Analysis Overview
SHA256
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Threat Level: Known bad
The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Detected Djvu ransomware
Djvu Ransomware
SmokeLoader
DcRat
Vidar
Lumma Stealer
Glupteba payload
Windows security bypass
Glupteba
Modifies boot configuration data using bcdedit
Possible attempt to disable PatchGuard
Modifies Windows Firewall
Downloads MZ/PE file
Drops file in Drivers directory
Deletes itself
Executes dropped EXE
Windows security modification
Checks computer location settings
Modifies file permissions
Loads dropped DLL
Manipulates WinMonFS driver.
Checks installed software on the system
Adds Run key to start application
Manipulates WinMon driver.
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies system certificate store
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: MapViewOfSection
Runs ping.exe
Enumerates processes with tasklist
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 15:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 15:56
Reported
2024-02-22 15:58
Platform
win7-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c2335aea-a39b-4923-a774-bce038c3ada9\\F4DB.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\F4DB.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\E0D2.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\E0D2.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c2335aea-a39b-4923-a774-bce038c3ada9\\F4DB.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\F4DB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2376 set thread context of 2504 | N/A | C:\Users\Admin\AppData\Local\Temp\F4DB.exe | C:\Users\Admin\AppData\Local\Temp\F4DB.exe |
| PID 2724 set thread context of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\F4DB.exe | C:\Users\Admin\AppData\Local\Temp\F4DB.exe |
| PID 2068 set thread context of 2764 | N/A | C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe | C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe |
| PID 620 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe | C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe |
| PID 2404 set thread context of 1652 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240222155741.cab | C:\Windows\system32\makecab.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\44DF.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E0D2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F330.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe
"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D46F.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\F4DB.exe
C:\Users\Admin\AppData\Local\Temp\F4DB.exe
C:\Users\Admin\AppData\Local\Temp\F4DB.exe
C:\Users\Admin\AppData\Local\Temp\F4DB.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c2335aea-a39b-4923-a774-bce038c3ada9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\F4DB.exe
"C:\Users\Admin\AppData\Local\Temp\F4DB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\F4DB.exe
"C:\Users\Admin\AppData\Local\Temp\F4DB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe
"C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe"
C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe
"C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe"
C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe
"C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe"
C:\Users\Admin\AppData\Local\Temp\44DF.exe
C:\Users\Admin\AppData\Local\Temp\44DF.exe
C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe
"C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\565D.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 128
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1460
C:\Users\Admin\AppData\Local\Temp\E0D2.exe
C:\Users\Admin\AppData\Local\Temp\E0D2.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222155741.log C:\Windows\Logs\CBS\CbsPersist_20240222155741.cab
C:\Users\Admin\AppData\Local\Temp\EF19.exe
C:\Users\Admin\AppData\Local\Temp\EF19.exe
C:\Users\Admin\AppData\Local\Temp\F330.exe
C:\Users\Admin\AppData\Local\Temp\F330.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit
C:\Users\Admin\AppData\Local\Temp\E0D2.exe
"C:\Users\Admin\AppData\Local\Temp\E0D2.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\cmd.exe
cmd /c md 21758
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 21758\Upgrades.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Meaning 21758\Z
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif
21758\Upgrades.pif 21758\Z
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\taskeng.exe
