F0.exe\" --AutoStart" 9F0.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" 9272.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 21 api.2ip.ua 22 api.2ip.ua 42 api.2ip.ua -
Manipulates WinMon driver. 1 IoCs
Roottkits write to WinMon to hide PIDs from being detected.
Processes:
csrss.exedescription ioc Process File opened for modification \??\WinMon csrss.exe -
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
Processes:
csrss.exedescription ioc Process File opened for modification \??\WinMonFS csrss.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
9F0.exe9F0.exebuild2.exebuild3.exemstsca.exedescription pid Process procid_target PID 2604 set thread context of 2700 2604 9F0.exe 31 PID 1704 set thread context of 2552 1704 9F0.exe 35 PID 1636 set thread context of 1320 1636 build2.exe 38 PID 2284 set thread context of 2120 2284 build3.exe 47 PID 2320 set thread context of 2724 2320 mstsca.exe 71 -
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
Processes:
9272.exedescription ioc Process File opened (read-only) \??\VBoxMiniRdrDN 9272.exe -
Drops file in Windows directory 5 IoCs
Processes:
9272.exebcdedit.execsrss.exedescription ioc Process File opened for modification C:\Windows\rss 9272.exe File created C:\Windows\rss\csrss.exe 9272.exe File created C:\Windows\Logs\CBS\CbsPersist_20240222015541.cab bcdedit.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\windefender.exe csrss.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid Process 1976 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target Process procid_target 2688 1320 WerFault.exe 38 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
file.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI file.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid Process 2864 schtasks.exe 3060 schtasks.exe 2028 schtasks.exe 2040 schtasks.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
9272.exenetsh.exedescription ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" 9272.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" 9272.exe Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" 9272.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" 9272.exe -
Processes:
patch.exebuild2.execsrss.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a build2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 csrss.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 patch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 build2.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
file.exepid Process 2764 file.exe 2764 file.exe 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 1208 -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid Process 468 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
file.exepid Process 2764 file.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
9272.execsrss.exesc.exedescription pid Process Token: SeShutdownPrivilege 1208 Token: SeDebugPrivilege 596 9272.exe Token: SeImpersonatePrivilege 596 9272.exe Token: SeSystemEnvironmentPrivilege 1200 csrss.exe Token: SeSecurityPrivilege 1976 sc.exe Token: SeSecurityPrivilege 1976 sc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
