Analysis Overview
SHA256
a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669
Threat Level: Known bad
The file a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669 was found to be: Known bad.
Malicious Activity Summary
Glupteba
Lumma Stealer
Stealc
Detect ZGRat V1
Detect Vidar Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
DcRat
Detected Djvu ransomware
Glupteba payload
Windows security bypass
ZGRat
Vidar
Djvu Ransomware
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
Modifies Installed Components in the registry
Reads data files stored by FTP clients
Windows security modification
Executes dropped EXE
Deletes itself
Reads user/profile data of web browsers
Modifies file permissions
Loads dropped DLL
Drops startup file
Enumerates connected drives
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Checks installed software on the system
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies system certificate store
Modifies data under HKEY_USERS
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Runs ping.exe
Delays execution with timeout.exe
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Checks processor information in registry
Checks SCSI registry key(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-18 05:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-18 05:00
Reported
2024-03-18 05:06
Platform
win7-20240221-en
Max time kernel
302s
Max time network
307s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\94aa767c-f57b-4fc6-8a4d-55f687a3c830\\FAB.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\FAB.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BF.exe = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
Downloads MZ/PE file
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\35E1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7C55.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BF.exe = "0" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\94aa767c-f57b-4fc6-8a4d-55f687a3c830\\FAB.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\FAB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2844 set thread context of 1780 | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe | C:\Users\Admin\AppData\Local\Temp\FAB.exe |
| PID 1788 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe | C:\Users\Admin\AppData\Local\Temp\FAB.exe |
| PID 2928 set thread context of 944 | N/A | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe |
| PID 1776 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240318050408.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\35E1.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
"C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AC46.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\FAB.exe
C:\Users\Admin\AppData\Local\Temp\FAB.exe
C:\Users\Admin\AppData\Local\Temp\FAB.exe
C:\Users\Admin\AppData\Local\Temp\FAB.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\94aa767c-f57b-4fc6-8a4d-55f687a3c830" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\FAB.exe
"C:\Users\Admin\AppData\Local\Temp\FAB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\FAB.exe
"C:\Users\Admin\AppData\Local\Temp\FAB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe
"C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe"
C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe
"C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe"
C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe
"C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1424
C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe
"C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe"
C:\Users\Admin\AppData\Local\Temp\35E1.exe
C:\Users\Admin\AppData\Local\Temp\35E1.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\3CC5.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\7C55.exe
C:\Users\Admin\AppData\Local\Temp\7C55.exe
C:\Users\Admin\AppData\Local\Temp\BF.exe
C:\Users\Admin\AppData\Local\Temp\BF.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 124
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240318050408.log C:\Windows\Logs\CBS\CbsPersist_20240318050408.cab
C:\Users\Admin\AppData\Local\Temp\BF.exe
"C:\Users\Admin\AppData\Local\Temp\BF.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| AR | 181.99.122.153:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | www.uniqueweb.co.za | udp |
| ZA | 41.76.110.156:443 | www.uniqueweb.co.za | tcp |
