Analysis Overview
SHA256
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Threat Level: Known bad
The file 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Vidar
Windows security bypass
Detected Djvu ransomware
Glupteba payload
Glupteba
Detect Vidar Stealer
Detect ZGRat V1
Lumma Stealer
DcRat
SmokeLoader
ZGRat
UPX dump on OEP (original entry point)
Detects executables referencing many varying, potentially fake Windows User-Agents
Detects executables packed with Themida
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects executables containing artifacts associated with disabling Windows Defender
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
Modifies boot configuration data using bcdedit
Detects Windows executables referencing non-Windows User-Agents
Detects executables Discord URL observed in first stage droppers
Detects executables containing URLs to raw contents of a Github gist
Downloads MZ/PE file
Drops file in Drivers directory
Possible attempt to disable PatchGuard
Modifies Windows Firewall
Windows security modification
Modifies file permissions
Themida packer
Loads dropped DLL
Checks BIOS information in registry
Deletes itself
Checks computer location settings
Executes dropped EXE
UPX packed file
Manipulates WinMonFS driver.
Checks whether UAC is enabled
Manipulates WinMon driver.
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 04:52
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 04:52
Reported
2024-02-23 04:55
Platform
win10v2004-20240221-en
Max time kernel
55s
Max time network
152s
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e19f04c4-8074-4828-b230-339c6deeea58\\5F81.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5F81.exe | N/A |
Detect ZGRat V1
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
Lumma Stealer
SmokeLoader
ZGRat
Detects Windows executables referencing non-Windows User-Agents
Detects executables Discord URL observed in first stage droppers
Detects executables containing URLs to raw contents of a Github gist
Detects executables containing artifacts associated with disabling Windows Defender
Detects executables packed with Themida
Detects executables referencing many varying, potentially fake Windows User-Agents
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\722F.exe | N/A |
UPX dump on OEP (original entry point)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\722F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\722F.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5F81.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\722F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AC6B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BD36.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e19f04c4-8074-4828-b230-339c6deeea58\\5F81.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5F81.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\722F.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\722F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2680 set thread context of 2328 | N/A | C:\Users\Admin\AppData\Local\Temp\5F81.exe | C:\Users\Admin\AppData\Local\Temp\5F81.exe |
| PID 320 set thread context of 1480 | N/A | C:\Users\Admin\AppData\Local\Temp\5F81.exe | C:\Users\Admin\AppData\Local\Temp\5F81.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5F81.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe
"C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4949.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\5F81.exe
C:\Users\Admin\AppData\Local\Temp\5F81.exe
C:\Users\Admin\AppData\Local\Temp\5F81.exe
C:\Users\Admin\AppData\Local\Temp\5F81.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e19f04c4-8074-4828-b230-339c6deeea58" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\722F.exe
C:\Users\Admin\AppData\Local\Temp\722F.exe
C:\Users\Admin\AppData\Local\Temp\5F81.exe
"C:\Users\Admin\AppData\Local\Temp\5F81.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\5F81.exe
"C:\Users\Admin\AppData\Local\Temp\5F81.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 568
C:\Users\Admin\AppData\Local\Temp\AC6B.exe
C:\Users\Admin\AppData\Local\Temp\AC6B.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B0C1.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\BD36.exe
C:\Users\Admin\AppData\Local\Temp\BD36.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\D2F1.exe
C:\Users\Admin\AppData\Local\Temp\D2F1.exe
C:\Users\Admin\AppData\Local\Temp\BD36.exe
"C:\Users\Admin\AppData\Local\Temp\BD36.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4092 -ip 4092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4092 -ip 4092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 444
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
Files
memory/4540-138-0x0000000007790000-0x00000000077D4000-memory.dmp
memory/3760-139-0x0000000004430000-0x0000000004832000-memory.dmp
memory/4540-140-0x0000000003240000-0x0000000003250000-memory.dmp
memory/4540-141-0x0000000007B50000-0x0000000007BC6000-memory.dmp
memory/4540-142-0x0000000008250000-0x00000000088CA000-memory.dmp
memory/4540-143-0x0000000007BF0000-0x0000000007C0A000-memory.dmp
memory/3760-144-0x0000000000400000-0x00000000026B5000-memory.dmp
memory/3760-145-0x0000000004840000-0x000000000512B000-memory.dmp
memory/4540-146-0x000000007F150000-0x000000007F160000-memory.dmp
memory/4540-147-0x0000000007DA0000-0x0000000007DD2000-memory.dmp
memory/4540-148-0x0000000070230000-0x000000007027C000-memory.dmp
memory/4540-149-0x0000000070970000-0x0000000070CC4000-memory.dmp
memory/4540-159-0x0000000007D80000-0x0000000007D9E000-memory.dmp
memory/4540-160-0x0000000007DE0000-0x0000000007E83000-memory.dmp
memory/4540-161-0x0000000007ED0000-0x0000000007EDA000-memory.dmp
memory/4540-162-0x0000000007F90000-0x0000000008026000-memory.dmp
memory/4540-163-0x0000000007EF0000-0x0000000007F01000-memory.dmp
memory/4540-164-0x0000000007F30000-0x0000000007F3E000-memory.dmp
memory/4540-165-0x0000000007F40000-0x0000000007F54000-memory.dmp
memory/4540-166-0x0000000008030000-0x000000000804A000-memory.dmp
memory/4540-167-0x0000000007F70000-0x0000000007F78000-memory.dmp
memory/3760-168-0x0000000000400000-0x00000000026B5000-memory.dmp
memory/4540-171-0x0000000074370000-0x0000000074B20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BD36.exe
| MD5 | 8087bd40225e2762f94848400c089345 |
| SHA1 | 88543aca50abb65925d574b0ff5f9726cf215799 |
| SHA256 | 06b753a45dcf8b194fcbb050c02e51c15240e1a43f64256a993cf41f12284655 |
| SHA512 | a023b743eb23d1ce420b0a940ff742489a67869dc9ad03141865b1500d0a517b493b4f381e65db9ccdefec8c12dfa76a935a864e45e336f845e07f260c57754a |
memory/3760-173-0x0000000000400000-0x00000000026B5000-memory.dmp
memory/4892-175-0x00000000043C0000-0x00000000047BC000-memory.dmp
memory/4892-176-0x0000000000400000-0x00000000026B5000-memory.dmp
memory/728-177-0x0000000074370000-0x0000000074B20000-memory.dmp
memory/8-179-0x0000000004560000-0x0000000004570000-memory.dmp
memory/8-180-0x0000000004560000-0x0000000004570000-memory.dmp
memory/728-181-0x0000000005410000-0x0000000005420000-memory.dmp
memory/8-178-0x0000000074370000-0x0000000074B20000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3482b977d4a441e97aefd93eb2529029 |
| SHA1 | 7775b52c5b1515f90b38fa21671f42562589b06f |
| SHA256 | dbc8a07ede596b7b012f181ddb44b8630dd4c39c3da9649f73b2d263a980362f |
| SHA512 | 6a3597adfaefb81070f2e8ce66bdc4c01b1ba6047e7e67cb9c92ff41c76f92faaf9b8931ab278b3bc058882bce0f8900d663195c1a98e41e7bff9328b576ef3c |
memory/4892-241-0x0000000000400000-0x00000000026B5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7b9e660c8584b01c7fb1498aecd2ab45 |
| SHA1 | 958d74e31f1cdbba022437fade9d2f889ef0da3a |
| SHA256 | b2b43de8bdf6e6035a47becaaddb9178be87fc7945d1c555da82b694c14074b3 |
| SHA512 | 7852a2760cd1bdc7e544293fd64fcec030b49e4c84588367dd74ad85cad7a13e5e33b0c2fe93f7abb5dc59012ba75f9f472f3a004119b6f5b59b66a761b4ec18 |
C:\Windows\rss\csrss.exe
| MD5 | b826e65ea12cba211f3f95024b6c0362 |
| SHA1 | 98f88940e219a51ecd82bab1260589de862ba70b |
| SHA256 | d872db938a92a51863ba12b2eab60132549c64427d2ab67e2ae7cf4d4f6f2cca |
| SHA512 | d7d1f89525414e7ea6b5d953f3a69b22bae0698f0f5f8b3187e124989e39aaf3ade0a84a914c27407613adf2eab576162771d4ef8c358b184d78c81886bc0a06 |
C:\Windows\rss\csrss.exe
| MD5 | 0612a6bb97216f5764ce118550d89cf3 |
| SHA1 | a4f96ad91852e235f97a5acfa074b5d05d628bd5 |
| SHA256 | c511c98687c5ba5ff398d8aa663c9021a74c69b63d956c1136b29fe727963261 |
| SHA512 | 67cbfe43e825bf66fb43d68feaea50d7334782d9482724d2c547e19b592b42a24a87b6e58f0c9897780b146c59a632809398c4933d5a4447091f192b2060aec5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b298a8f50113f6b99e1f7a8fe40a9426 |
| SHA1 | d276a162998c37005075e94955dbdc92d552bfed |
| SHA256 | 7ad2c7a203293845d50de708f5d91bcd757e2709f6f6e8ca1b2782c533302218 |
| SHA512 | d1e6d1ec9c13aec32f4aa7b2a3dd4754514ae9f4aa93d894b0e23a485dcfeb14a1e580a1cf5d7c00a8aabcd875d107e89f5762cbf872b94a4c99b4dcd05201c5 |
memory/4892-305-0x0000000000400000-0x00000000026B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 82c4219f640000157e5fc4337e44d7cd |
| SHA1 | 0ef69e21826deecb2c4560bc9fadf1f96a8c1af3 |
| SHA256 | 11787f554123a7601d7e09307d9732137c73bf91292f91722d5b0bdcc21dc458 |
| SHA512 | 1504daae1888fb006126529513a999332777f59d68029cda4e61daaeeaa96ddfe42e7c3bfaf2ecdeb1da587a7dbbc08c51076d928935cad3902a59d05a492b0b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 35f48b37b779b9a24bdf8d4e7aee7d66 |
| SHA1 | 7eeac539ba3c28cb8404bec279ba043be9f48b37 |
| SHA256 | 046be9561c2a0ad4a83af802e9978bbbb1421aabcf4cc19f5ed026d913e08c10 |
| SHA512 | 8e1f24c76e1a8452c3d43b08a789a9b790418d22ddb1db5f790fecd208341d128b02ebfaca26e74fc9f1e12abc1bd49486cbf74370e38c3d8af0e913941f3ee9 |
memory/4092-333-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4092-337-0x0000000000400000-0x000000000046D000-memory.dmp
memory/4092-343-0x0000000003E20000-0x0000000004220000-memory.dmp
memory/4092-347-0x0000000003E20000-0x0000000004220000-memory.dmp
memory/4092-359-0x00007FF9C93F0000-0x00007FF9C95E5000-memory.dmp
memory/4092-362-0x00000000757B0000-0x00000000759C5000-memory.dmp
memory/1292-363-0x0000000000B10000-0x0000000000B19000-memory.dmp
memory/1292-367-0x0000000002990000-0x0000000002D90000-memory.dmp
memory/1292-368-0x00007FF9C93F0000-0x00007FF9C95E5000-memory.dmp
memory/1292-371-0x00000000757B0000-0x00000000759C5000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7b9a6cb1311ee36fbdb19cc4e58136d7 |
| SHA1 | 3c3732dd7c9cc9006d18357b17eaf7d8f2702344 |
| SHA256 | eed8adfa333c6cb10a08f11de650c9ffc6524a3f93740fc6ef66a439bd8cf0a5 |
| SHA512 | 42cf295708826d3fc16440265abad3160cae3b32f3a94cbede0575e3bfab29e9a64e09042d44334a7659a00969f3cb45733b6c17af799777de61f8ca1ecc012a |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 4a5a6a87a19b5d2294ebf7273ab45573 |
| SHA1 | ba14af46d8a6c5f8f34cfa2449b04b110f5407b0 |
| SHA256 | e6344e3e4b21bd3019c32be8ff7126f6d07c8b1e9c5d40598c9a980f4f600366 |
| SHA512 | 42f407e684d42b29a2161bcf7c819612a2d1f6ee235b91016b44e8ee9e896904cf646db4a1b2f76ee75f6cf7fc8059fb68732a527d6e44f47cf9a94586060e27 |
C:\Windows\windefender.exe
| MD5 | 9c3b3a98fd870363f69e11b66a6f90b8 |
| SHA1 | 6a12b5a19bdcc480cbfc83e55668cb398b965937 |
| SHA256 | 72d76d5afd7719696b1f96002ef6ca20e0b43b2cdfe42d87162d9901675ade15 |
| SHA512 | 2b400d8d38ef3e0d7690134b9289ebdc912cf4f5205c2895d97b115e41cb029765d24676a809e389a1ced93e2574c8e69b462e5f1595e58dcbc0e45e4706a949 |
C:\Windows\windefender.exe
| MD5 | eddc6f06b5ef409767af4e0a130b87b9 |
| SHA1 | 04ddc8d8306d2408fd2c0ffffe78c2e47e56ee44 |
| SHA256 | 1cbd4330ebae855534fb2914b19a639d709b555c4cdd8789752d2e8265ddba23 |
| SHA512 | 271cc91edea6e64638c696a85c88bba6fc5a76b50a31e399be81a8e329588d90cc4cbb068cf43427284576d27bcdf37f0faa98d3d48fc33879fcd66f88fd1950 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 04:52
Reported
2024-02-23 04:55
Platform
win7-20240221-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C5D6.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with Themida
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many varying, potentially fake Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2D96.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2D96.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2D96.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C5D6.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\68841b03-089d-42ba-93dc-578fb8c6266d\\146C.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\146C.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\2D96.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMon driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2D96.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2636 set thread context of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\146C.exe | C:\Users\Admin\AppData\Local\Temp\146C.exe |
| PID 2368 set thread context of 948 | N/A | C:\Users\Admin\AppData\Local\Temp\146C.exe | C:\Users\Admin\AppData\Local\Temp\146C.exe |
| PID 1840 set thread context of 1048 | N/A | C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe | C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe |
| PID 1168 set thread context of 2144 | N/A | C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe | C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe |
| PID 2692 set thread context of 2968 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240223045346.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ACF3.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (duplicate blob value elided) | C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
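The three keys written above are named for SHA-1 thumbprints, and the DER inside each Blob carries the subjects DigiCert High Assurance EV Root CA (5FB7EE...), DigiCert Global Root G2 (DF3C24...) and Baltimore CyberTrust Root (D4DE20...), all well-known public roots. Writes like these can be Windows' own automatic root update, triggered by the TLS connections the dropped executables make (this run also shows CryptnetUrlCache files and a fetch from apps.identrust.com), rather than a planted root. The key name alone proves nothing either way: it is just a string. The check that settles it is to decode the Blob, recompute SHA-1 over the embedded certificate and compare it with both the key name and a trusted-root list. The parser below is an added example, not part of this report or of any tool mentioned in it. The Blob layout (repeated DWORD property id, DWORD reserved = 1, DWORD length, data; property 0x20 is the certificate) is the documented serialized-certificate format; `SAMPLE_DER` is constructed filler standing in for a real DER certificate, and `build_cert_blob` exists only to construct that sample.

```python
r"""Decode a SystemCertificates\...\Certificates\<thumbprint>\Blob registry value.

The value is a list of serialized certificate properties:
    DWORD propid | DWORD reserved (always 1) | DWORD length | <length> data bytes
Property 0x20 is the DER certificate; the rest are cached hashes and metadata.
Recompute the thumbprint from the DER instead of trusting the key name.
"""
import hashlib
import struct

# Property IDs (wincrypt.h CERT_*_PROP_ID) that occur in the blobs on this page.
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_MD5_HASH_PROP_ID = 0x04
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20

# Key names written in this run, with the subject CN found in each blob's DER.
KNOWN_PUBLIC_ROOTS = {
    "5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25": "DigiCert High Assurance EV Root CA",
    "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4": "DigiCert Global Root G2",
    "D4DE20D05E66FC53FE1A50882C78DB2852CAE474": "Baltimore CyberTrust Root",
}


def parse_cert_blob(blob: bytes) -> dict:
    """Return {propid: data} for every property in the blob; reject malformed input."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"reserved field is {reserved:#x}, expected 1 (propid {propid:#x})")
        if off + length > len(blob):
            raise ValueError(f"property {propid:#x} overruns the blob")
        props[propid] = blob[off:off + length]
        off += length
    return props


def is_malformed(blob: bytes) -> bool:
    """True when the blob does not parse cleanly (truncated, bad reserved field, overrun)."""
    try:
        parse_cert_blob(blob)
        return False
    except ValueError:
        return True


def build_cert_blob(der: bytes, friendly_name: str) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct test input."""
    entries = [
        (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()),
        (CERT_MD5_HASH_PROP_ID, hashlib.md5(der).digest()),
        (CERT_FRIENDLY_NAME_PROP_ID, (friendly_name + "\x00").encode("utf-16-le")),
        (CERT_CERT_PROP_ID, der),
    ]
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in entries)


def check_cert_blob(key_name: str, blob: bytes) -> dict:
    """Recompute SHA-1 over the embedded DER and compare it with the registry key
    name and with the cached SHA-1 property. A mismatch means the key name lies."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (propid 0x20)")
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID)
    return {
        "thumbprint": thumbprint,
        "key_name_matches": thumbprint == key_name.upper(),
        "cached_sha1_matches": cached is None or cached.hex().upper() == thumbprint,
        "friendly_name": name.decode("utf-16-le").rstrip("\x00") if name else None,
        "known_public_root": KNOWN_PUBLIC_ROOTS.get(thumbprint),
        "property_ids": sorted(props),
    }


# Constructed sample: SAMPLE_DER is opaque filler standing in for a DER certificate,
# not a real certificate. The property list around it has the real on-disk layout.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_BLOB = build_cert_blob(SAMPLE_DER, "Constructed Test Root")
SAMPLE_KEY_NAME = hashlib.sha1(SAMPLE_DER).hexdigest().upper()

if __name__ == "__main__":
    honest = check_cert_blob(SAMPLE_KEY_NAME, SAMPLE_BLOB)
    # The same blob stored under a key named for a well-known root: the name is not the cert.
    planted = check_cert_blob("5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25", SAMPLE_BLOB)
    print("honest key name :", honest["key_name_matches"], honest["friendly_name"])
    print("planted key name:", planted["key_name_matches"], planted["known_public_root"])
```

On a live system the Blob bytes come from `reg.exe` or the registry API under `HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>` (and `AuthRoot`, plus the per-user `HKCU` hive); feed them to `check_cert_blob` with the key name and treat `key_name_matches == False`, or a thumbprint absent from your trusted-root list, as the finding. A blob whose DER hashes to a well-known root is the same certificate the machine already trusts, whoever wrote it.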
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C5D6.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe
"C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\FDCF.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\146C.exe
C:\Users\Admin\AppData\Local\Temp\146C.exe
C:\Users\Admin\AppData\Local\Temp\146C.exe
C:\Users\Admin\AppData\Local\Temp\146C.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\68841b03-089d-42ba-93dc-578fb8c6266d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\146C.exe
"C:\Users\Admin\AppData\Local\Temp\146C.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 164
C:\Users\Admin\AppData\Local\Temp\2D96.exe
C:\Users\Admin\AppData\Local\Temp\2D96.exe
C:\Users\Admin\AppData\Local\Temp\146C.exe
"C:\Users\Admin\AppData\Local\Temp\146C.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
"C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe"
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
"C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe"
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe
"C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe"
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe
"C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1472
C:\Users\Admin\AppData\Local\Temp\ACF3.exe
C:\Users\Admin\AppData\Local\Temp\ACF3.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\B186.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 128
C:\Users\Admin\AppData\Local\Temp\C5D6.exe
C:\Users\Admin\AppData\Local\Temp\C5D6.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240223045346.log C:\Windows\Logs\CBS\CbsPersist_20240223045346.cab
C:\Users\Admin\AppData\Local\Temp\C5D6.exe
"C:\Users\Admin\AppData\Local\Temp\C5D6.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\taskeng.exe
taskeng.exe {424923DB-C27D-4073-87C4-CCF75E9CE67C} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
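Two command groups in the process list above deserve a closer read than a flat listing gives them. The bcdedit run creates a second OSLOADER entry ({71A3C7FC-F751-4982-AEC1-E958357E6813}, described as "Windows Fast Mode"), sets `nointegritychecks 1` on it, makes it the default, sets the boot-menu timeout to 0 and disables recovery, so the next boot lands in a configuration without kernel-mode code-signing enforcement and the user never sees a menu offering the original entry; that is the precondition the later dsefix.exe, windefender.exe and driver-loading behaviour depend on. The `sc sdset WinDefender ...` call installs a DACL whose `(D;;WPDT;;;BA)` ACE denies SERVICE_STOP (WP) and SERVICE_PAUSE_CONTINUE (DT) to BUILTIN\Administrators, so an admin cannot stop the service even though the allow ACE still grants them change-config rights. The triage code below is an added example, not part of this report or of any tool it names; the command lines it analyses are copied from the process list, and the flagging rules and right-letter mapping are mine.

```python
"""Triage bcdedit and sc sdset command lines captured in a sandbox run.

Flags boot entries that relax driver signature enforcement and shows how they were
made sticky, and decodes which service control rights a DACL denies to Administrators.
"""
import re
from collections import defaultdict

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BCD_RE = re.compile(r"bcdedit(?:\.exe)?\s+[-/](\w+)\s*(.*)", re.IGNORECASE)
ACE_RE = re.compile(r"\(([^)]*)\)")
TRUTHY = {"1", "yes", "on", "true"}
FALSY = {"0", "no", "off", "false"}

# Service-object rights letters as used by sc sdset (SDDL generic rights on a service).
SERVICE_CONTROL_RIGHTS = {
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "DC": "SERVICE_CHANGE_CONFIG",
}


def summarize_bcdedit(cmds):
    """Collect per-entry BCD elements plus the global default entry and timeout."""
    entries = defaultdict(dict)
    state = {"default": None, "timeout": None}
    for cmd in cmds:
        m = BCD_RE.search(cmd)
        if not m:
            continue
        verb, rest = m.group(1).lower(), m.group(2)
        guid = GUID_RE.search(rest)
        if verb == "create" and guid:
            app = re.search(r"[-/]application\s+(\w+)", rest, re.IGNORECASE)
            entries[guid.group(0)]["application"] = app.group(1).upper() if app else None
        elif verb == "set" and guid:
            parts = rest[guid.end():].split(None, 1)  # "<element> <value>"
            if len(parts) == 2:
                entries[guid.group(0)][parts[0].lower()] = parts[1].strip()
        elif verb == "default" and guid:
            state["default"] = guid.group(0)
        elif verb == "timeout":
            state["timeout"] = rest.strip()
    return entries, state


def flag_unsigned_boot_entries(cmds):
    """Entries with integrity checks off or test signing on, plus what hides them."""
    entries, state = summarize_bcdedit(cmds)
    findings = []
    for guid, el in entries.items():
        reasons = []
        if el.get("nointegritychecks", "").lower() in TRUTHY:
            reasons.append("nointegritychecks set: kernel-mode code signing not enforced")
        if el.get("testsigning", "").lower() in TRUTHY:
            reasons.append("testsigning set: test-signed drivers accepted")
        if not reasons:
            continue
        if state["default"] == guid:
            reasons.append("entry made the default boot entry")
        if state["timeout"] == "0":
            reasons.append("boot menu timeout 0 hides the extra entry from the user")
        if el.get("recoveryenabled", "").lower() in FALSY:
            reasons.append("recovery disabled for the entry")
        findings.append({"entry": guid, "application": el.get("application"), "reasons": reasons})
    return findings


def service_sddl_denies_admin_control(sddl):
    """{letters: right} for control rights the DACL explicitly denies to BA (Administrators)."""
    dacl = sddl.split("S:", 1)[0]  # drop the SACL; only the DACL grants or denies
    if not dacl.startswith("D:"):
        raise ValueError("SDDL has no DACL")
    denied = {}
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")  # type;flags;rights;object;inherit-object;sid
        if len(fields) < 6 or fields[0] != "D" or fields[5] != "BA":
            continue
        rights = fields[2]
        if rights.startswith("0x"):
            continue  # numeric access masks are out of scope here
        letters = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        for key, name in SERVICE_CONTROL_RIGHTS.items():
            if key in letters:
                denied[key] = name
    return denied


# Command lines copied from the process list of this report.
BCDEDIT_CMDS = [
    r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}',
    r'C:\Windows\system32\bcdedit.exe -timeout 0',
    r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    r'C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
]
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for f in flag_unsigned_boot_entries(BCDEDIT_CMDS):
        print(f["entry"], f["application"], *("\n  - " + r for r in f["reasons"]))
    print("denied to Administrators:", service_sddl_denies_admin_control(WINDEFENDER_SDDL))
```

Fed Sysmon event 1 or EDR command lines instead of the hard-coded list, `flag_unsigned_boot_entries` turns ten individually unremarkable bcdedit calls into one finding with the reasons attached; the `-timeout 0` and `recoveryenabled 0` reasons are what distinguish this from an administrator experimenting with a test entry. For the service, `sc sdshow WinDefender` on a suspect host yields the same SDDL shape, and the `(D;;...;;;BA)` ACE has to be removed (or the service deleted from an elevated context that bypasses the SCM check) before `sc stop` will work again.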
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 183.100.39.16:80 | brusuax.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| KR | 183.100.39.16:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| MX | 187.211.34.223:80 | habrafa.com | tcp |
| MX | 187.211.34.223:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| FI | 95.217.29.171:443 | 95.217.29.171 | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | mahta-netwotk.click | udp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trypokemon.com | udp |
| US | 104.21.51.193:443 | trypokemon.com | tcp |
| US | 8.8.8.8:53 | loftproper.com | udp |
| US | 104.21.11.77:443 | loftproper.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | pimpirik.com | udp |
| TR | 213.238.183.73:443 | pimpirik.com | tcp |
| TR | 213.238.183.73:443 | pimpirik.com | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| DE | 185.149.146.82:80 | | tcp |
| US | 8.8.8.8:53 | c1fdc400-9f9e-4801-9487-26196984c7c0.uuid.realupdate.ru | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| RU | 185.12.127.241:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.sipgate.net | udp |
| US | 8.8.8.8:53 | server10.realupdate.ru | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 15.197.250.192:3478 | stun.sipgate.net | udp |
| BG | 185.82.216.96:443 | server10.realupdate.ru | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 104.21.23.184:443 | walkinglate.com | tcp |
| BG | 185.82.216.96:443 | server10.realupdate.ru | tcp |
| BG | 185.82.216.96:443 | server10.realupdate.ru | tcp |
Files
memory/1412-1-0x00000000005E0000-0x00000000006E0000-memory.dmp
memory/1412-2-0x0000000000230000-0x000000000023B000-memory.dmp
memory/1412-3-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1412-5-0x0000000000400000-0x000000000044A000-memory.dmp
memory/1200-4-0x0000000002A80000-0x0000000002A96000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FDCF.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\146C.exe
| MD5 | 685962facc72ed816ebc86f021449044 |
| SHA1 | 06459254112ad371328b0fc66210818ad5c048c8 |
| SHA256 | 818e83a6f88f34e7dc343f267a30b651d578a9e9786c95bc2a76ab33d58f74b8 |
| SHA512 | d261caefbe9f4029733b2ff62e2dee9f993c4f6fbc794ac6fb4d9e6cec54814ff4ecd758809f79457c8665b61a1e72626e2acfe7b8312484890b274aaf48d004 |
memory/2636-26-0x0000000000310000-0x00000000003A2000-memory.dmp
memory/2636-27-0x0000000000310000-0x00000000003A2000-memory.dmp
memory/2636-28-0x0000000002530000-0x000000000264B000-memory.dmp
memory/2028-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2028-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2028-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2028-37-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab2791.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar284F.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f5e1c574131446374777ed8f372eba5b |
| SHA1 | 787a8e1d3fbbc03136bb6fb4ea7b3b9953852285 |
| SHA256 | 8b77fca2ad5bab4058a1a8783148e1c8d2eeba44dd7f8976369d74d7cf279c2a |
| SHA512 | fa3e1eecb9dd5a3b797298275530ee884e774d7f6fb8da6dd985b91e05a3bf2d2447d8d9a4b2a887711d6128ad513314cc5da2d7739e9d28045accc7db4535d0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18d78e60216de7573643278925520682 |
| SHA1 | 4afd8fc3cd5289d85f2dda1fe0fec8561d1fd68e |
| SHA256 | 1fa3744bfb59d21248bb07b69692e923cc0471fe5cb70c0736146bba93142d0a |
| SHA512 | 87ea527fc2a9adf6a06f28e0715e521b50d2df273e620f9ed24e9c30ce8f8f9c750916d0167e6db3218a21489001a3aa01837879a6e0a9ad3d8e6c4201da47f0 |
\Users\Admin\AppData\Local\Temp\146C.exe
| MD5 | a4b0e8e15ccfa15e6271f2ccb0082a41 |
| SHA1 | cb345c8adb7fbe736aa6880c8fe081f5fc879845 |
| SHA256 | 66e284bb40e54b6be4cb9a73f3c3e83e8f078aeeb68a251816b8c6aa4bcde2e1 |
| SHA512 | 7bcd0bfe5943de9312d44c52277444f089a820d4b2a736dead3237687163bbeac71d7c34db5afd8594fe6b7e85216551d4f4dc52af174554cb10d483a1d5388b |
memory/2028-120-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2D96.exe
| MD5 | 5fe084e9aebe1edeecd06b950537ad93 |
| SHA1 | 3f3a3c258c1a6a059ab593386c298528df513b23 |
| SHA256 | ae22d7cd31d2b260b18fd4b021442a65adc726d0cf3803206f175c5ade8cdb90 |
| SHA512 | bbcb8add857ddb48b19fb66f8c6ac31e2ffe65d406c952dad87ea31485023a484eb4b40a520756c0871d3cc4f9cb6cf31bc2f28344bed818d9717aa434c588eb |
memory/336-132-0x0000000000C90000-0x00000000012A2000-memory.dmp
memory/336-131-0x0000000000C90000-0x00000000012A2000-memory.dmp
memory/336-130-0x0000000000C90000-0x00000000012A2000-memory.dmp
memory/336-129-0x0000000000C90000-0x00000000012A2000-memory.dmp
memory/336-128-0x0000000000C90000-0x00000000012A2000-memory.dmp
memory/336-127-0x0000000000C90000-0x00000000012A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2D96.exe
| MD5 | 768351e7fb4e73a68d6128a4ab7ccc4e |
| SHA1 | b2e42ae8d8f154800c6ade37ad6ce4e903da79de |
| SHA256 | e1af5fed9e816a4f21c4f25e8d1388d8e8deac07c9cacd2889b749f2ec28a396 |
| SHA512 | 76f96b1e6d962937822c05814c77ac8903ac612db07d8daa7ddb2fb7443e6151afc880daf5a8a3e42b4f3e8dc081f391cab3e8098fb4af8ac31ef81a66d20941 |
memory/336-139-0x00000000770E0000-0x00000000770E2000-memory.dmp
memory/336-140-0x0000000000130000-0x0000000000131000-memory.dmp
\Users\Admin\AppData\Local\Temp\2D96.exe
| MD5 | 6d1b276f441f11b947447a88b7baf679 |
| SHA1 | 8a398c876f5ba5cc5e790c11f7cd94eedc752405 |
| SHA256 | 9122781445f758d5d9fcc9cac17083dca4a3c4264fe75a00fab37c9fdac0a5c0 |
| SHA512 | ef41356a99717337231fbe2f68a0e156ee03614ea9ac98420edc9875c72c65604772665bd8541e855a975444b7d9964c4b907c9f6ce10920c6a9cf48f1fddbaf |
\Users\Admin\AppData\Local\Temp\2D96.exe
| MD5 | b63a27c8b67238f13e86df097bafd70f |
| SHA1 | 06d63899ea4b9d4aa573ef35f2e30f520977757d |
| SHA256 | 18b04ee8cccc1d5055fea2dbe652451404ea52e2c14a4fb6aa3f74421a87a9db |
| SHA512 | 63a16858839f5bb33328c2eea33e0ceba24ef05e7e6e16d361fc84082fd7dbd57b645a8b73c130a35d3644f50e5b1c62a29624c5695c8c92fffb5eef147f8253 |
\Users\Admin\AppData\Local\Temp\2D96.exe
| MD5 | ecb1ebf2aa233264950362c72e82843f |
| SHA1 | 9d1325b56bedfdb307888af9e242ea1092d96f6d |
| SHA256 | c098d1f615c0ea0bd257065800b2c93113938fc190eabb1ca115f2a6f90c4eaa |
| SHA512 | 34da04b40e38718fd4554992b3941198f39328cbdefea057d75d7ae6c7866e373c0e7d08fb8f7a12665cda48d9c93f22ad9482a5b21aad767604af7720e4360c |
\Users\Admin\AppData\Local\Temp\2D96.exe
| MD5 | 323515279d10ba671b07b633c9de1ea8 |
| SHA1 | 650333af968f413c8ec77716e3910ed0ddc44d45 |
| SHA256 | c167958e1422de7f195482177979283cc65e19ec406b5fe9085750b203bde3e6 |
| SHA512 | a8bc237f21a06e38989c1d21ebbe2ddd003e883408ba9e9b57c0ec425ca335e3b5314de248c2194c7350d693e1d9c0c003194bc455a5980351d027ed7c39aa47 |
memory/336-134-0x0000000000C90000-0x00000000012A2000-memory.dmp
\Users\Admin\AppData\Local\Temp\2D96.exe
| MD5 | 2ad934fd537212cffab60e3b647812c9 |
| SHA1 | da68f5790326b7de32f7c7e592a263a400fc96b1 |
| SHA256 | 3d2e675ef4985396cace0c5ddf5592091730e561a367af9c72ed206084b7007c |
| SHA512 | 68cdd4374f5ab6c13a802aec335e9eec998aadcdfc450d05520df2666063cb8be6f12d492f7757026a0216a7bb56756557cfc63801afed4b3faeb0d0a96acc66 |
memory/2368-142-0x0000000000220000-0x00000000002B2000-memory.dmp
\Users\Admin\AppData\Local\Temp\146C.exe
| MD5 | 7029a924a18dc87f591798819a178d47 |
| SHA1 | 80b78f4f422b1dda5a89f9ab3928a8718edd8f5a |
| SHA256 | 5e8845da8cb36aecc3b0e49fa46c5091f586429e12e3ecb24a048855ac6b09d4 |
| SHA512 | 98a25d005b17c5334c5bcd0a1bdc2ed214817bb3dc1addc14ae8154370e50e3fa13400ce9baa738737b94be9f1d1b8d195302d142a7d843c4649d5228c4c9737 |
C:\Users\Admin\AppData\Local\Temp\146C.exe
| MD5 | bf03961a2f014eab5b4125588acc7201 |
| SHA1 | 921571abf2f5ae7fd824c8d9de76dc1f3ef7a3e5 |
| SHA256 | 3232d9774d10ddd4ce343344a6c04cdfaf11544547dac4e2dd173915ae47db03 |
| SHA512 | 119b11ed89eca9184b6167213811a23d7506785bc98b83fe3728566be6b31c3813cafc7a7d12e713085784d284271088cd994a770272615234c163154485cd4d |
memory/2368-143-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/948-150-0x0000000000400000-0x0000000000537000-memory.dmp
memory/948-151-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | c1a837e7fe0cd4bf1d70c7b4d8844d55 |
| SHA1 | b9b2d408095400ff0be067d8c6eed6ba0312ef3c |
| SHA256 | 0e3dcc979a1e43003bdc7253cb4094c0385d2099c14dc12a4e85fded6f76dc97 |
| SHA512 | 720c2aded6054feee530553c84ce238ef4952ce2b622917c840ffa2a937f77cfe2ba55a6212af0a650f7f8286d30088ec385de584e3fe1f4b2ca7901136d16a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 671d7267e8c1804a283ef61ef220a76d |
| SHA1 | c060d6f2b28471a174a0f18b0af1c99e67482fba |
| SHA256 | c9e6ef03b138b1a84f68646fbc6c3da88e709948237a520b3d0e74ffba860ecf |
| SHA512 | 838c46a3d88f2c27a7ba1538326a38ab06ec82ef2516ac7f671c74ca93cf69255971e5e8ef3e3e6c97a14da816d96ee52b017c4d17dcfcfc91a8386ad8b79eca |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 3dd301a32f61f394f0299a96eeb2ba87 |
| SHA1 | 1c4b8ece5245ca559cff6fb243460b5cd3765f8b |
| SHA256 | aa980a54e95976dc754096ef1440f06800806eadf00e8b01be16592015549e02 |
| SHA512 | ee08f864abad6b45d8af4c5da22917b4c73193a4da21604f2a6d9db23ab96c511d88e35713a863caf49c588646673919aad35eefc2dc3383e0bc4973e4229986 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 15ff235a1a75433357ce4e6a69f41451 |
| SHA1 | 07d005bdc6a763572be78ab3945453ae3a81be30 |
| SHA256 | 1f0b8f9be9c3dd13c249758f6b6fc374ddbb4df367fdf92256f91e32db9ace25 |
| SHA512 | 7191306ccdd0f700d4052f54f9aaa9f20257ae0ab2cd41c090d3c73479e565c679d9a7ae2c9146105cdeaf48c885e01445fa63a4180c16195a5c774a59d55f71 |
memory/948-165-0x0000000000400000-0x0000000000537000-memory.dmp
memory/948-164-0x0000000000400000-0x0000000000537000-memory.dmp
memory/948-169-0x0000000000400000-0x0000000000537000-memory.dmp
memory/948-171-0x0000000000400000-0x0000000000537000-memory.dmp
memory/948-172-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
| MD5 | 81832c48cffd651f25f5db44d5178382 |
| SHA1 | e7204724086330ff089257879412b3381d27a5d5 |
| SHA256 | 3d55e3daf8f69d99c43235832c82e954a089e59fb2600f073e338c2bc9ec4282 |
| SHA512 | b3f93e58f83d0b86eb078c85512b6735dce96d7f555eb184754085813e2d4d56bb37727566bfda576ac274aae2008746e0ad07d49643cff4d454845a28dfcb5d |
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
| MD5 | 3e727bfadc020722402f68c2bfa97978 |
| SHA1 | bbd3db258ecc2a0bae7afa9e7b0568173783fc3c |
| SHA256 | 3de9537bcc3cb6fdf65f77688065b26a82d5ea0fc2bfe32e7f5b8b829c99a96b |
| SHA512 | 433244f005c0306e31788d185c8a3f58da9cdef608b516d1f85914a862fa57d99bd7e55fb2ae86ddfba4e967c01967ebf3504ef841e265c4b97acb35382d234f |
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
| MD5 | 3077b6d44753596f1939e0a21265119d |
| SHA1 | f2aa2b6e24bec0d31a233fc3987159ae4b3fca51 |
| SHA256 | befddbe7f94efe48ecdf3e7e31197809e186fba5525b966af5f4a4cf656a5be9 |
| SHA512 | 8a57a69c3db4727f6d0527b46ac262ad6f1ae72e6db2950b8823bb1c0e7275e4ea6e064aa6497b21e7f26925d8ea09eb9774fc12eca837247206634eb4ff2874 |
\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
| MD5 | 6d29149d87dde5efea55b229a8a41d7f |
| SHA1 | 2a7c929a307616a4b87b619b602e37af13cd4b7d |
| SHA256 | 403caf708b69e5ecbc5a1c2d699769e920ca1d27d43ea8ecda13484435d9c934 |
| SHA512 | 025ed684275c983ea88911884016fc5b77d54fb4457eb9e14ccc1649870e7f468071f9c71222ba16cbed2cb7ac21e776a1331d7d978a61023be8aa9181ea5720 |
memory/948-185-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
| MD5 | c4dcf6d8d3b83e4a348fb34486d1d0e0 |
| SHA1 | e8ddb2c0def03638886b191bd6f0565c50f9a148 |
| SHA256 | e6a9f7cf4bd6578f3dac33d091e535c37bfaf6c6a61e871f67f08994c32fc66b |
| SHA512 | 4e8f4841a479c21a1889cf4445281727a061bd0b8a8b7f8d23dac8ec5ee3ac999199efddb25cc58c1f2a1ce1b62ab779f245c6fd357cf45fb6e84ca5cda5e6d4 |
memory/1048-188-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1840-189-0x0000000000530000-0x0000000000630000-memory.dmp
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
| MD5 | c6d3d647baad8a5b93b81d2487f4f072 |
| SHA1 | e9c1105dc41f85d4f7e94d4e004f8427787c8802 |
| SHA256 | 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a |
| SHA512 | 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049 |
memory/1048-192-0x0000000000400000-0x0000000000649000-memory.dmp
memory/1048-195-0x0000000000400000-0x0000000000649000-memory.dmp
memory/1048-196-0x0000000000400000-0x0000000000649000-memory.dmp
memory/1840-190-0x0000000000300000-0x0000000000336000-memory.dmp
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe
| MD5 | 7ae8a1741cb1703131a0a3707e9440d7 |
| SHA1 | fb88a37fb6f2f9723fc56e04fd0a0e18498fddf8 |
| SHA256 | e6084f13e5225b3aa54fe56a6597af7538db0f6f466b0050c3977d49ceb2520e |
| SHA512 | f7cf3a5a6ad7e95518e5c7fc8e1dd2643722199d0af2ef8e89824ba40d63598262e86cf6825d55d0d283f444abb6c8204e51f052c868507a6141a8aafd36ecc4 |
C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe
| MD5 | f96042a0bc1e250c882d4ffb90e4195a |
| SHA1 | 394e98400d4ae2ac4082fbc04e43326a22310c18 |
| SHA256 | cb70a4cc740556517bddc67b1d48e058b447e505bfddc329bc4e3f0d87595b32 |
| SHA512 | 0b4fb325080715ba3919a914f7fc0aaa97eecc150d2bb55613c519bdea34130fde0ef6185909bd85da32be3d4e8596d9bb5f63c129e74509a537170f02513796 |
memory/948-207-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1168-333-0x00000000008A0000-0x00000000009A0000-memory.dmp
memory/2144-332-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1168-334-0x0000000000230000-0x0000000000234000-memory.dmp
memory/2144-339-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2144-336-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2144-341-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2144-342-0x0000000000410000-0x0000000000477000-memory.dmp
\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
| MD5 | 87342935b3fbca51d78a7f633a12adbb |
| SHA1 | c8381e314e0babfa2310da0f3d49cf5894e415d6 |
| SHA256 | 5a92e92544d124e744245fb596c107b16a6602224c5685446ac0568787787673 |
| SHA512 | d87d3eb542630cca309c7b1eaaf519938df42c981a766c22f5328f57181b0ed945b3884bbdf745da32431536162f5e214dcf549cdd038f081f324cc91230384e |
\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
| MD5 | 30ebdc3ef63e5216dc2c6a00ac8d66cf |
| SHA1 | 48d251671952c409d8517888d7e2efa0f921cbbb |
| SHA256 | 920e9a422399428b5b507861dec8f5bb59fa3a99ee5257406d0f198e36f6eccf |
| SHA512 | 3c20edfc423d0a048234393addf7ae6e31a3a546d0096336111f25068d5a8a271c9789d6d07785045007464e545a97fc696a005334c5e4126fac6bbed33a7b25 |
memory/1048-349-0x0000000000400000-0x0000000000649000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ACF3.exe
| MD5 | 8c2a7885ff8fb497443bb0cedf6c934d |
| SHA1 | be64cdb1876f4aad155b8d79cb3222df126aef62 |
| SHA256 | 576a632aef27ef960bbf4250a24d0cc91c94c2e4d0e27cb305015245dbe56d4c |
| SHA512 | aa02e6f8cf327677d25c36d43f788c8d4fe6b63cbfa642ba50261923ed476e06e661f0905bcf92460da9b5cedcab1bd3c732008032e5c3cdbda140201578a8ac |
memory/2232-365-0x0000000000F10000-0x00000000019E7000-memory.dmp
memory/2232-371-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2232-374-0x0000000000F10000-0x00000000019E7000-memory.dmp
memory/2232-373-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2232-376-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2232-378-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-377-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2232-380-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2232-394-0x00000000770F0000-0x00000000770F1000-memory.dmp
memory/2232-396-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-401-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-407-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-418-0x00000000770EF000-0x00000000770F0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d5e898ecb9c044c557bc3a728e08eb7 |
| SHA1 | 4883456135f23c07be1ecf8c255f6aa203d6ff44 |
| SHA256 | 44cec56c423a5beb2b1e234890826587ee7009c2c75e039038860161e74a49b7 |
| SHA512 | 9326276afa675adaa8039f08fe5de0c3c67c84434a130bb2269be6288b8fe77707c07858b6c8e37ca16518fb926ed1b97d67809a300f1548484f6908a3082bde |
memory/2232-434-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-439-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-453-0x00000000770F0000-0x00000000770F1000-memory.dmp
memory/2232-459-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-467-0x0000000000F10000-0x00000000019E7000-memory.dmp
memory/2232-468-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-475-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-484-0x00000000770EF000-0x00000000770F0000-memory.dmp
memory/2232-485-0x0000000000330000-0x0000000000331000-memory.dmp
\Users\Admin\AppData\Local\Temp\ACF3.exe
| MD5 | 745808f10225d6c87d79af17ba18841a |
| SHA1 | 271cbe01cdd21a82927eda3abbf0312986bb533c |
| SHA256 | dc9758dbe01c3c60c9d18205db786101dd2e850300f7b2e699f9c6115040d9eb |
| SHA512 | 5c2e4b9b5b2dbc26e2ca9961331aacd269ebccbed3cd1cf83502022984abc436c9e06dc32d145c97346cc7c3bbc54894738bd8f70694e24b668bbd69307efe6b |
\Users\Admin\AppData\Local\Temp\ACF3.exe
| MD5 | 0af59241e3a21cb37e3fe3ea4f6dcce0 |
| SHA1 | 5fef29f67c168103abeb576eca5c426f28450619 |
| SHA256 | 9ae86776749568c316a993982774fc9aaefd816825bc39dcb568215b22c99e88 |
| SHA512 | d283be11d08836ebdfd6633a0620a92a361d68f8a509d1857ccf72021595fc332d66d62e1916eea12d8f8d1025e3d758aaefbf54864ed10554fc1b3dbb68a690 |
\Users\Admin\AppData\Local\Temp\ACF3.exe
| MD5 | 2b2210c0ed5d25afb95b264f9fc93151 |
| SHA1 | c5e95196128b3a7095092cd439a5cd23cde2773a |
| SHA256 | 3107ce443a585cc4c6cb41ea600b2d44979fdf8cfc9a4aa4475ccf619da74aca |
| SHA512 | e821e6aaa656c36bb7843af8b7cb78ebd910c10de08d5ad0c366baa2cfc275602e92dc4cf44f4ed53e74a1c9f5ff87ca7dafd10f0b279fdd84acdbcb281e3c46 |
\Users\Admin\AppData\Local\Temp\ACF3.exe
| MD5 | ee8925b7435e3bb704aad370d5863ef6 |
| SHA1 | d35617751583b1b339e08e52436ecb38b3bff43a |
| SHA256 | 394411b715f701667eb7c49fdffe663a970659591617f65196fae79d2f2c1ca4 |
| SHA512 | c21acddf4932557989d65d7be220185555b4dfadf46d0b6c5c0a9237eda72d52610ff16702fa5c0c49d29e8dc2c764a6a224e06f47e4e710f06ac23b0b13fd96 |
\Users\Admin\AppData\Local\Temp\ACF3.exe
| MD5 | 0f61e8424b77cc8352039fab64ec4fe5 |
| SHA1 | f8f9f32186e3cb11af983859e5c66d5d0d057fda |
| SHA256 | bbe7e825f71ca71fba5acd71d9e329e4829ad95a1aa729b64fd7e11ddc670e9c |
| SHA512 | 0aae521d1f35fc574634b76cecfe427d0e3c1ceca0134c5c583f214a6d550e84cc342eaa21a799b8c39cc3a81f4e5ceb44913a16d80c86d7ecb20f35ca472daf |
C:\Users\Admin\AppData\Local\Temp\C5D6.exe
| MD5 | fd29754d9a9328b0b882cbec16f4b95d |
| SHA1 | 14ed33fa9c1b37cb57d1f27988ce1d594ac719bf |
| SHA256 | be70ebde67cfd2481d1a6e7575982d550ceccd8b5f08ccf06a3e9bca60830407 |
| SHA512 | d44c57eeca9026e062132bbe609a21e3ebb6a039e854f1176c178a0bec03b94c0e78fceaf16f9f437c450308a3dd01c5ef3f390a9a30ced358fbddcfc9499f88 |
C:\Users\Admin\AppData\Local\Temp\C5D6.exe
| MD5 | 0cdbb24a52a373c0ee1a04f4e069ba2c |
| SHA1 | b6d1e9d8e9a97236d94d5d815741944d9b00f4d6 |
| SHA256 | 8a099fca8c250898ea43dece3be0e90500c0ac002a855c31b140ec64ed8bc81e |
| SHA512 | 8536295a22a4f7662e81d4f7bc0cef25b7ee3391d58e16496a8c1ad075c9a1fb77e18a78b5c4e924baa20c218f365fccede9611ddcb782c9236dc3918ff82bab |
memory/2948-499-0x0000000004100000-0x00000000044F8000-memory.dmp
memory/2948-500-0x0000000004500000-0x0000000004DEB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C5D6.exe
| MD5 | 65ed47d6dddd3d99c635de822c03ddd5 |
| SHA1 | 82eb91eae28faf7c5c072c5ca387dc2d395dfb3c |
| SHA256 | a51b05ed4bf6d64fd4c843cfac7df119712f1e1771113c7885811470d24f63fc |
| SHA512 | 664b8d136902d88c8cfac377e99862c7f74f13bfaa6a3700410c0548710f37fbd8d39b9e492d561483f176e53707403c7983f212549c3af0fa19684b1de7ed85 |
memory/2948-502-0x0000000000400000-0x00000000026B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C5D6.exe
| MD5 | 7858a395575e96624c6c48744938ffc4 |
| SHA1 | 885ab0414cabbbe30921daf9a75de436e13ba62e |
| SHA256 | 7f74673a027de5036e37947711604edab9c612d85ebd8c17557d8de55fcfafc4 |
| SHA512 | c40b4e05402c75742352dff510cd27fce3d6ec89fb820c93a1514506545afb77246210733a11faa3035d57fa5ea7adcb8b1043e9cae3090b171871d9480e8f98 |
memory/2948-506-0x0000000000400000-0x00000000026B5000-memory.dmp
memory/2364-509-0x0000000004120000-0x0000000004518000-memory.dmp
memory/2364-510-0x0000000000400000-0x00000000026B5000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | adad436121c7328c1f8e309815eda05c |
| SHA1 | 28da21e65f61fe409b3c3dc6b8c581967f12c1e8 |
| SHA256 | acefc7b907a45be431902f82a41c0260a4fed5376e40e2690a4f6e3f071efce6 |
| SHA512 | e91e64bd3d29010dad950e3196380436f6887fae6bd09a0db65987e139514f92ebc1f494aff54582aabab55dcf84fa6873df2e0d0d2fc348868fa694155c9084 |
\Windows\rss\csrss.exe
| MD5 | 627d759908fd5263616970d2e95e8c5c |
| SHA1 | 652b8997001bc66be3f131c4f69d396d4b98e41a |
| SHA256 | 85a6ca2c2388112de17fa743a240346c6dfa745e4032602da5b8d4cf927fc88f |
| SHA512 | 190042d4678687cf97ee8dd11f867ee83a44ccf0c160838c7949b8b636a32e480b6e50b18106f33e24d8d78f9bdcb9fa634c9d5e4d90e50a23fb42b7cc0d22be |
C:\Windows\rss\csrss.exe
| MD5 | a65d7fecc1b165ad67d278e6ff06d887 |
| SHA1 | 7b4ac520b37c139d7cd97f8a099ccf4491333b3f |
| SHA256 | 2aaa8c410945b70628d4a9cfd5c8d60321ce4030a83fecc8d0a48139b252af5e |
| SHA512 | c20700147697b19f458f1533b21927fd8045d720510f0cae6faddf268bd4ee05a0a10d4a02d4b60ef1c8cc6a6040603357de9dac8b7e1dd7deb02159395f0d55 |
memory/2364-520-0x0000000000400000-0x00000000026B5000-memory.dmp
memory/1168-523-0x0000000003F50000-0x0000000004348000-memory.dmp
memory/1168-525-0x0000000004350000-0x0000000004C3B000-memory.dmp
memory/1168-526-0x0000000000400000-0x00000000026B5000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | ef7f5ac76ba5b88cb6ecbd0991fe9aac |
| SHA1 | 2f975baba9998b60323e36a7815bc4d1be17ef85 |
| SHA256 | c4ea7c431ae90ec1ed3cfa4c5d3c7e21f0e1219a63edc56817650f34d4a9b8c7 |
| SHA512 | 0023000d855fd10b2303ea88b7f4b4611ebbf7c23f60b7ce7afb110ff7364992e6608246d33bfde4aefb1d68ded8986c12f62d0fd34da1c4fdc84cadf6a613e9 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | a6297d6dbfa1876cff15c8d4bc38ab9f |
| SHA1 | d6f2cf946e27dc65f0c08d19b09989a8c847f9a1 |
| SHA256 | 544107147b01bbeb8fa7406499c077740f90dc655da169e8de67eb04cb81f987 |
| SHA512 | 86acfbf22f60d4b55ce289547750af0b92178d082dc60672d0a6c49b042631362a7df6cf615a10991cfe8fbf5c35be27554048feccb1bd590039f0291b50936d |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | ea8ee5be5eebfefd45375ccd0c9e5a2d |
| SHA1 | 4ec4210c6c423ec4aa061bf240d4fd4f55aec19d |
| SHA256 | d37239b4e83561f2d54de3d9b7bfce16b5bcf25a2091be4622db6c54a96770f1 |
| SHA512 | b9cf1c074ae591034b7a9e6fe3d2e716bcd0cd2a2d04aacdf4bde8da9b0702ede9b4e5e6edfa6de1d249e29b870e9fbd4cc047605691df86e6c9129d1ca1221a |
memory/1948-533-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | c5d198ce3ab65b5f188687d6a1f1fd24 |
| SHA1 | 55f4eb28e98d1bea7a768e9988c98db45b7fcb84 |
| SHA256 | d2db0dc8bce5462d410f8c3389350baa260a65c094314150e8615a2c9206b4da |
| SHA512 | ac9f8d380015fdc759f7652c23d65eedcbcdf246ed6e86f008b5d50a0cdb4c54a8bd7815d783e5de19601feaba904b4c2caa63542ca520b32ad792ee62514dbd |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 2cbdce5765067678d021ce0afc6a71ab |
| SHA1 | 565813cc7ea4a249d6cb35d25f848d88b2c066f2 |
| SHA256 | e37a63a4b98fb858b17a25b6e48c3f7104bd18ccf8a59ec98599e706e2488d8c |
| SHA512 | 6a3ddeca230ca8f7cc64c4c5f66b901d6c3e9f9ff7dac15f9794152237c68d3a75b80024e5e95e09e703d64620e9dc0135e1c68cdc2af940fe5a509fe4fd23de |
memory/1948-547-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 0f1cac438a8525e7dd70c994b048c81a |
| SHA1 | 0e4e0b3f6746efb6fa2bf82894362f32950760c5 |
| SHA256 | 12075d8061ee8918ad01ccad4e7af97cb45883355bc3cabc9e389e70908c1161 |
| SHA512 | 8c0a5b5beec9aa2a54c3dfa8d5d3965814f3adef9d3f8ce21800bb378f90bd54070d6cdc0c3c20311cdcec808d1e1d91f6bc096c093d0932ebc8269ebb6ae35c |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | e26bcd07419d0714c00994a6cdbd573d |
| SHA1 | 1690bb05f9c5b1424fb2155c2a2ae09ece8aacc5 |
| SHA256 | 7b5c83e777497bdd72340946b415d195ea831346e826a44a2d9ed13f79b7b36a |
| SHA512 | 22f6d8eb16238233b97bf7066fc5cc83fb1d2d275d5826873e1d270ac3e5e10e5b1c0e2f3c458315374c8142f60710084e4ecebc6a792bdb96b4dabc0e77c9db |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 713eddd573ba9e0f1506f8222dd95b3a |
| SHA1 | 19ef572d6c39f34b472832665d9279a291629856 |
| SHA256 | 5fa0e0bfa5f92666832c4faaa248b594ad5f4f756993bc09322383d4745a8c8e |
| SHA512 | f026658651aa02a4fe1e17894bbbc6ac44336ab0bc804e0ef2f44e3e0f393436434b32ccb0bb7e58fc8ea311e140f7172722e3f9cdaf6326cf39033f6a2c45dc |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d9ff574edddf89e14444ea7d500600d0 |
| SHA1 | f793492d151b71c3ad33e83602ebc9c686467b6c |
| SHA256 | 8c95d9720b718e4ac96626c8e9324010ac3fcc32463313a376f098125675290d |
| SHA512 | 7d5331f539ebdd96d2786065d40f0c6269ca303f2f3cb8c751f5e397694de8d946030bcd1fa59da8b73717b7c32282ab21cd0a4090145aee0214d2e4f7a8c968 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da3d4d0e85e9570a6e6c9d917e32b2f8 |
| SHA1 | 8f291c99c58d3d3fe3cccd0d6a174a17fefcb7f3 |
| SHA256 | 8065a40e668c2b0f9fffdcb508f3381aa7766658e7c2210a4bc3d617e9ddf4dc |
| SHA512 | dac4c8b23e3060af9dfb0fc697a5c695fdc470f065ce3224b569baaa6a40b0e5a905395a28785fdb74816e56c827768930f7ac055527021693b11b281fc7efe2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | aa25008004208fefaa652eaa6f9a165d |
| SHA1 | 749ee4b10989d2fc566c80b696d31bd15473dfee |
| SHA256 | 5cb873b11f4a5057fc783efd349094217c78b132e3d194eeea1bf54e0724d3bb |
| SHA512 | ca495f1b37f5caa0149a99ac234a94461361ed8ecc82ff15f359f5713070dcc5579bcc1b65528e71343cebb064e7e28686a3cbc6cff9e992670ddf7fe5e49891 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 61350605145dd6149d79e76ebd1b0b58 |
| SHA1 | 09f00ea3c06247143eb128f5bc6df2745a374c56 |
| SHA256 | 4c5532c75e2dcd198ca6607cfe6a3bafb74b808a48eadbbd6170b2c271e00d1f |
| SHA512 | 7f25782d415093b0fe6f089423d413e6c6c1fa855a3dac6c28c4819b11444c81317d61eba6654b1e6f7bb6108273bfdca0026ded938a8b253082dc15945b981c |
memory/2692-615-0x00000000008D0000-0x00000000009D0000-memory.dmp
memory/1168-625-0x0000000003F50000-0x0000000004348000-memory.dmp
memory/1168-641-0x0000000000400000-0x00000000026B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | b7ad43fc346ac188b1fc56be63d47722 |
| SHA1 | c8b6dac95874b07cae3aee361eb58a3af2b69279 |
| SHA256 | 32246c650067181ae93b351b1aa6904ada6b309ebb8da61a894d597efed12f63 |
| SHA512 | c199d6931ba59a7d4e2acbd650619acf79333cbd2efbe0aa06e456859ef12317e20d4e06de2026d41cbb5fa99f0ffa6396d07ba96d87cb0ce9f55d4a0c48b736 |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 1b493fc8c98c60a24b18fe1a3b815ee1 |
| SHA1 | 5640115aeaf11f6b3791da6402894ad632825add |
| SHA256 | 80330ce08130ce9a46304724ce9d9f8080daae727252db18d9443a0511d3a017 |
| SHA512 | 37693076051cd3e07d29d06d0c015afe472038c6e1663162a4bcf401fbe4687b91671dc202388433b2e27e45f4bb0a87d206ff6a80e5d2ccbdf6a4b6d445c9d9 |
memory/1800-685-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1636-687-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1800-688-0x0000000000400000-0x00000000008DF000-memory.dmp