Analysis Overview
SHA256
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Threat Level: Known bad
The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba
Stealc
Djvu Ransomware
Lumma Stealer
DcRat
Windows security bypass
Glupteba payload
Detect Vidar Stealer
SmokeLoader
Vidar
Detected Djvu ransomware
Modifies Windows Firewall
Downloads MZ/PE file
Loads dropped DLL
UPX packed file
Modifies file permissions
Deletes itself
Executes dropped EXE
Windows security modification
Checks computer location settings
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Enumerates processes with tasklist
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Runs ping.exe
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 15:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 15:57
Reported
2024-02-22 16:00
Platform
win7-20240221-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2a5bdfbc-fe67-4016-9470-48e4bc54a82f\\386F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\386F.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A (5 hits, no details recorded) | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A (14 hits, no details recorded) | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A (9 hits, no details recorded) | N/A | N/A | N/A |
SmokeLoader
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F7E.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F7E.exe = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2a5bdfbc-fe67-4016-9470-48e4bc54a82f\\386F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\386F.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
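The two Defender tables and the Run-key table above are the rows a responder should pull out of this report first: an unsigned binary running from %TEMP% (F7E.exe) writes HKLM exclusion entries for the paths it is about to drop into (C:\Windows\rss, the drivers directory, its own csrss.exe), and both droppers register autostart values under the user's Run key. The script below is an added example, not part of the sandbox report: it normalizes the kernel-style key paths the sandbox logs (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) to hive names, classifies each write as a Defender exclusion or a Run-key persistence entry, and raises the severity when either the writing process or the autostart target lives in a user-writable tree or in a non-standard directory under C:\Windows. The EVENTS records are constructed from the indicators in the tables; the fifth record is a constructed benign control, and the EXPECTED_WINDOWS_SUBDIRS allowlist is an assumption to be tuned per image.

```python
"""Normalize and triage registry writes like those in the "Windows security
bypass", "Windows security modification" and "Adds Run key" tables.
Added example, not part of the sandbox report."""
import re

# (writing process, registry path as the sandbox logs it, data written).
# The first four records are constructed from the report's indicators; the
# last one is a constructed benign control (an installer registering its updater).
EVENTS = [
    (r"C:\Users\Admin\AppData\Local\Temp\F7E.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss",
     "0"),
    (r"C:\Users\Admin\AppData\Local\Temp\F7E.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe",
     "0"),
    (r"C:\Users\Admin\AppData\Local\Temp\386F.exe",
     r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper",
     r'"C:\Users\Admin\AppData\Local\2a5bdfbc-fe67-4016-9470-48e4bc54a82f\386F.exe" --AutoStart'),
    (r"C:\Users\Admin\AppData\Local\Temp\F7E.exe",
     r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss",
     r'"C:\Windows\rss\csrss.exe"'),
    (r"C:\Program Files\ExampleVendor\setup.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
     r'"C:\Program Files\ExampleVendor\updater.exe" /background'),
]

EXCLUSION_RE = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+)$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Assumed allowlist: top-level directories a stock Windows install populates.
EXPECTED_WINDOWS_SUBDIRS = {"system32", "syswow64", "winsxs", "servicing",
                            "microsoft.net", "systemapps"}


def normalize_key(path):
    """Map the object-manager form the sandbox logs to the usual hive abbreviations."""
    upper = path.upper()
    for prefix, hive in (("\\REGISTRY\\MACHINE", "HKLM"), ("\\REGISTRY\\USER", "HKU")):
        if upper.startswith(prefix + "\\"):
            return hive + path[len(prefix):]
    return path


def image_from_command(command):
    """Executable of a Run value: the quoted path, or the first bare token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def unusual_location(path):
    """True for user-writable trees and for anything under the Windows directory
    that is outside the directories a stock install actually populates."""
    if USER_WRITABLE_RE.search(path):
        return True
    m = re.match(r"^[a-z]:\\windows\\([^\\]+)", path, re.I)
    return bool(m) and m.group(1).lower() not in EXPECTED_WINDOWS_SUBDIRS


def triage(events):
    findings = []
    for process, key, data in events:
        hive_key = normalize_key(key)
        writer_unusual = unusual_location(process)
        m = EXCLUSION_RE.search(key)
        if m:
            findings.append({
                "category": "defender_exclusion",
                "severity": "critical" if writer_unusual else "high",
                "process": process, "key": hive_key,
                "kind": m.group(1).lower(), "excluded": m.group(2),
                "why": ("Defender exclusion written by a binary in an unusual location"
                        if writer_unusual else "Defender exclusion written"),
            })
            continue
        m = RUN_KEY_RE.search(key)
        if m:
            image = image_from_command(data)
            suspicious = writer_unusual or unusual_location(image)
            findings.append({
                "category": "run_key",
                "severity": "high" if suspicious else "low",
                "process": process, "key": hive_key,
                "value_name": m.group(2), "image": image,
                "why": ("autostart entry points at or was written from an unusual location"
                        if suspicious else "autostart entry from a conventional install path"),
            })
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print("%-8s %-18s %s -> %s" % (f["severity"], f["category"], f["key"], f["why"]))
```

The exclusion keys live under HKLM, so the writes require administrative rights; a process from %TEMP% holding those rights and carving out exclusions for directories it has not yet created is the combination that should page someone, independent of any family label the sandbox attaches.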
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1252 set thread context of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\386F.exe | C:\Users\Admin\AppData\Local\Temp\386F.exe |
| PID 2232 set thread context of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\386F.exe | C:\Users\Admin\AppData\Local\Temp\386F.exe |
| PID 1016 set thread context of 1492 | N/A | C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe | C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe |
| PID 1812 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe | C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe |
| PID 788 set thread context of 2172 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240222155939.cab | C:\Windows\system32\makecab.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7957.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vbssutc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vbssutc | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\vbssutc | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe | N/A |
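A `Blob` value under SystemCertificates is the serialized property list Windows keeps for a store entry: a run of records, each DWORD property id, DWORD reserved (always 1), DWORD length, then the value. Property 3 (CERT_SHA1_HASH_PROP_ID) holds the cached SHA-1 thumbprint and property 0x20 (CERT_CERT_PROP_ID) the DER certificate, and the thumbprint doubles as the registry key name. The script below is an added example, not part of the sandbox report: it parses the blob copied from the csrss.exe row, recomputes the thumbprint from the DER and checks it against both the cached hash and the key name, and reads the issuer and subject common names straight out of the DER. The result is the caveat a responder needs here: the certificate written to the ROOT store is DigiCert Global Root G2, a public root, so the "Modifies system certificate store" signature on its own does not establish that an attacker-controlled CA was installed. Treat a store write as an indicator only after the DER has been compared with the expected root in this way.

```python
"""Parse a SystemCertificates registry Blob and check it against the thumbprint
that names the registry key. Added example, not part of the sandbox report."""
import hashlib
import re
import struct

# Blob that C:\Windows\rss\csrss.exe wrote under
# HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9...,
# copied from the report above.
BLOB_HEX = (
    "030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a4"
    "2000000001000000920300003082038e30820276a0030201020210033af1e6a7"
    "11a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b3009"
    "06035504061302555331153013060355040a130c446967694365727420496e63"
    "31193017060355040b13107777772e64696769636572742e636f6d3120301e06"
    "035504031317446967694365727420476c6f62616c20526f6f74204732301e17"
    "0d3133303830313132303030305a170d3338303131353132303030305a306131"
    "0b300906035504061302555331153013060355040a130c446967694365727420"
    "496e6331193017060355040b13107777772e64696769636572742e636f6d3120"
    "301e06035504031317446967694365727420476c6f62616c20526f6f74204732"
    "30820122300d06092a864886f70d01010105000382010f003082010a02820101"
    "00bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef2"
    "3a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac"
    "50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd"
    "2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c"
    "8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77"
    "e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57"
    "147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50a"
    "c46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329"
    "850203010001a3423040300f0603551d130101ff040530030101ff300e060355"
    "1d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee6"
    "0ffafab912ed06178f39300d06092a864886f70d01010b05000382010100"
    "606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f7377"
    "2a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e1"
    "76d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a"
    "3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada"
    "963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b1"
    "8e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe53"
    "46fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d5"
    "6faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6"
)
KEY_NAME = "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4"

# wincrypt.h property identifiers used in the serialized store format.
CERT_SHA1_HASH_PROP_ID = 0x03  # cached SHA-1 thumbprint
CERT_CERT_PROP_ID = 0x20       # the DER-encoded certificate itself
# OID 2.5.4.3 (commonName) followed by a UTF8String or PrintableString tag.
CN_OID_PREFIX = rb"\x06\x03\x55\x04\x03[\x0c\x13]"


def parse_cert_blob(blob):
    """Walk the property records: DWORD prop_id, DWORD reserved (1), DWORD length,
    then `length` value bytes, repeated to the end of the blob."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        value = blob[off:off + length]
        if len(value) != length:
            raise ValueError("truncated value for property 0x%02x" % prop_id)
        props[prop_id] = value
        off += length
    return props


def der_total_length(der):
    """Bytes covered by the outer SEQUENCE (tag, length field and content)."""
    if not der or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def common_names(der):
    """Every commonName in the DER (issuer first, then subject), short-form lengths only."""
    names = []
    for m in re.finditer(CN_OID_PREFIX, der):
        length = der[m.end()]
        names.append(der[m.end() + 1:m.end() + 1 + length].decode("utf-8", "replace"))
    return names


def check_store_entry(blob_hex, key_name):
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    cached = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    actual = hashlib.sha1(der).hexdigest().upper()
    return {
        "property_ids": sorted(props),
        "der_len": len(der),
        "der_complete": der_total_length(der) == len(der),
        "cached_thumbprint": cached,
        "actual_thumbprint": actual,
        "key_matches_cert": actual == key_name.upper() == cached,
        "common_names": common_names(der),
    }


if __name__ == "__main__":
    for field, value in check_store_entry(BLOB_HEX, KEY_NAME).items():
        print("%-18s %s" % (field, value))
```

The same parser applies to the AuthRoot entry written by build2.exe once its blob is available; a mismatch between the recomputed thumbprint and the key name, or a common name that is not a root you expect, is what would turn this signature into a real finding.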
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A (62 further hits, no details recorded) | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\vbssutc | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\F7E.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1E04.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif | N/A |
| N/A (4 hits, no details recorded) | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif | N/A |
| N/A (2 hits, no details recorded) | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | "C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe" |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECB0.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\386F.exe | C:\Users\Admin\AppData\Local\Temp\386F.exe |
| C:\Users\Admin\AppData\Local\Temp\386F.exe | C:\Users\Admin\AppData\Local\Temp\386F.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\2a5bdfbc-fe67-4016-9470-48e4bc54a82f" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\386F.exe | "C:\Users\Admin\AppData\Local\Temp\386F.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\386F.exe | "C:\Users\Admin\AppData\Local\Temp\386F.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe | "C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe" |
| C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe | "C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe" |
| C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe | "C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe" |
| C:\Users\Admin\AppData\Local\Temp\7957.exe | C:\Users\Admin\AppData\Local\Temp\7957.exe |
| C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe | "C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1480 |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\871D.bat" " |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 128 |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\F7E.exe | C:\Users\Admin\AppData\Local\Temp\F7E.exe |
| C:\Users\Admin\AppData\Local\Temp\1952.exe | C:\Users\Admin\AppData\Local\Temp\1952.exe |
| C:\Windows\system32\makecab.exe | "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222155939.log C:\Windows\Logs\CBS\CbsPersist_20240222155939.cab |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit |
| C:\Users\Admin\AppData\Local\Temp\1E04.exe | C:\Users\Admin\AppData\Local\Temp\1E04.exe |
| C:\Users\Admin\AppData\Local\Temp\F7E.exe | "C:\Users\Admin\AppData\Local\Temp\F7E.exe" |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 22141 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 22141\Upgrades.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Meaning 22141\Z |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif | 22141\Upgrades.pif 22141\Z |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.0.0.1 |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\system32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\system32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe" |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\system32\taskeng.exe | taskeng.exe {DBD5BF41-5DD2-4058-8F1D-F140C77CF6EC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\vbssutc | C:\Users\Admin\AppData\Roaming\vbssutc |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| UZ | 195.158.3.162:80 | brusuax.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| UZ | 195.158.3.162:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| MX | 187.156.75.116:80 | habrafa.com | tcp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| MX | 187.156.75.116:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | mahta-netwotk.click | udp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | notmalware.top | udp |
| RU | 5.188.88.181:80 | notmalware.top | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trypokemon.com | udp |
| US | 172.67.185.36:443 | trypokemon.com | tcp |
| US | 8.8.8.8:53 | loftproper.com | udp |
| US | 188.114.96.2:443 | loftproper.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| DE | 185.149.146.82:80 | 185.149.146.82 | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| RU | 185.12.126.182:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | r.l1nc0in.ru | udp |
| US | 172.67.201.20:80 | r.l1nc0in.ru | tcp |
| US | 8.8.8.8:53 | AKDHTrZGmMfGSiQC.AKDHTrZGmMfGSiQC | udp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 8.8.8.8:53 | bbb87345-8c8b-493e-8abe-50d02d7f046e.uuid.localstats.org | udp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
| US | 129.153.86.0:8778 | | tcp |
Files
memory/2768-1-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2768-2-0x00000000001C0000-0x00000000001CB000-memory.dmp
memory/2768-3-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2768-5-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1208-4-0x0000000002BC0000-0x0000000002BD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ECB0.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\386F.exe
| MD5 | 5648348e81a70ef7ab40f963b44713f6 |
| SHA1 | 3e2d708a95de8e53ba4a6b9359cc0cc6dfcddea7 |
| SHA256 | 4bf966f6dd9cb739b073a8bc48f521eb9c35b4f050e799be6eac795fe615263d |
| SHA512 | 899d833a1a43ca6160bfb89775c83a049afaa0e3e8cf48dde112f7de351d307fd194c97ffe3ab0c2e86fc7bb75ed3b3d53b0d95ea1fa80252020153ca4813a8f |
memory/1252-26-0x00000000008A0000-0x0000000000932000-memory.dmp
memory/1252-27-0x00000000008A0000-0x0000000000932000-memory.dmp
memory/1252-28-0x0000000002100000-0x000000000221B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\386F.exe
| MD5 | a18e279f98aaaa58539b477e2e3ee8e8 |
| SHA1 | 0f23e9dbb4c52463407fbd03b4c81b46eeac5074 |
| SHA256 | 9a710d5529063a7fb16e6c1a4fb0eabbba95f783e24bc2cd2acee997459f7084 |
| SHA512 | dadae9fe3fabd62873327a4ea728a76fc5c9dc33db716930e0cbd8e2162cd3513a58549f8b9696d82b7c190677e720f8037ce2dd193d88d02b41d00e4bc13aa4 |
memory/2436-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2436-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\386F.exe
| MD5 | 4a63d28d3bd5fcb5166030842fc85b87 |
| SHA1 | 4bb1c13045bb46ead5099a54f9ff6041e6e071cb |
| SHA256 | 242b5b3e89bbd10b2131dcb88cb032f70c965a616d677a8599eb57af6128b71b |
| SHA512 | 275fbc4e40e1c5718444fb77784000c00a06759b1ac53f55a15bb98b4b5ac7b4a98b48240618d99d227435b272263df93d282c75622000fdd3f5709809591afe |
\Users\Admin\AppData\Local\Temp\386F.exe
| MD5 | 245ff167651a986a8d990a9c43179389 |
| SHA1 | e94c5b646e9f6eced2d531bd6d1499918587d4d4 |
| SHA256 | d9b57420bc9140b61ac48579564a446df435e912d3838509702014c0db775f56 |
| SHA512 | 583b91ba6ea719f803ec669fdb635999d742528d76f83dde8a2006483d12f118db97e06a9d93050d467cbcbaf90a9fca03d90844740a9f8b633abee4ddc4d1fd |
memory/2436-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2436-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2436-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2232-60-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2232-61-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2084-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-69-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 8cfc4b11c6c1a77c77a8b92e2e245606 |
| SHA1 | ce72cc4b26895883e361b181d7d128a2a4dc959a |
| SHA256 | 98fe25f849beb04c2398908cf94ddd32fe1fba8758509bf39784614e2e205ee8 |
| SHA512 | 2ba0f69cfe43c74daca270898cd6ef388ba6bffd090f5be0299524e6baf6d3649f44619af405ee975847eb199db4e3d4041947be9385c309d1940c1628854f5e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | d32350d7b7e01589827debfe8147a629 |
| SHA1 | 4277846e13488f6fe127c0f061448d8b15e425bd |
| SHA256 | da5e416d313099491f937a03edab205c087f327fb7a34cd443d3cb229877f474 |
| SHA512 | 04b149d07501838336d36bf0edbde5ab05e01f4fffcdec431cadcb8d47d74600fc23ba7e16df69a9761071a211215a3536af8bb67809e9a6e259c2dc9dfff990 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 04e1c0fb7c50efaf86ba32ac99af0cd4 |
| SHA1 | 844aeeaba2b3c0a23a3f3580ee9eafde8eee9aa0 |
| SHA256 | 59cd12f0b76ce31550e9068fed1da5c917f8b4361ef4f3c62c9522473162705a |
| SHA512 | 3394f7025fe90250bc8ae1caeba12ec23019a31c1762e5ab757cd874ff33160b1596be9bb079b5641b7476c306c8ebd520fab5f00a0dca06372c67387f21ce40 |
C:\Users\Admin\AppData\Local\Temp\Cab4AA7.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 14bf68be70d3243a2d6e8c6fa0279a88 |
| SHA1 | 0dda267957e48ba89498940f6550ce2c656f4278 |
| SHA256 | c487946caf8e7dcd03d2f5d252df4c460ea770660ad1fbffb390aa1e6c7e5a4e |
| SHA512 | 4ed1304a27c6d9f181094eee40c3f73c072ab2fa2db8cfb2ad8cb875f74404bc841bfb6a8d28483e28e64aecf25004dd9f3615414673a5122345bae354dbd557 |
memory/2084-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-89-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-90-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
| MD5 | c6d3d647baad8a5b93b81d2487f4f072 |
| SHA1 | e9c1105dc41f85d4f7e94d4e004f8427787c8802 |
| SHA256 | 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a |
| SHA512 | 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049 |
memory/1016-105-0x0000000000260000-0x0000000000360000-memory.dmp
memory/1492-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1016-107-0x0000000001B90000-0x0000000001BC6000-memory.dmp
memory/1492-108-0x0000000000400000-0x0000000000649000-memory.dmp
memory/1492-111-0x0000000000400000-0x0000000000649000-memory.dmp
memory/2084-113-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1492-112-0x0000000000400000-0x0000000000649000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar66C0.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2084-131-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7957.exe
| MD5 | a09dfad823cdcbf527bf15aa92769422 |
| SHA1 | 9f1b89154dd4f023c5ab8285a1c7ca628e6a06a7 |
| SHA256 | cd70d31ef5300bdbc9729cd80af1082a1fd089babaf9aa96947d05788749bae9 |
| SHA512 | e5439ce485bdd19ce084d8c3fd698466a4b0b3ab581b98e83cbcf47c9bf2544d01315244fb9f68d080a80f6709198f86bfc7ddbcd4fe8c00134e182c2b093118 |
memory/2620-251-0x0000000000310000-0x0000000000DE7000-memory.dmp
memory/1812-256-0x0000000000220000-0x0000000000224000-memory.dmp
memory/2660-259-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1812-255-0x0000000000930000-0x0000000000A30000-memory.dmp
memory/2660-265-0x0000000000400000-0x0000000000406000-memory.dmp
C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe
| MD5 | 5c883ef6d1ad03173f30db4fc691d0a7 |
| SHA1 | 4007444885a94ad3092e287a196249bc6c1301ef |
| SHA256 | b1e0b896d1cdbe0cfe16d1d6f604640e2b22aeb144eb411086fa31d2073f316e |
| SHA512 | 125b18de452ee08cc42806f15864bb5429403ca696e385d5fb32d87cde841629e12f0d64c308c8ff7444d36c5da71e75fdc66733418bc886cad6a6e9ba7eb816 |
memory/2660-266-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2660-262-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2620-268-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2620-271-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2620-273-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2620-270-0x0000000000310000-0x0000000000DE7000-memory.dmp
memory/2620-274-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2620-275-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-277-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2620-279-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2620-284-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2620-282-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2620-280-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2620-285-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/2620-287-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/2620-289-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/2620-290-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2620-291-0x00000000775B0000-0x00000000775B1000-memory.dmp
memory/2620-293-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2620-296-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-298-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-308-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/1492-322-0x0000000000400000-0x0000000000649000-memory.dmp
memory/2620-323-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-328-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-333-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-339-0x00000000775B0000-0x00000000775B1000-memory.dmp
memory/2620-350-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-363-0x0000000000310000-0x0000000000DE7000-memory.dmp
memory/2620-364-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-377-0x00000000775AF000-0x00000000775B0000-memory.dmp
memory/2620-379-0x0000000000E20000-0x0000000000E21000-memory.dmp
\Users\Admin\AppData\Local\Temp\7957.exe
| MD5 | be294f38a21d9b4e6eb144e06162d299 |
| SHA1 | 4c5537aaa32228fcba8bbcfc02dc4f54112e3b9c |
| SHA256 | a7e580ad02ed67ddbcb3f8b10262cee44b6054f96a535040f5b13b2f0f768ef6 |
| SHA512 | 60dd6c734d632d55ca0d2f0f9baace25e497741f35f009877b426d39f3dffbebb28293ce89be7690be555161179499be38c76c44f875c277b6d388a1aaf3bec3 |
\Users\Admin\AppData\Local\Temp\7957.exe
| MD5 | 6412f45985f8316102d85f3b4fa87d94 |
| SHA1 | d58e122e555c2af2dc381a3f270a2441473ef663 |
| SHA256 | d550f5297471b5413a587e5e9fa8875c5d7f79f278113db3c3f14c92697d060a |
| SHA512 | 884ee423f2200fe9d5ad2926e2e01238928a301b311e97921973ba123cc095401c0105644279b74711a662bc064bbddd67bcb77ad95cdbc66f271e573eec2303 |
\Users\Admin\AppData\Local\Temp\7957.exe
| MD5 | f070aab842aa4396e14585d8c283eb0b |
| SHA1 | 1ff3c1de51843c1eb4b0b2472cfe7103f1de9e66 |
| SHA256 | f8a591aa7b4c0300111159db515193bfa7ba091f105c8ee3ee00b06dd08f8f93 |
| SHA512 | 0cc3f133a280cff38c8be6c0b09ca06635891f3571c2730bf7ce0995fedb4169219ece8a3936ad2db126862caf43ca790d5f8760f2eb4b199302180defb18583 |
\Users\Admin\AppData\Local\Temp\7957.exe
| MD5 | dc316c79793f2940cb2d0b2a3d34d906 |
| SHA1 | 1e1219d3bd665b04628a681a73713dbdec328700 |
| SHA256 | 9b6b57ff04e1108412bc31dc24b8ac0b3a6835422b2c0eb51aac85e2e2894734 |
| SHA512 | 7edb26fbf62549c9fac4285488c032377e93c92f7fc20a968451e2aa99865d5b7b6a60f6486457ae9c13a815cfcd177e53016173a3bad3f8a5cf11e8b31426f0 |
\Users\Admin\AppData\Local\Temp\7957.exe
| MD5 | 0a5cbcde409f211f0a74b20899c93642 |
| SHA1 | cb40f721df063ecfd2310453171d97fee4d3041b |
| SHA256 | 14877cc7f69e4b1833530f36c9bd7ba02774ba8b3dfa09efd048e4e6f6c0dd2f |
| SHA512 | 307bd91e52d1680ccad9df593e71ac20326c90603ff8d0f35c83b87bd8b0615d561a892464b67e911a8e4a45fe2a0c5663affeca66d86cc307e746be8126a218 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 44d4b2b3554d34a4de4bfd1f449d3bc1 |
| SHA1 | 5f3d051a16867f1a31f9d04710e00bb89588d097 |
| SHA256 | 8a03e16d05baf7300a5f166f383061704c77118d0ed2e989deec1a13efc175c4 |
| SHA512 | c7a8ad27681d18d6db627444ac8f3578c44338cd735df829870e4d7584d9a84e0217b1265ea0b363f7885207f711f6c1c6f133204536cb312e1c54d11b187d19 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9db2d9ac6d0e8bbf47f330d1ab3183d |
| SHA1 | 336a815cd0a4643bcc9069d1f56195fced2792b3 |
| SHA256 | 390680d9df9bc9e05a26d48511ca2d9738b0513ddd10f17ab1a2b92467352ddc |
| SHA512 | 941dc02aee8aa12a5d6693760f8f8e41219478a0c1843c2554ee6214e81f86998db927698aef7e971f991a50771b8fdb0112af25a00036540fb1f9f2b10aae42 |
C:\Users\Admin\AppData\Local\Temp\F7E.exe
| MD5 | c9e01ab6208b39a9f1a1253dca7e89bc |
| SHA1 | 5bcba5cc0dc560772f8026cb6dd4f236acbfd8bb |
| SHA256 | 0e1ccfee9b80ca2c36a53cc104ef5e8d3a702dabbcc1daafecca2a7f7db043b8 |
| SHA512 | 4cacf3f7794a8e06ca2da7aaa0bef37009206fde58a5d5ce4326ef84addd7bdbfd7477b437ac6a72fa31023c17e9a7f7079bb0e97ff772d880d090bbb96d1da1 |
memory/2044-480-0x0000000002890000-0x0000000002C88000-memory.dmp
memory/2044-481-0x0000000002C90000-0x000000000357B000-memory.dmp
memory/2044-482-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F7E.exe
| MD5 | 887ab8d1e93ef061e6c8bb9b7d69d609 |
| SHA1 | f44a86d92f94d84ab35fd3edae2e194efc498744 |
| SHA256 | b3fecd566bd0518e95513607278b57afe6b79ce50b3b37966ec8d7f6e33a5f7d |
| SHA512 | d497ef963069d7bacbc6ed85eb95c3b89e346f04751b9d006fb224c4d3bfc64609ddb19081404e70da9adf8a62b4b7cebed0042abd466f5ecc5dbb468a5287a5 |
C:\Users\Admin\AppData\Local\Temp\1952.exe
| MD5 | 0f81629bc70111f74fba07ec424cdfd4 |
| SHA1 | 827ce84d850e15dfd34aadbc82bccac6199c219a |
| SHA256 | 1c6276dab0189565566a3ddb34b6e965e90be730005fcfe4eb1679f4b5710d37 |
| SHA512 | 8d66b9dc5afd1e7ab77079d123c5d44a7991a75c46890dc7800667639cfa1e1ca81f2fcf0886b2c2bc109e3c22703a18bb7322e7b6d29b37ddaa8e1a0d01b713 |
C:\Users\Admin\AppData\Local\Temp\1952.exe
| MD5 | 790388875e58943ba5d1784587db5b66 |
| SHA1 | f089904c843d22f19e5b4e596befb88bd3041fff |
| SHA256 | e050b2db6fd3b51463bb2d65fb32f96b2fdaa042c7067e9257352a935807035b |
| SHA512 | 3dcb1bec490ec59447943ea1c505b317a9468d99b2c6b82c676f99d073f2460f0ae78f0bfef1302f966dfbab13fef116b9b2a6494408f353bf8542e7ce7eb54f |
C:\Users\Admin\AppData\Local\Temp\1E04.exe
| MD5 | 3d3ae7c2eddea19c3146543b95cdda7e |
| SHA1 | ea36133e7bfc1b57cd8e78a6daf24f59526ceba0 |
| SHA256 | 1f2a148765b1ef3247ca4312ea8d1460673744448ebd4559377eabd1ca1702f2 |
| SHA512 | 2ee471f0e0423610dbac9f9d472d529d0b9da22f7ca45ae973a80080920f9ac04342051ad16858918ac4bbab48068b16d78d4d177b8a029c21dde509e333c775 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Unlikely
| MD5 | 19bc1bbe515dee767f02d503fa9d2cff |
| SHA1 | acc900deea8e8eff4e1bda1ac2c89aa70ef0e7f9 |
| SHA256 | 51ad4dc19fa436ac00a8b019da9ca49f30dcfe31d9aee0aabbb037fd10bca367 |
| SHA512 | fd0b3d6a867d8c7923d1166f546d4e14db0209df8d13dc46e9d08578ee78d4fc8739638e01f456f542cc383a2d086ed600931a8e889dcb1c4eb93d3cfe3a3dac |
memory/2592-509-0x0000000001150000-0x000000000115A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F7E.exe
| MD5 | 51824fe4775131e620f669195052f140 |
| SHA1 | fc4f80342fd1e26fed2a05bfb32ea4592b68a452 |
| SHA256 | e1fe1724035c6f4a0621c70dd2172c3621ee11294b9993d2bf67180f9dbfdb63 |
| SHA512 | a5b5bc48f577a0b51e7f5bd852c7290b61e5a2a26049a3c929203322c8b2da33f6db5f513df6523965342ac61882e2a94050436e70907c9c570b537d4443a307 |
memory/2592-512-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp
memory/2044-513-0x0000000002890000-0x0000000002C88000-memory.dmp
memory/2044-514-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2044-515-0x0000000002C90000-0x000000000357B000-memory.dmp
memory/1808-517-0x0000000002610000-0x0000000002A08000-memory.dmp
memory/2592-518-0x0000000000150000-0x00000000001D0000-memory.dmp
memory/1808-519-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cambodia
| MD5 | 4e9db9155039f5a6a04e16a6a6bfe3b0 |
| SHA1 | b293c7fe05d7e92ce7d9cc6f36940eba14f5d460 |
| SHA256 | bd3cd1801a2c226c63186f6fe3182fff1847609c5d99ca22209c7e9dbdd3db2d |
| SHA512 | 8692e29ec7717ddad30ea365bd4408a178f1d3ff7f7c3535f8ba1545ffdcfe78ae108259d4feb81b1ca819eedf4ef79531103512d29f7fd0fd8146beb14e854a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Meaning
| MD5 | a6c58504594ab91fc0ca6102abd10e80 |
| SHA1 | 03edc02d3806aa46d5e4c3c1aa8b6cff1b5c80f6 |
| SHA256 | b07a3cb7f4af841db56d43b6d8d35aea563993b8e0ec6d921eab372f637260f7 |
| SHA512 | 07d68c06afc66c71b04da74d387536cd800f7dcda422f4b67dbff60ba2b883fa360e9292190655448fc130d1ebbeb31af828ee1ba279f904b2a7e556dbb8f1ea |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Movements
| MD5 | d7563558933a24bd74f0254272cf7830 |
| SHA1 | 6982d08318ff2204d3714ce12d68a99b4f726fe7 |
| SHA256 | 1b11dc628b44a4982b7b13891fae62471a380eb2973af359655cf65254ac5a7e |
| SHA512 | fccdc060fd5ddd9b3892f82c343dcd80fdbc1bc24a24c50e9f86a1d917867c2b4189a3d4d6762daf8e9c719b999988a0d568f481c09802c5168010c490fdfcb5 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Passwords
| MD5 | 334f84837c9bcece9220e2c979503f68 |
| SHA1 | bdbdc63f1b85f72f8cf487dec6aaeb98e352c283 |
| SHA256 | 10dfb698a8c05eff79092b546608c15e7df803d4aa759090509da6d5d96373d7 |
| SHA512 | 37c3315a16d9f0e8ab044415a61220e2fa180e6f70f85435de7ccd7d1dcde84a0c13d48f670204e02ba7cfbe892a76f2efa979717b6b2b844a15aea0a845dcbb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Td
| MD5 | e32d058720e98d0fab73018ce1753b55 |
| SHA1 | f6b431cf3f225c3563591fbec4af922f6bff05d9 |
| SHA256 | 1cf7bcef592ee857c079e82d39a1c371868597ee1c33e692556d780b5040b83b |
| SHA512 | 8f259f0f2eccbe01dc4efe5d4ad34a94dcb0b97f20c3f36c6b7e6c24c14a73fbb6aeefc11e76142cdba83f9bf1dd4d0647bcd1ad2d3a6780e063c48d872caa11 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Here
| MD5 | 1e7e25167c2a8f93c2d176e935b21834 |
| SHA1 | 95b93372222ebde1bed0e0efec167bdda7ef04bc |
| SHA256 | d022378a9b3074cf3fb5ea080588846c0aaadb2112cfd5554a0068e76cdd5736 |
| SHA512 | 503f7b6797182ed5f1ef42d3b52b2815e140ebed505fc9b81ee8f920e49c36f379881c1a51afb4b398c9577a583155a0d2c66ca6cdaf303ac9538746571efdb1 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
memory/2744-533-0x00000000775A0000-0x0000000077676000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | ae231696f3881fbad392e099078f223f |
| SHA1 | 97d4fd4c453ff0545fb14338c122fb67686cb8de |
| SHA256 | 19464fa457d109161bc4f7dca82d33b62d2dab2894900f074e44192638e7353b |
| SHA512 | 2805db3c3a1e0af99f3efce395f9a59922a7580b5c889c92c31739d06fc5a05c76b6076f42056b0199b65299aec5930d45211a126f5a9213b7f98c2982edb1d7 |
\Windows\rss\csrss.exe
| MD5 | ec49db40704b62847fe17043f0c4d523 |
| SHA1 | 781aa33cb6352381dfef0412fcbe9610d0b668dc |
| SHA256 | 617333a54f23391c90cd5ed9ccdb254750a2002a67836f99c1c43d9739ae7c4f |
| SHA512 | f5f881faacc0aa4f27c7ecedd9d2f03908be13a54574282f3f7b10a890c7f9b2b8e75b85012edd821750a7e889a5bf4850f5c65cc320a1848c422f9210fa79a3 |
C:\Windows\rss\csrss.exe
| MD5 | 930b4cc39b36524b6ab351b7dc64d7d7 |
| SHA1 | 5fe06023c97aa952a0e68f99d826f7e91b425e1e |
| SHA256 | 2fc86747e3b006c2f3e79d73eba67c4d7349d78a14a3cf0c875256278cea418a |
| SHA512 | bffb8dd35d1adf88fe4d9534d40ebeec1d36f55337887b6960904c252d9da550cada47d372eda44961218926fc8aa530946cf1802dd0b832337359a905c3c1f1 |
memory/1808-546-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1800-550-0x0000000002A40000-0x000000000332B000-memory.dmp
memory/1800-549-0x0000000002640000-0x0000000002A38000-memory.dmp
memory/1800-551-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | f80e509cc96d8724a591774c0239a57f |
| SHA1 | 59281be9066e091e08551230cb967a5242e60ac3 |
| SHA256 | 17c24ffd867bc11c5990ac44c49ae2cc3341279bfb4f80c8a32c26184f557b88 |
| SHA512 | 9259e093bfde6a725764efdcb8aa57f9f4a0b9de89f654f8af243552ca64450ea72483f12fec9f047a90f3fefb19415d647bf3fc5304f972e6d31e60f27ec903 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/1396-558-0x00000000004A0000-0x0000000000A88000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | c41c3be9c15587a82952179c1c4467e3 |
| SHA1 | 4015bd6d980e260c3bf759c37ef1463fd4d88bc2 |
| SHA256 | ab3ca69ff0282d028f4b8460e921d37553e98ebf12c6a9f8c6741875d889e9d3 |
| SHA512 | 17c69a1d66c53d82036806e82fe849570052853839eeefde1f9cb4ec5e3628ed7dc3d06d453b9f35fd7cf51abb8006c78322841ad37829d6b87638fc7060f4a5 |
memory/1396-569-0x0000000000620000-0x0000000000C08000-memory.dmp
memory/2592-588-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp
memory/2456-630-0x00000000005E0000-0x00000000006E0000-memory.dmp
memory/2456-631-0x0000000000400000-0x000000000044A000-memory.dmp
memory/2592-645-0x0000000000150000-0x00000000001D0000-memory.dmp
memory/2456-649-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1800-656-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/788-657-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/1396-663-0x00000000004A0000-0x0000000000A88000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 15:57
Reported
2024-02-22 16:00
Platform
win10v2004-20240221-en
Max time kernel
122s
Max time network
155s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a8e0840e-b118-40a3-b971-b20f5d38d0bf\\BF98.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Stealc
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A5C6.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8A8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A5C6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A809.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rjfavwt | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a8e0840e-b118-40a3-b971-b20f5d38d0bf\\BF98.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | N/A | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4568 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\BF98.exe | C:\Users\Admin\AppData\Local\Temp\BF98.exe |
| PID 3600 set thread context of 4696 | N/A | C:\Users\Admin\AppData\Local\Temp\BF98.exe | C:\Users\Admin\AppData\Local\Temp\BF98.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BF98.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rjfavwt | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rjfavwt | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rjfavwt | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | N/A | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\A809.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe
"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A96F.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\BF98.exe
C:\Users\Admin\AppData\Local\Temp\BF98.exe
C:\Users\Admin\AppData\Local\Temp\BF98.exe
C:\Users\Admin\AppData\Local\Temp\BF98.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a8e0840e-b118-40a3-b971-b20f5d38d0bf" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\BF98.exe
"C:\Users\Admin\AppData\Local\Temp\BF98.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\BF98.exe
"C:\Users\Admin\AppData\Local\Temp\BF98.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 568
C:\Users\Admin\AppData\Local\Temp\8A8.exe
C:\Users\Admin\AppData\Local\Temp\8A8.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCF.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\9847.exe
C:\Users\Admin\AppData\Local\Temp\9847.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\A5C6.exe
C:\Users\Admin\AppData\Local\Temp\A5C6.exe
C:\Users\Admin\AppData\Local\Temp\A809.exe
C:\Users\Admin\AppData\Local\Temp\A809.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\cmd.exe
cmd /c md 22108
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 22108\Upgrades.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Meaning 22108\Z
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif
22108\Upgrades.pif 22108\Z
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\9847.exe
"C:\Users\Admin\AppData\Local\Temp\9847.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Roaming\rjfavwt
C:\Users\Admin\AppData\Roaming\rjfavwt
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Network
Files
C:\Users\Admin\AppData\Local\Temp\A96F.bat
C:\Users\Admin\AppData\Local\Temp\BF98.exe
C:\Users\Admin\AppData\Local\Temp\8A8.exe
C:\Users\Admin\AppData\Local\Temp\9847.exe
C:\Users\Admin\AppData\Local\Temp\A5C6.exe
C:\Users\Admin\AppData\Local\Temp\A809.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ymgg1wq.hjs.ps1
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Unlikely
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Here
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cambodia
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Movements
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Passwords
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Td
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Meaning
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
memory/5080-181-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/5080-182-0x0000000002A10000-0x0000000002E18000-memory.dmp
memory/5080-183-0x0000000002E20000-0x000000000370B000-memory.dmp
memory/4040-184-0x0000000076E91000-0x0000000076FB1000-memory.dmp
memory/3480-185-0x0000000008030000-0x000000000803E000-memory.dmp
memory/3480-186-0x0000000008040000-0x0000000008054000-memory.dmp
memory/3480-187-0x00000000087C0000-0x00000000087DA000-memory.dmp
memory/3480-188-0x00000000087A0000-0x00000000087A8000-memory.dmp
memory/3480-191-0x0000000074020000-0x00000000747D0000-memory.dmp
memory/5080-193-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3340-195-0x0000000002B30000-0x0000000002F2E000-memory.dmp
memory/3340-196-0x0000000002F30000-0x000000000381B000-memory.dmp
memory/3340-197-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1040-198-0x00007FF9A2590000-0x00007FF9A3051000-memory.dmp
memory/4084-199-0x00000000740E0000-0x0000000074890000-memory.dmp
memory/4084-200-0x00000000047B0000-0x00000000047C0000-memory.dmp
memory/4084-201-0x00000000047B0000-0x00000000047C0000-memory.dmp
memory/4084-207-0x0000000005550000-0x00000000058A4000-memory.dmp
memory/4084-212-0x0000000006150000-0x000000000619C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | da81748d347711407a31e7ea5fef66dc |
| SHA1 | 1f0a4a7b9d8892fa34a7569ce323183d564fbea3 |
| SHA256 | cd1f7873de189b7c34e7b2e407d8b268ed0ead2a6a65ce5a145413a1f8804111 |
| SHA512 | 985d2b955a2e2021af859b71610f9edd5e3928775b7d23414168bde45690e16d4890b1dde0691b46e2a9cc57a4014dab790098926e1c3ef16ca1eb8b0c0d1516 |
memory/3340-245-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d8d1797059f662603821d6a51032a0b4 |
| SHA1 | da78a56bfd5c5b5a8dbeb70035c8dcd72f973779 |
| SHA256 | bff9fa28def49691f88fb266a22a78aec9b843ddc71fbf11717a5738b4cdb86d |
| SHA512 | 5bbae5d8bbbc0c59ca117c498f127eb5df7c40872938471adabfdc54cecc9c3d5096f63c79ca7caf1318a401bd0d4bf80fbc84fcc5af7733fa65269f52668822 |
memory/3340-293-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8a783818152b8ca1b50a7ffe53c1a906 |
| SHA1 | 79fa580d6e772f76c856e07e8c748314c1e27926 |
| SHA256 | 26d3adf7093d808ba85a9a26182488fcb11e721594a159ad26be1b2790df55e5 |
| SHA512 | f821b31dd01c66e24229885783e20b1c74a167a261baaadf9a85c3f83ec1bd187019bee97a8d63063e67a17a92d145a5126fccc39548a2d4144d8f75d232da85 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9d25225958b4aa7dee7fd90644821309 |
| SHA1 | 588edfafac9e69757867d4c37749c1cb8ce8a5a8 |
| SHA256 | 36f08cb16f7cbcb6ddfdd049983c54e195756c32717c641cf3ea1faa339dcb15 |
| SHA512 | 1ba68a164746d83b830c94fa133f4074a3e0b7f3e841beede380ec8a0f3f3cba678fad080e8c28d4a1324798f8191d84f4565ca58b6b2b41d4b5f57d4eca401a |
C:\Users\Admin\AppData\Roaming\rjfavwt
| MD5 | 6958acc382e71103a0b83d20bbbb37d2 |
| SHA1 | 65bf64dfcabf7bc83e47ffc4360cda022d4dab34 |
| SHA256 | 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164 |
| SHA512 | ebfa8b6986630b3502409d38cdff54881e4bce48511c7ba4f027345296c29708112c19ec6c9181c4b0188fa1f5cbe17b3c5d44dc07f33858323c677ef9caaeae |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b4901204e06572a0563ed0a8893c1dc5 |
| SHA1 | d488d30d7fb96b4b9a96cdf2f5b5d6599a6eb50a |
| SHA256 | bae5e8b8ee49f6557570ff871d5d1cd4ca26629ba2efca4fd9f3960d74789159 |
| SHA512 | 7cd07b3db4741689889508cfe855c2a1107e39567822712001cbe69c6db719b3b427641cbf80568e835b8b6b2d9f2290435e077537700ef8c068981a7e3f7694 |
memory/3256-393-0x00000000007A0000-0x00000000007B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2880-398-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4092-400-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4092-401-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4040-403-0x0000000004F20000-0x0000000005167000-memory.dmp
memory/4040-404-0x0000000004F20000-0x0000000005167000-memory.dmp
memory/4040-405-0x0000000004F20000-0x0000000005167000-memory.dmp
memory/4040-406-0x0000000004F20000-0x0000000005167000-memory.dmp
memory/4040-407-0x0000000004F20000-0x0000000005167000-memory.dmp
memory/4092-410-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
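The dropped-file entries above are a flat listing: a path line followed by pipe-delimited hash rows, interleaved with `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` dump names. The script below is an added example (not part of this report or of any sandbox's code) showing how a triage analyst turns that listing into something checkable: it parses the records, validates hash lengths, flags dropped files whose SHA256 equals the submitted sample's (the `Roaming\rjfavwt` copy), lists paths that were written more than once with different content (the repeated `StartupProfileData-Interactive` entries), and groups memory-dump ranges that recur across processes (the `0x400000-0xD1C000` image region in PIDs 5080, 3340 and 4092). The embedded input is an excerpt copied from the listing above with the SHA512 rows omitted for brevity; the sample SHA256 constant is the value the report's overview gives for the submitted file. Function and constant names are the example's own.

```python
import re
from collections import defaultdict

# Excerpt copied from the dropped-file listing above (paths, hash rows and
# memory-dump names as the report prints them); SHA512 rows are left out
# only to keep this sample short.
LISTING = r"""
C:\Users\Admin\AppData\Roaming\rjfavwt
| MD5 | 6958acc382e71103a0b83d20bbbb37d2 |
| SHA1 | 65bf64dfcabf7bc83e47ffc4360cda022d4dab34 |
| SHA256 | 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | da81748d347711407a31e7ea5fef66dc |
| SHA256 | cd1f7873de189b7c34e7b2e407d8b268ed0ead2a6a65ce5a145413a1f8804111 |
memory/3340-245-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d8d1797059f662603821d6a51032a0b4 |
| SHA256 | bff9fa28def49691f88fb266a22a78aec9b843ddc71fbf11717a5738b4cdb86d |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
memory/5080-181-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4092-400-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3480-173-0x0000000007FD0000-0x0000000007FE1000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
"""

# SHA256 the report's Analysis Overview gives for the submitted file.
SAMPLE_SHA256 = "078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164"

PATH_LINE = re.compile(r"^[A-Za-z]:\\")  # Windows drive path starts a record
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Expected hex length per algorithm; a row that does not fit is reported, not trusted.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Return (files, dumps, problems).
    files: [{'path': str, 'hashes': {algo: hex}}], dumps: [{'pid','seq','start','end'}],
    problems: lines that were malformed or could not be attached to a record."""
    files, dumps, problems = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_NAME.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None  # a dump name closes the preceding file record
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, value = m.group(1), m.group(2).lower()
            if current is None:
                problems.append(f"hash row with no preceding path: {line}")
            elif len(value) != HASH_LEN[algo]:
                problems.append(f"{current['path']}: {algo} has {len(value)} hex chars")
            else:
                current["hashes"][algo] = value
            continue
        if PATH_LINE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        problems.append(f"unrecognised line: {line}")
    return files, dumps, problems


def copies_of_sample(files, sample_sha256=SAMPLE_SHA256):
    """Dropped files byte-identical to the submitted sample (self-copies for persistence)."""
    return [f["path"] for f in files if f["hashes"].get("SHA256") == sample_sha256.lower()]


def paths_with_multiple_hashes(files):
    """Paths that appear more than once with differing content -> number of distinct versions."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            seen[f["path"]].add(f["hashes"]["SHA256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


def regions_in_multiple_pids(dumps):
    """(start, end, size) of dump regions recorded in more than one process -> sorted PIDs."""
    pids = defaultdict(set)
    for d in dumps:
        pids[(d["start"], d["end"])].add(d["pid"])
    return {(s, e, e - s): sorted(p) for (s, e), p in pids.items() if len(p) > 1}


def iocs(files):
    """Deduplicated SHA256 -> first path seen, ready for a blocklist."""
    out = {}
    for f in files:
        h = f["hashes"].get("SHA256")
        if h and h not in out:
            out[h] = f["path"]
    return out


if __name__ == "__main__":
    files, dumps, problems = parse_listing(LISTING)
    print("self-copies of sample:", copies_of_sample(files))
    print("rewritten paths:", paths_with_multiple_hashes(files))
    for (s, e, size), pids in regions_in_multiple_pids(dumps).items():
        print(f"region {s:#x}-{e:#x} ({size:#x} bytes) dumped from pids {pids}")
    print("distinct SHA256 IOCs:", len(iocs(files)))
    print("problems:", problems)
```

Running it on the full listing rather than the excerpt gives the same three signals at larger scale: the `Roaming\rjfavwt` file is the only exact copy of the sample, the PowerShell `StartupProfileData-Interactive` file is rewritten several times with different content, and the `0x400000-0xD1C000` range recurs in three PIDs, which is worth comparing against the dropped PE files before treating any one dump as the unpacked payload.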