9F0.exe9F0.exe9F0.exe9F0.exebuild2.exebuild2.exedescription pid Process procid_target PID 1208 wrote to memory of 2604 1208 30 PID 1208 wrote to memory of 2604 1208 30 PID 1208 wrote to memory of 2604 1208 30 PID 1208 wrote to memory of 2604 1208 30 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2604 wrote to memory of 2700 2604 9F0.exe 31 PID 2700 wrote to memory of 1884 2700 9F0.exe 33 PID 2700 wrote to memory of 1884 2700 9F0.exe 33 PID 2700 wrote to memory of 1884 2700 9F0.exe 33 PID 2700 wrote to memory of 1884 2700 9F0.exe 33 PID 2700 wrote to memory of 1704 2700 9F0.exe 34 PID 2700 wrote to memory of 1704 2700 9F0.exe 34 PID 2700 wrote to memory of 1704 2700 9F0.exe 34 PID 2700 wrote to memory of 1704 2700 9F0.exe 34 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 1704 wrote to memory of 2552 1704 9F0.exe 35 PID 2552 wrote to memory of 1636 2552 9F0.exe 37 PID 2552 wrote to memory of 1636 2552 9F0.exe 37 PID 2552 wrote to memory of 1636 2552 9F0.exe 37 PID 2552 wrote to memory of 1636 2552 9F0.exe 37 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 1636 wrote to memory of 1320 1636 build2.exe 38 PID 2552 wrote to memory of 2284 2552 9F0.exe 40 PID 2552 wrote to memory of 2284 2552 9F0.exe 40 PID 2552 wrote to memory of 2284 2552 9F0.exe 40 PID 2552 wrote to memory of 2284 2552 9F0.exe 40 PID 1208 wrote to memory of 2892 1208 42 PID 1208 wrote to memory of 2892 1208 42 PID 1208 wrote to memory of 2892 1208 42 PID 1208 wrote to memory of 2892 1208 42 PID 1320 wrote to memory of 2688 1320 build2.exe 43 PID 1320 wrote to memory of 2688 1320 build2.exe 43 PID 1320 wrote to memory of 2688 1320 build2.exe 43 PID 1320 wrote to memory of 2688 1320 build2.exe 43 PID 1208 wrote to memory of 2640 1208 44 PID 1208 wrote to memory of 2640 1208 44 PID 1208 wrote to memory of 2640 1208 44 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2764
-
C:\Users\Admin\AppData\Local\Temp\9F0.exeC:\Users\Admin\AppData\Local\Temp\9F0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Users\Admin\AppData\Local\Temp\9F0.exeC:\Users\Admin\AppData\Local\Temp\9F0.exe2⤵
- DcRat
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\8583777e-7500-4b73-b450-007b2ee298c7" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:1884
-
-
C:\Users\Admin\AppData\Local\Temp\9F0.exe"C:\Users\Admin\AppData\Local\Temp\9F0.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\9F0.exe"C:\Users\Admin\AppData\Local\Temp\9F0.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe"C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe"C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe"6⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 14727⤵
- Loads dropped DLL
- Program crash
PID:2688
-
-
-
-
C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe"C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2284 -
C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe"C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe"6⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
PID:2864
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\4828.exeC:\Users\Admin\AppData\Local\Temp\4828.exe1⤵
- Executes dropped EXE
PID:2892
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\5276.bat" "1⤵PID:2640
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵PID:2648
-
-
C:\Users\Admin\AppData\Local\Temp\853A.exeC:\Users\Admin\AppData\Local\Temp\853A.exe1⤵
- Executes dropped EXE
PID:2428
-
C:\Users\Admin\AppData\Local\Temp\9272.exeC:\Users\Admin\AppData\Local\Temp\9272.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:596 -
C:\Users\Admin\AppData\Local\Temp\9272.exe"C:\Users\Admin\AppData\Local\Temp\9272.exe"2⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1564 -
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵PID:836
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:900
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Manipulates WinMon driver.
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1200 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
PID:3060
-
-
C:\Windows\system32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵PID:2072
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2664 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER5⤵