| ZA | 41.76.110.156:443 | www.uniqueweb.co.za | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| AR | 181.99.122.153:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | sajdfue.com | udp |
| AR | 190.224.203.37:80 | sajdfue.com | tcp |
| AR | 190.224.203.37:80 | sajdfue.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| DE | 167.235.207.130:80 | 167.235.207.130 | tcp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| NL | 195.20.16.82:443 | tcp | |
| NL | 195.20.16.82:443 | tcp | |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | triedchicken.net | udp |
| US | 104.21.91.214:443 | triedchicken.net | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | carthewasher.net | udp |
| US | 172.67.161.113:443 | carthewasher.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
Files
memory/1736-1-0x00000000005A0000-0x00000000006A0000-memory.dmp
memory/1736-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1736-3-0x0000000000400000-0x0000000000477000-memory.dmp
memory/1204-4-0x00000000039F0000-0x0000000003A06000-memory.dmp
memory/1736-5-0x0000000000400000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AC46.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\FAB.exe
| MD5 | 9afae1e5aaf1ffd9a39aef0bfc360f1c |
| SHA1 | 25412f0e7aa8fa4584bfbfef5dee0746a07a0f4d |
| SHA256 | b90d1767ecd240187bf3814f38b22a6254f72b89d046c99c9f1a6b7aa6a5d4f5 |
| SHA512 | 44c1a4c2e17f067db01827432660328c2fa2536d31561594f7711c29999074ef39e1b98edeb268574921c52a11d081dbb9368e579ea2155756c4e4cf53e57761 |
memory/2844-26-0x0000000000500000-0x0000000000592000-memory.dmp
memory/2844-28-0x0000000001E80000-0x0000000001F9B000-memory.dmp
memory/2844-27-0x0000000000500000-0x0000000000592000-memory.dmp
memory/1780-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1780-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1780-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1780-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1780-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1788-60-0x00000000002F0000-0x0000000000382000-memory.dmp
memory/1788-61-0x00000000002F0000-0x0000000000382000-memory.dmp
memory/2492-68-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2492-69-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 0fb83292a6190a38b8b44f50fd97f709 |
| SHA1 | 1b8c217779da5dfa37e72b79e6b5bfbba505896a |
| SHA256 | 5e8bda4df54e2c095a153bad4c526516a92ff45b7513b92f8827414e49458fa3 |
| SHA512 | 68e4e0aeec5d5dfc6fe7d7b1913614df0af02c6e410d5a020fa8e059f8e2a78eaddee06603f847b132806d5da8214da85917e775b1fe3ad602a4bde84dcd4e7a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 30e368f8801f641c0643e3e8ed13e6cf |
| SHA1 | c8c1f507fe61e9c6765295d5257a32035134028b |
| SHA256 | 78b36c0768c634396635e73f1cc47415f3fcc9a223131f1d801c0fb4bc840f3e |
| SHA512 | 6873c135a320f9caf90748cd90d684605322a798407b28cf63506881d52bd67bb6334f7d961616c4059a188ae3617648f84d8d7d4ca30663cd32b8c1fc3edb57 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 70857a52684aed0daca38f0fee0282c8 |
| SHA1 | 4d2e664c6dae3908a2f7baa780d35d8e0c36a010 |
| SHA256 | 9d922fa24a57b9419804dd8ecf7ed8cacaa2fe523d5e6368f8d552972f5d5a16 |
| SHA512 | 8dcb89ee31204f664d2dc3982e24f2e8099106cd5b5f351502adc7a6159131e16f0c1fc53c9ced3eaf59298f569ee5fcdda67778a496e3772ebf0f1743873bf5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7ee53bc6e7586744d28a22440282643f |
| SHA1 | b8a703f0bd90316b208ee5ae9f342f593518ac03 |
| SHA256 | 58f79db18a49e33a1e82ca525ba3b49c1a1d2584898b199006ae69ccb263bffb |
| SHA512 | 77efb68a4d2ec36afc38bfa7de52680125d5f9d180c3c73272addfe9b1f952d80b53fcf66ac5ff62c0145381fc2cec19f85f3f5de343f9c3c781f3e4d88430f0 |
C:\Users\Admin\AppData\Local\Temp\Cab3B9A.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2492-82-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2492-83-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2492-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2492-90-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2492-89-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe
| MD5 | 47704f454af8641dac1af2e2768d7881 |
| SHA1 | e3341bfdec84f69684aecde18cab2864519c7728 |
| SHA256 | a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64 |
| SHA512 | 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25 |
memory/944-105-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2928-104-0x0000000000800000-0x0000000000900000-memory.dmp
memory/2928-107-0x0000000000230000-0x0000000000261000-memory.dmp
memory/944-108-0x0000000000400000-0x0000000000644000-memory.dmp