taskeng.exe {903D9B52-DFB1-4FF4-A332-93B3C5E3AB5B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| PE | 190.187.52.42:80 | brusuax.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| PE | 190.187.52.42:80 | brusuax.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| PA | 200.46.202.73:80 | habrafa.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| PA | 200.46.202.73:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| US | 8.8.8.8:53 | mahta-netwotk.click | udp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | notmalware.top | udp |
| RU | 5.188.88.181:80 | notmalware.top | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trypokemon.com | udp |
| US | 104.21.51.193:443 | trypokemon.com | tcp |
| US | 8.8.8.8:53 | loftproper.com | udp |
| US | 104.21.11.77:443 | loftproper.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| DE | 185.149.146.82:80 | 185.149.146.82 | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | AKDHTrZGmMfGSiQC.AKDHTrZGmMfGSiQC | udp |
| US | 8.8.8.8:53 | 6bed9fd5-08c5-4f99-85c0-32f1f1f7c8a4.uuid.localstats.org | udp |
| US | 8.8.8.8:53 | r.l1nc0in.ru | udp |
| US | 104.21.58.54:80 | r.l1nc0in.ru | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | server12.localstats.org | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| ZA | 74.125.27.36:19302 | stun4.l.google.com | udp |
| BG | 185.82.216.111:443 | server12.localstats.org | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 104.21.23.184:443 | walkinglate.com | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
Files
memory/1720-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1720-1-0x0000000000600000-0x0000000000700000-memory.dmp
memory/1720-3-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1364-4-0x00000000025C0000-0x00000000025D6000-memory.dmp
memory/1720-8-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1720-5-0x0000000000400000-0x000000000044A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D46F.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\F4DB.exe
| MD5 | 5648348e81a70ef7ab40f963b44713f6 |
| SHA1 | 3e2d708a95de8e53ba4a6b9359cc0cc6dfcddea7 |
| SHA256 | 4bf966f6dd9cb739b073a8bc48f521eb9c35b4f050e799be6eac795fe615263d |
| SHA512 | 899d833a1a43ca6160bfb89775c83a049afaa0e3e8cf48dde112f7de351d307fd194c97ffe3ab0c2e86fc7bb75ed3b3d53b0d95ea1fa80252020153ca4813a8f |
memory/2376-27-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2376-28-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2504-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2376-31-0x00000000008A0000-0x00000000009BB000-memory.dmp
memory/2504-34-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2504-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2504-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2504-59-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2724-61-0x0000000000330000-0x00000000003C2000-memory.dmp
memory/2724-62-0x0000000000330000-0x00000000003C2000-memory.dmp
memory/1412-69-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1412-70-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 04e1c0fb7c50efaf86ba32ac99af0cd4 |
| SHA1 | 844aeeaba2b3c0a23a3f3580ee9eafde8eee9aa0 |
| SHA256 | 59cd12f0b76ce31550e9068fed1da5c917f8b4361ef4f3c62c9522473162705a |
| SHA512 | 3394f7025fe90250bc8ae1caeba12ec23019a31c1762e5ab757cd874ff33160b1596be9bb079b5641b7476c306c8ebd520fab5f00a0dca06372c67387f21ce40 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 0fc7fd4e9436d6ddfc9330ada2aed490 |
| SHA1 | f223486cd69f5b8c0a8f0763fad9ecf783159366 |
| SHA256 | ed4046de6ded153893856e122a91fe8c1a81e4acc3cee5bde3be407dfe0c99aa |
| SHA512 | 17f7e1ff1e1b2158f105dd093631d02d98be574a926940ad5d60c5b484f8163e42e57f1e1ae94f27ff564ca0ab63765bf3fc2ae81ad75a48312bbb10b7402ab1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 31ef2da866f96e78a00fc9e18d660a80 |
| SHA1 | 893276a843f849798bb01cec3eda7fbe8b97052c |
| SHA256 | e3502879afb5ecddd4ffeb1cd6b0d6f22af323e0618535d07f8f85714512dda2 |
| SHA512 | ea730569172877dd60c66bf0adf2f02591209170e11b07e33a41c56761e5bfd48c999dbe161c301b2efc5e011d8b49c070a33fe55211d3c6334cb0b2634fbfdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 45efa9b472bd53c150a425f28d5e324f |
| SHA1 | 51ac28f0d1e624b2309b648d63befedcd8d0c2b6 |
| SHA256 | 1f09ea9bc8dff6f0e6dc464976df405d9ea51a2170f31d57d71918ff995a9244 |
| SHA512 | 495a559747434f4b1f19f0757da310e2cbe92cf5176590f699e2511ebb675b6a962846fc6d035aae14f4ee1d4f09eaa950b09493c6ed291659a2f6702eb82895 |
C:\Users\Admin\AppData\Local\Temp\CabA0F.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1412-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1412-84-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1412-88-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1412-90-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1412-91-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe
| MD5 | c6d3d647baad8a5b93b81d2487f4f072 |
| SHA1 | e9c1105dc41f85d4f7e94d4e004f8427787c8802 |
| SHA256 | 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a |