- Modifies boot configuration data using bcdedit
PID:1996
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:5⤵
- Modifies boot configuration data using bcdedit
PID:560
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:5⤵
- Modifies boot configuration data using bcdedit
PID:844
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows5⤵
- Modifies boot configuration data using bcdedit
PID:2256
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn5⤵
- Modifies boot configuration data using bcdedit
PID:3012
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 05⤵
- Modifies boot configuration data using bcdedit
PID:2880
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe5⤵
- Modifies boot configuration data using bcdedit
PID:2764
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast5⤵
- Modifies boot configuration data using bcdedit
PID:1256
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 05⤵
- Modifies boot configuration data using bcdedit
- Drops file in Windows directory
PID:2996
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}5⤵
- Modifies boot configuration data using bcdedit
PID:2716
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}5⤵
- Modifies boot configuration data using bcdedit
PID:2604
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 15⤵
- Modifies boot configuration data using bcdedit
PID:2628
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe5⤵
- Modifies boot configuration data using bcdedit
PID:2460
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
PID:2528
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
PID:2384
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe4⤵
- Executes dropped EXE
PID:2388
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
PID:2040
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵PID:2944
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:1976
-
-
-
-
-
-
C:\Windows\system32\makecab.exe"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222015541.log C:\Windows\Logs\CBS\CbsPersist_20240222015541.cab1⤵PID:2996
-
C:\Windows\system32\taskeng.exetaskeng.exe {B584DB60-14C3-4C7E-9180-7C62F1EB7873} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]1⤵PID:1660
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2320 -
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- DcRat
- Creates scheduled task(s)
PID:2028
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
- Executes dropped EXE
PID:1612
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
PID:1680
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
4Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5d59bf18e04eb0da9f0dbd3079eb92b8a
SHA17c66b5040018fdd07ac6018c38e5852a15a6e4ef
SHA25602ebe8851ff0624357b42b43dc5684fca0db014d817f01cfc8df4b344dc25b32
SHA512f5151651e9d61d4402318f5e6e850957f94726eee42a67dd6c8979720d44f00363de40c67a13b3101b9fa93188c27e1c00a21b9b316e024046543e44e51c15ee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize724B
MD58202a1cd02e7d69597995cabbe881a12
SHA18858d9d934b7aa9330ee73de6c476acf19929ff6
SHA25658f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA51297ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD502a572a444f6aea574f70847b4b261ac
SHA164f339990b4b45efa6cc1ee7943b4be43e2c6112
SHA2562e3d6df847c8f6206b8430b8eae66344b087bda1c53003e3fe0ba6cb42c8716b
SHA512503e72a4dcb10c70120cc6675478f6d4f378252dcb91e24375a34bf2551163c9f82af160683cb5b5b3f84d221ee0e8f8319907a283d12056b5658b6f140bfa6b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5870d42b688d18b63fb52bc6cff68b762
SHA1a4d91178d2cb148e393a9affcc540fabcb0803f1
SHA256dbfd9cc4bcbc0da3d193de0c53076db3b2205d824113ae3caa3ea7b33b3fd2a6