memory/944-111-0x0000000000400000-0x0000000000644000-memory.dmp
memory/944-112-0x0000000000400000-0x0000000000644000-memory.dmp
memory/2492-113-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2492-124-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\Tar59F4.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar5C6A.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
memory/1776-184-0x0000000000220000-0x0000000000224000-memory.dmp
memory/1776-182-0x0000000000960000-0x0000000000A60000-memory.dmp
memory/1600-181-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1600-185-0x0000000000400000-0x0000000000406000-memory.dmp
memory/944-192-0x0000000000400000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\35E1.exe
| MD5 | 00d3d15bddcdcb12d2b3415635a3778b |
| SHA1 | 6d07775acd0435589ed3c0e2563b063c19cb706b |
| SHA256 | 2c0ac289c78b3438d6662555818a2a159baff4d9d447fcb4ed15517fcad7b251 |
| SHA512 | 318d901e4310cd3bd8361bbd341311005d05b57591c35d74eab5553f8d0f8479d664b27f2f606f013a40b46f7e0d09e8564f9cff1b7bc76853b77d4a508249f1 |
memory/2128-214-0x00000000002F0000-0x0000000000FD5000-memory.dmp
memory/2128-227-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2128-230-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2128-234-0x00000000002F0000-0x0000000000FD5000-memory.dmp
memory/2128-233-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2128-237-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2128-232-0x0000000000080000-0x0000000000081000-memory.dmp
\Users\Admin\AppData\Local\Temp\7C55.exe
| MD5 | c00114cd21c605efb9f433a0a026d92d |
| SHA1 | 91266036843eb217edba0ab5728a1ea4e0577597 |
| SHA256 | 1fc7c3d55e038721889650c9cdf34b34a302892586756d2f2e4d8b3b9d1ecc9f |
| SHA512 | b98bd8ac8cd00cc574b61d96cebf0937796d880505567e63d11febaa1dcbceade0a725ab8051c5581a7922f7e37a71147e002c8e181fdc9da641e28ae6246a46 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2dbcde154784dd29a071ebe70f215400 |
| SHA1 | 1d9d7206c102a66b93b4a092bb35fcdaa9bdbf97 |
| SHA256 | 3cdf2e044ed45e7192e280a81bd8b331926ebc71fe579e1a5e97abf1aaae423a |
| SHA512 | b2f5d428d82ded18d0cbd1396486c3bba5dee10d71e936450bac78827962f66a6cec4e1c9a3d638602422de8f59a70c43402da6ddf33b6438e56e3b0568a48f6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 18f342db7bf388a61d2438eef33779d7 |
| SHA1 | 70b44d8a0f8abb9a51c97d4fe7c0ecadd80a968d |
| SHA256 | 9ea1f07776b717ca54e5cfa26cecea828f9bed9cc308374a75ce53a14f517048 |
| SHA512 | 1f1d5e0682661903e8e8fe7f8c3687d16f2787e2c24159ad96c03a95985e2306b6725f63558b91cb22c74271579edace41396dc727ee0bdec268d2ef6440aa3d |
C:\Users\Admin\AppData\Local\Temp\BF.exe
| MD5 | 18451e629b555a1792e7033e81d7e170 |
| SHA1 | 2567dc75290f6854d7670bb0f0db2c034ea88666 |
| SHA256 | 35c5391e67f45c635d47a12264d279180003f0d2378dc03de7c268b98ef88df1 |
| SHA512 | bcb8fcd0bd5e0d1e304a5b1a7f33ebe2d36a7cfefd321a3f188befddbb2252abac2050b8be2374f66df59acf98480032a51e835b313c246acd5578e250f2f517 |
memory/2052-356-0x0000000002640000-0x0000000002A38000-memory.dmp
memory/2052-357-0x0000000002A40000-0x000000000332B000-memory.dmp
memory/2052-358-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2128-360-0x00000000001E0000-0x00000000001E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\35E1.exe
| MD5 | 77852c53759b2c953027cab542ec51e9 |
| SHA1 | c3d8d36d99e5178897e61103002d43edf56fb9a8 |
| SHA256 | a5d1dcdc1e4aab187913489fc2a997397b8ba7e2a26ff91f969d64fa90902088 |
| SHA512 | cdda4e690ae2ef99093037218032145aea3cf6b67d32008f46bd9d8a58248e64aed8947506751356e9861eb0c6d9d78d230acf8d2d0bdf32937f1ac5a7c00986 |
\Users\Admin\AppData\Local\Temp\35E1.exe
| MD5 | 9e52aa572f0afc888c098db4c0f687ff |
| SHA1 | ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b |
| SHA256 | 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443 |
| SHA512 | d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62 |
\Users\Admin\AppData\Local\Temp\35E1.exe
| MD5 | 21259b589c498c73ff64f3f52e5f0f1f |
| SHA1 | 2849e84ae9d4628edb919a441cb8d723121f0733 |
| SHA256 | 552b3752553666bfab557271659ff11968fbffa72130b12ab21d51f9212b8263 |
| SHA512 | 964396160a4b1d8fbf2d8450dedce059118ff58a9d13741572748a924425e8d17d75a080656790ffd8f247e95284d956d3b3ce482fcbe344e87905fe6cd78027 |
C:\Users\Admin\AppData\Local\Temp\BF.exe
| MD5 | 1cfc57f78aa40c737bc85f48b4e8c68e |
| SHA1 | 60379d9bfb7205b24aa3faa7e5e2305a34c2c43e |
| SHA256 | fb16a0642b4ad6a192ffd053f7511edf9827c665289e1ac9ac0ee99dcc327656 |