| SHA512 | 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049 |
memory/2068-104-0x00000000005F0000-0x00000000006F0000-memory.dmp
memory/2068-107-0x0000000000230000-0x0000000000266000-memory.dmp
memory/2764-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2764-109-0x0000000000400000-0x0000000000649000-memory.dmp
memory/2764-112-0x0000000000400000-0x0000000000649000-memory.dmp
memory/2764-114-0x0000000000400000-0x0000000000649000-memory.dmp
memory/1412-113-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1412-121-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar3ADF.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f0499ebaa2ae5d076fc6b749f71e62d3 |
| SHA1 | 0ed759b10a102c18da701fe311175774ae6578e2 |
| SHA256 | 13d335db0e893aad0fbbc74147838d5a9b01dac5b9e3c4ffd4e60ded8f66ab80 |
| SHA512 | 19e5b0dd83bd41c3857f8f51143b897efb7167eecbccb5bb9fa7dea4823a03cb54f115c37f0204af926976d82b8da9e94a03d0aa98103890c62144b8f46e4947 |
memory/2764-181-0x0000000000400000-0x0000000000649000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44DF.exe
| MD5 | 5df8f343b9d2649849a7a8db8137c1dd |
| SHA1 | 1dd3f72eb0857a64164333a1fc793c41050fb1ef |
| SHA256 | 50b094b81aecdd5af82c7bb21027dc16e192fea3db1f8ee64fe0b9397b9c7394 |
| SHA512 | 2eb592bf895e5889e1d28bd179c8d47198a2d0481642d88d6b76a1e5be1edcb2e1e7da71a1f8be9af0397c1c0839d3338e0a1d443e41764adb373ee91ce22060 |
memory/1580-203-0x0000000000EA0000-0x0000000001977000-memory.dmp
memory/1580-211-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/1580-209-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/1580-213-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/1580-224-0x0000000000100000-0x0000000000101000-memory.dmp
memory/1580-223-0x0000000000EA0000-0x0000000001977000-memory.dmp
memory/1580-226-0x00000000773FF000-0x0000000077400000-memory.dmp
memory/1580-227-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2692-234-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/620-236-0x00000000001B0000-0x00000000001B4000-memory.dmp
memory/2692-239-0x0000000000400000-0x0000000000406000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 15:56
Reported
2024-02-22 15:58
Platform
win10v2004-20240221-en
Max time kernel
85s
Max time network
151s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e42abc41-a440-4a78-9a14-43b385d904d3\\D41A.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\99A0.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\934.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8D1C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\99A0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CED.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e42abc41-a440-4a78-9a14-43b385d904d3\\D41A.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3948 set thread context of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | C:\Users\Admin\AppData\Local\Temp\D41A.exe |
| PID 4644 set thread context of 3664 | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | C:\Users\Admin\AppData\Local\Temp\D41A.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\D41A.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9CED.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe
"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCE7.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\D41A.exe
C:\Users\Admin\AppData\Local\Temp\D41A.exe
C:\Users\Admin\AppData\Local\Temp\D41A.exe
C:\Users\Admin\AppData\Local\Temp\D41A.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e42abc41-a440-4a78-9a14-43b385d904d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\D41A.exe
"C:\Users\Admin\AppData\Local\Temp\D41A.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\D41A.exe
"C:\Users\Admin\AppData\Local\Temp\D41A.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3664 -ip 3664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 568
C:\Users\Admin\AppData\Local\Temp\934.exe
C:\Users\Admin\AppData\Local\Temp\934.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DF8.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\8D1C.exe
C:\Users\Admin\AppData\Local\Temp\8D1C.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\99A0.exe
C:\Users\Admin\AppData\Local\Temp\99A0.exe
C:\Users\Admin\AppData\Local\Temp\9CED.exe
C:\Users\Admin\AppData\Local\Temp\9CED.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\cmd.exe
cmd /c md 21719
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 21719\Upgrades.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Meaning 21719\Z
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21719\Upgrades.pif
21719\Upgrades.pif 21719\Z
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\8D1C.exe
"C:\Users\Admin\AppData\Local\Temp\8D1C.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
| Country | Destination | Domain | Proto |
Files