SHA51224dfc60c87d636432fddc6b3ede2f8d8cb753b9138c78345aac589b0e882c80dc2dc257d99e7bedcb0eab781f307fc04b199566639f2f626b1a678d9e719dcbc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD552f53906957f2b289f14dc21b4d2e5ab
SHA1f3ebf2e3b931e313d01e8cb4d3de096cfeefcdae
SHA25611d7208a3d730e4d859f81284d2fb3b50368f167fb1f2a10387b0944a2891611
SHA512b3e3d5b992ae4d3cc01e0ff77dac6d637dd334eefcebe75ae48c69ecb2c50fd90e8db91d694ae0a2790f03dbf348eff206b1c08ea2761963a603c132c5b9e07b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5e389ff719d4f3fadd40ade0281d07262
SHA1979c767d32da9fbc71e141585ea9a01a3b4cd609
SHA256aa4cc57c8ff98f4c5f9d53bdc52e2b38fd4105c70d13062ba656f74ce0b999bc
SHA512d20b95bef0594330c467329ed5324c4359e5819f9b9b4974d3cd2fc047722f16767f677e166dd79d14619bb1f33abde191bf88f2e20771ea91323cd1cf49b1be
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52ca93fb3d4ffebbd18a948dcf8329957
SHA16485e2815da6a6aee8ae7e85a6b49843c06da907
SHA256d1f35d5dbde3b82e0d0d39dc1d5d6e4f04f5a20e8f3acf4369d590181884277f
SHA512002b51adba4debafd880a855f98573987f665d9989bd8f5b8cb210f613e3bb168675f1a144a79f050c554c9ae0910ec02f6f01f3a0b24cd70f613d16d769c3fb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD54e05cac40082c891a11196d21c7d0ee3
SHA1b2bcd705ceda4859fdc71beb26ce6c3bbecff435
SHA25681069225d47a075dab4b20ebeece57c86966532866d1904eb04e0033362c2fc0
SHA5127e4b770e87c264d624cda7b10f6202a003221dd3805bb72568e95e37876cb4f1c3a40e0a003d3971990734ff074690128257d34671afc1ac2a4d319a0a54af95
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize392B
MD57dc6a32b54522e9cdea942ab36b3c46f
SHA10a98eb4a14489810ebd616ea2657a6802be26c4f
SHA256d4f60fa83eb77a23b13ad37587b494462f91ad8988066b4e5beae887c2e78287
SHA512382c9e35786ac99bfd068d119c32d9bb6236f77e092e7f6dfef25bdd742c373dcd1d1f75dc1c04b4c2629731d58403cdfcf4c321b28e54d9be9179bfe0feeeb4
-
Filesize
3.4MB
MD52970507fe29e4a666b075521ef8d664e
SHA1711434ed76c0a8319f43a34daf9b43a7d150a5d3
SHA25632f356c8c15a6bd52c739049b36a80f1afae3d5df9bd197d1781873103ed462a
SHA512ff7ca3f758e62ae872da1feaecd41cfb0ce6fbabe7173d5bb7f2784683a35e98bde215b1b0732328915b078f255167177cd20225064245d996f1fe5cabac2e19
-
Filesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
388KB
MD50d6a426119a1622fe87f00c1a0e1c1a4
SHA12f8ff1764b2cad5b00385849e47f70675034e675
SHA256ee3eebd9f86353bfcb7bfc1af0b572ea76a0f39d846f9706d227fd3f1f390f13
SHA51226fd7b7253cd6c86905dfdb838efc4582455827dfbe938388a851d4c7dceb5607e507eaeacb992a79ae6834263f3804201185af54f827f7eeee7762aa0d6e366
-
Filesize
143KB
MD54245b8cbf6c03a2c84154ca2cf1307d8
SHA1f5da20335f9e85c3d532b7a8c8cd629e73c6ee48
SHA256ddcb18c6d0aaf1ae1b0bfebbc7921834b54efd2d9833b9392b21fccb903a3032
SHA5129b4904464570607a2651af11bd29ef1740007a83ebb5566c31984ffd7ee1cd62e4a1c3d036da3e520034edd2e30ce07e48387b61ae4c2291fd3d1d79c9e5ccc0
-
Filesize
646KB
MD56757766a3537ae6d29bb650d7e3447f8
SHA1de51427bcd1961d24bcbd21fbda749b1b04bf5ff
SHA2564e90ee8363bd7400cce1d6b4bd91a4dfb83d61bba7801e7ef2fc496d2bea3212
SHA51284dce5a061e00cc0915482a191f5241e8931d648e0d82eb1ef80a0225f967675a7bbab6f8ddcce710696b935910092d41e96a5ec60b288d0437c371cdcfb88ab
-
Filesize
576KB
MD5dd253f5071b1111fdd6dec42b12fe8e4
SHA19b28d2d0934f2f98bae2f46cca79341ea9067ad3
SHA256b51034919b413fa9910f036781a2b730d736699b09fb5399706e5d26e4247757
SHA512fba54ffb72e0788e26340aad044ab5af6f1b24eb91786a2fb4f785fbff0330f6ff12dfef296ab5d38efb19565e49e573c5e5fca6d90e5fea5db326c664656a7e
-
Filesize
713KB
MD59d9114ab84aa79f8a22356d35ce7fd66
SHA180ace18221477538d8219bd0495e79875c334fa7
SHA25605cff8cebc34d942d16d5fe3eae68ceb3420e96264819f8dd3fd6bb28028e514
SHA512ba12481c78ab484781fb3466f28140f653230fa8b947a3afe4327621195de259258587c143f4e79a2dc5658439216b9fa11b337ec4c7794d910ce1262c915968
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
Filesize1.5MB