| SHA512 | c81ebdeebb0303df2b1a6c8838c4b471a8a69922eae116fc6ed6f74ce6acf5783363eb87c4ce3d2657f4ba08916fc3151a9de55e4dd52fb65ed03d5c471e29d8 |
memory/2052-369-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2428-384-0x00000000025C0000-0x00000000029B8000-memory.dmp
memory/2428-385-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1212-387-0x0000000004270000-0x0000000004271000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 363510f38e2a03ca1560f18a41632df8 |
| SHA1 | 571fb78ec53495025b305c19a058bcbf2560759b |
| SHA256 | 8255d70d31ee91d3fe39d2afad4ae91cb4c1194080e15812d0c3ec07e464d969 |
| SHA512 | 384cc1a6a28dfe06ea5ad41090f940fc829eb7c6f865963dba615b09eccb3bb967b1a240a192968b67b578e5a97a6d70dc01b0be6ae1305bbdc11b125fff43b8 |
C:\Windows\rss\csrss.exe
| MD5 | 0007c87c3be80582157c775489efea2e |
| SHA1 | 101fbf91e85a8f3eb2550d42e90bb66562cb30b7 |
| SHA256 | 4f5841784853d08f39c563fd51202c9067e2a0bcd647c2e5d41e8ce541ee98f9 |
| SHA512 | 8d46f0da5a8274a2f46396dfe8afb69e5dbb16d3a15733ef0ac1dc803ff90263888bbfc53df8d609ec076625cc4ed86e870edfcd5ff8424f8dd33ad0416c29b1 |
\Windows\rss\csrss.exe
| MD5 | 1cd5c9a7b01911b28b167987c9e822b2 |
| SHA1 | c999d26b1f7a5f97cb2aac9a88bdfb5fa6478c0e |
| SHA256 | b47f1783fc2d793d1ed6e8b0d5b4d0802e5c658228c4ea125f37e8054936f9be |
| SHA512 | fe90b1dd096c51c375b5e9878c3371d08a0b10dc90c9614c4634f5b54bdf7a37f69ebce7d5c846037695104d1d47cff64d73cf34bb9a2fff9c090d38c8a743fb |
memory/2428-397-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2372-400-0x00000000026C0000-0x0000000002AB8000-memory.dmp
memory/2372-401-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 1447669070e9338158bd188954477739 |
| SHA1 | 03c7da5d50dd1439b57f9335e1b07c3fb85b6494 |
| SHA256 | 4a449d206777534b5f5169a3686e2f414da0e2bf9fc358b79566053c691f28da |
| SHA512 | 9790c42ecca69995e727e30cd870603cbc24e6e0a4009245eeed52caaa11ec34e8938d5408b7fea441bbfe818e95a4d9a86c755e68a9c03caee39adae4349bf5 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 897c371f0a435e6bf8df7cf3b04606bd |
| SHA1 | a93f9aca0b3eb22b419ab0490eeb01318f52c9aa |
| SHA256 | 35fef4ef1ac40cc6d7e52722898737d395c331f4b7a257cfa930831a53f950a2 |
| SHA512 | 2d32906fa7d534695e3036107d25f694c1db9b7c8a307e4eabf28ff263286ff168e93c18b575d1cdbd4ff81c694a0df8ba211e9c53ada9dc15db830467d1456c |
memory/2988-409-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 247937c88190a3ac477a6bd45c892409 |
| SHA1 | d6cebdb2026a248b2fedb9026f9e1427f1936478 |
| SHA256 | fd4f6b9dbcc29a4c31700bdb12ce32eac8875730a8e8dd633d725f9bddbac2f5 |
| SHA512 | 893ea7e06f85b5ce2d5b8fa3456cc17abf72675e33482e25e47af02f5c526e1e6fec36dacc3c68b79063348de8aed847803648dd06923458086651c1386261ea |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 396d51721693d4f2f9f317265bf29bf7 |
| SHA1 | e0560869602d62ca866d5b6b0023ba169ab5aa0a |
| SHA256 | d1fe95635221230a84d613b5bd11588a133ceb47c0acaec5499720e5a1eb32e9 |
| SHA512 | f056f45e6d0369ed1093e65df4a050add876facab2b208880b6447806a85be0a1a986d0b5472ead3e923a025ed3aacf4320ca8faa91b000b3c844f8b07099970 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 0b393afb1dc97b94195bdff76a72606b |
| SHA1 | 1733c6244b574281a39aef547d751def2a7c3705 |
| SHA256 | 8eead92e3b6e171bc9e360a553d4ad162feea7779c1e5493c96d9c6c5020de4a |
| SHA512 | 8ba0e997f2e80d6dcdc9c87a3d012876415717cf0071b6819b656d830fcbb7cb6d16be9cc52c5e8377ae238999231324eec36a7bc32501c611c081db08be3ce0 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | bcdb8640ff1a54de6e251c2bc17b0594 |
| SHA1 | c4928227350c8467ec21d42d32c8997c7d36d742 |
| SHA256 | 722cf751b78a3ad8e446dfbba7d20855f6ebff69dfc7b9037a293a5e5fc8cae4 |
| SHA512 | ba95b9055ccccc4e55b4fa248269872c93f73512ce4ad0d0cc7f33c27a50876b17503b6c5c6a48564b17b3bba6eb86f65d92bd42e3733c56f6eb6770570e48d4 |
memory/2988-423-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57f94e292db54af58ec8d6711873f673 |
| SHA1 | 4649827ba39428dfbc574977e2f3ab4019243501 |
| SHA256 | 335db7c9977ee100ddfaeba0786c9a7f34b79458dc18dad69f407ad3a7e2e4f2 |
| SHA512 | ce4ab8ebc8c494877416339e15b2325e94c561b126cbf946a56a480f42a0e046a8a66c8ab6724a29b81574defef91e00bbf345df7b6944fc11cef3927d22d99d |
memory/1212-488-0x0000000004270000-0x0000000004271000-memory.dmp
memory/2372-490-0x0000000000400000-0x0000000000D1C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-18 05:00
Reported
2024-03-18 05:06
Platform
win10-20240214-en
Max time kernel
277s
Max time network
295s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1440 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\674\Http.pif | C:\Windows\Explorer.EXE |