MD5b099f708b9c5b20252d6cd807f58c0cf
SHA17935cb7a7081aebb49f0e08bac24e0326c827b97
SHA256e2e3aa82268a72034f456e36e5da51f68c20cd4894760eeb1c2cc9e8cb920cb6
SHA512f8e0a02871ce948a2623d8a92eea80c68751b5ce558cdc1dbd4ab1a24c95ee4aea12556c4a28852a8d22321f0302b5c081f5c3c14b506f6f94938d8c349a66c3
-
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
Filesize214KB
MD5a6e7281b25e92468c451434fa8ab45b1
SHA13e524fe95885c02272b6171a5aa8c91de2797c68
SHA256fe61379f35c2ce8aadf4a1b5d0df67b915da5e68c3f527676410cd14ebffb040
SHA512fa54deab5b6363d4832d5b2f7aace7a78966942936a0a3be31d23586dbad8c34024f5855d9b75524eab9579f4447f6918868f635ffe3d587eacb48953cef1903
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
265KB
MD55f492c5ba94d6a41ceddcf10d5258efc
SHA1173a9e157806cc55192504ceba316bdf1c1bd670
SHA2562a0d1b759fa4ebad516f914594deb9b677beb97c14b1d7f4f6e0534ffbe51bed
SHA512ae0d68ab9aa2fa3e578fd25475774427de0e65dbae4fdd95c265b693441566087689566336971e7ed34d010e59b288490975442ff46cfdb5b70053b215dbfc12
-
Filesize
1.7MB
MD513aaafe14eb60d6a718230e82c671d57
SHA1e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3
-
Filesize
763KB
MD5e3524370dc3f0849761673f48ea826d9
SHA125edb10d4fefa0b1418e15d8373365380cf07fa3
SHA25693834706244fdba144ca5e2dc0c4665c926d32229dc25d6307c15757e22b8604
SHA51249424383e886032be994a20031a596600568df62e67718b509598c9922751cbcd0ea378b1a51b4a72ddb678d625f3b5f1ace7e8113a0c02a97c3743fa684cfc6
-
Filesize
591KB
MD5e2f68dc7fbd6e0bf031ca3809a739346
SHA19c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA51226256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
334KB
MD5c6d3d647baad8a5b93b81d2487f4f072
SHA1e9c1105dc41f85d4f7e94d4e004f8427787c8802
SHA2567754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a
SHA51255425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049
-
Filesize
232KB
MD51b6ce5438f7c424a45425ab1865b5cfb
SHA1617f901b6a338259c88b7e489a04db6f3a19d6bb
SHA256f13102e1ee3b7ecc118b2c4eef088f64891ede52227656065e92ec824ee01530
SHA512f0e10fd15c78f9b040d939e69e0cea051c20ec7e51c7da5867f36014ffcb9f2a0ce0e0b9e5706f174dcc16530b62a2a1d1c172ae77a829f7e5b867f15447d852
-
Filesize
451KB
MD5f40cc995d0db3713af2fd558e9b22d72
SHA151995c2c0677e07776477ed49afeebca1c0f9276
SHA256ab6ee9f7d0ca2740a3a147c9d4ed168243a3d8be677764f2f04dd6413e90b4bc
SHA51218f73c9e747c1836900aba6e713fbe965756410710103c4a0075d9ce60d60bd9ddf30a6c2e2ec5e21367edcd56de64131fa14c453adafb13376b5ff80edfc31e
-
Filesize
1.4MB
MD5db4568248637d138cd979dd0ab07716a
SHA11dade0abf38232fdf4113de926692b2391c65af7
SHA25601ba9d35c4f58a7c04cd2957a204794f62d7c04782bc4d9f74127c8a33f3a3ae
SHA512fc93294961b67fb378f1fc76f00a759d586741fe80b04198d54602ec97b6e0cf7e2dc2c46a4aad1dc1f5e7041f114b2f23505bfb754c101c9f465b997341b1f6
-
Filesize
518KB
MD5717c8e39887363435fd56b3e8dda0339
SHA19fb784f0fec788b21d91393b9514d753ff4d108d
SHA2561e3d04f4bef851af0865db164b5806e7dd9c2043e9d057e5848a5462322701f5
SHA512cb98ecffda239b65e8f31461ebd47631a00b77ba6c255a67f9c8b1d6faf344156aab74ef539bd282273dc751b91f49c95ec694f9904806d394e80d2172cd8363
-
Filesize
287KB
MD5acc81fb2816e38f832eb5967aa47b8ae
SHA1fd447a435a962e47844a08c698367d0cc92ffd0f
SHA256742d6cdfd7205e4aaca81dd131349b95eebb17eefeef2e1451ddfe58d185650d
SHA512f60c166136c3de32380db58eb563faffdfef7f84ace22489410da7907f085ccf13f4aee967990aeb7ca9e3a3483e7ddaf7b9d1937c7af8e8d2210c5abcc9a230
-
Filesize
1.9MB
MD5b2b4879290de8e43ccbcd92b507de1cd
SHA1de32697442f04035415d6c89d3398f778ed50bf2
SHA2563800084470a4fde43467a91cba0e08399f7bdf70b0f03af2f99c282b18f1aa49
SHA512179ffc5976e0a9a033816863cbb71ca0b8bc513e3f93a0da9773da1b7b5f3109d1442623f13482dd2a5632694262d5497e10c434149eb267ed028318c45a0bf1
-
Filesize
655KB
MD538bebd5772e1cf372d2da3ab672e0d89
SHA1b0f36508354964d8c4c3e3cb7cf5c7e53c5604d2
SHA25603cb6b801a97cdc43ba4ac0b02ba2d6ad84e4bc07f9591f06c1290bec3357ed3
SHA512a17ec01903f64c5841b95d84a89db4ce01842fb8d7fd3dccd5edc07a3ba765a4a3d3532ed25ae3a17a0cbe4d1d82921858426026486fc94ca55f41525edd823f
-
Filesize
94KB
MD5d98e78fd57db58a11f880b45bb659767
SHA1ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831
-
Filesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
Filesize
1024KB
MD5e33401b93442ca977d59e5da219a6aaf
SHA133681c24e68e86fa5bb35a7b76b7a832780def1b
SHA256a0ca2816632b39247e91f4b5b3f1c47848aa0feee756a1e0fffc72b1360c6251
SHA51230467f815aafba392be2319946e1b38a7f8d0057b770e28e49622c5e4db90a508186a0087ef09e1968075500f71eef80b69f556790c656c0c5a1cfd6aff80b3e
-
Filesize
719KB
MD59e36385b29db63b590571c7510c85f79
SHA1daee8501506c0661df7f6dedb91a2d17b2b6f75b
SHA256c0906a4c2b8a2348d0b299679bab43140c5afa69fe6f2f83be889489695c8cd9
SHA51246a380abf356a432737f6a777e8a09de285827bd9c1c10d50a8d425f29e1db3e112e4d06533d6a60f4d4416cbca00fe693b94bccfacb54b1ad39df9c8906d8de
-
Filesize
867KB
MD5a2cf03c92a9ba9f14887946beff4addd
SHA1954a835b6810f766f2fb28a3b14678225d8b73d1
SHA2560b972506b144954f83274e93c8add97983f834cad47dd2a55e1935f2c2d4c9de
SHA512753bd54227e0878599b99b7bdd0c68a80798203add6dc0f280d9b77f9f451dc68a5faaf6b21d5f1667f5b2af6e1e42938b0b0accbb9df9b42afd1922bd9415fe
-
Filesize
655KB
MD5489adf3aa6b215226925cfb5dd492672
SHA151b9121c6beed6fb22a4819c4254ededf22e1ce2
SHA2561e214c62074a2dd4b70d9b14092ea211a3d79e55d361b78b2cfbfae70713b6cd
SHA5127a62e0766aef7e8268581529a8aaa0d6c30698f0ffead32fec431bf46c6d93b40139c87da498f66d85db03e180b6840a83e38193a87c557938431341f01c5aa0
-
Filesize
450KB
MD57d8ccccabd6f818dd32640a50e0910b9
SHA1c95f1dee720251779a5f06cafb2ada857dfd256d
SHA25643c076f070054cc1500395dfe772a060cc4bb719b7c98ad83779ad14b88d3685
SHA5122286de76a3ac1f34e9069fec58596257d9e0c128ed18709bc1d27a25ad76609502098913d5e40f97435cfef90136c105e86289f0ad918d1aeb01abbeb11adb51
-
Filesize
525KB
MD566d807077e3cf9cf4628b6d78e4b3f35
SHA1f984eac178c43b85c20919831e3c1c495b32aeaa
SHA256e571a6fe410e2607d9ac5105796b318c05820e15925666c3231ba403a3fb75d5
SHA5128893ea662a939151749c56c168f2b0fb5700c4f2c2aaf09a0382a88fbeb43b1c2021b93e26e6023264763d2ef7129a3bc620f8c4ffc49de981dad3cf41a5257b
-
Filesize
163KB
MD55c399d34d8dc01741269ff1f1aca7554
SHA1e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA5128ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d
-
Filesize
332KB
MD5c106cfb56d4014fa1e6e292d18f51129
SHA1f349a08ef573fa979e6ff001e02bca312e5c03cb
SHA256f89e84ce11b8f8329d0a7baa9dbe89fbee3df8c6ae6a9a9d1278de652e9e5c7e
SHA512ba2246ea7feccb771399c6b56116b11611b19fd46015f0648b37b7b5fd62d93d3f343d79d56b358ddcf815c8f95528e93dacbfb40c57f6c47ff69591f3bad3d1
-
Filesize
54KB
MD52e24c4f0771a259cf609ac5fa6e4d8bd
SHA1ee1b06f8faf2f5bca6b2166f76ef39f92066448c
SHA25627954e80a69e65e6cfecce638da361297c754675e01d55ecd5ead3c18feecb79
SHA5125eb5f5be8705a1c4f663c0f68556aca187ca121109f6c39a9b412be5724f0c4d7bfff7f3160c485cd0be362514fc7e94871741bb96c34529499b2c3948ee52e8
-
Filesize
299KB
MD541b883a061c95e9b9cb17d4ca50de770
SHA11daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
-
Filesize
342KB
MD5c57887b8f74ac002a62eb9d3785a6f64
SHA14444d42680383f7534b0139152ff53876cd2511c
SHA256a8211dfd3f19eed59554572195112589a14e1b86db4e38be2f7ff53e620622ee
SHA5125b03553338cba1f6af142919233c116c4727f9ed6b0e4ddca854657dd9cd4647735ea03804862232481645f1060e0ffbc98094ec2757c3fda33e1d7e96fcfb05
-
Filesize
357KB
MD58e49ca69fdeb66cf3a0767ce691ee11a
SHA1ec145f48927454e46d488270c243e3c1f238023b
SHA2565b7f60d350e3371497ebf98068735f43db8f89020426ba134908cb2f683f9f29
SHA512eecf6ad85608cadb1f818cc4215e696e0a7a5188180ae79a252273bc865b1a63a7f6317c45a7485669e284d52469cc5684127e1aade72f1cc75ea3f8063a56f7