| PID 1440 created 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\674\Http.pif | C:\Windows\Explorer.EXE |
| PID 1440 created 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\674\Http.pif | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\D77D.exe = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
ZGRat
Downloads MZ/PE file
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url | C:\Windows\SYSTEM32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F463.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CDCD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F23F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E9B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B667.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\674\Http.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C0F7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\674\Http.pif | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E9B.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\D77D.exe = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1076 set thread context of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\F463.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4496 set thread context of 68 | N/A | C:\Users\Admin\AppData\Local\Temp\3E9B.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| PID 1696 set thread context of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\C0F7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1440 set thread context of 4580 | N/A | C:\Users\Admin\AppData\Local\Temp\674\Http.pif | C:\Users\Admin\AppData\Local\Temp\674\Http.pif |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rescache\_merged\2717123927\3950266016.pri | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| File created | C:\Windows\rescache\_merged\4032412167\2900507189.pri | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CDCD.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\D77D.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f9c000000000000002000000e80703004100720067006a006200650078002000200033000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000069d012d9f178da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e80703004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000100000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000ce63bed7f178da0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e80702004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000026f2fc246d5fda0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133524060308000891" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C0F7.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe
"C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CD72.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\F463.exe
C:\Users\Admin\AppData\Local\Temp\F463.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1216
C:\Users\Admin\AppData\Local\Temp\CDCD.exe
C:\Users\Admin\AppData\Local\Temp\CDCD.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D09C.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1028
C:\Users\Admin\AppData\Local\Temp\F23F.exe
C:\Users\Admin\AppData\Local\Temp\F23F.exe
C:\Users\Admin\AppData\Local\Temp\3E9B.exe
C:\Users\Admin\AppData\Local\Temp\3E9B.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Users\Admin\AppData\Local\Temp\B667.exe
C:\Users\Admin\AppData\Local\Temp\B667.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 674
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 674\Http.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 674\F
C:\Users\Admin\AppData\Local\Temp\674\Http.pif
674\Http.pif 674\F
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\C0F7.exe
C:\Users\Admin\AppData\Local\Temp\C0F7.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\Temp\D77D.exe
C:\Users\Admin\AppData\Local\Temp\D77D.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
C:\Users\Admin\AppData\Local\Temp\D77D.exe
"C:\Users\Admin\AppData\Local\Temp\D77D.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\674\Http.pif
C:\Users\Admin\AppData\Local\Temp\674\Http.pif
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\svchost.exe
svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 197.159.94.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sdfjhuz.com | udp |
| SL | 102.220.249.156:80 | sdfjhuz.com | tcp |
| SL | 102.220.249.156:80 | sdfjhuz.com | tcp |
| US | 8.8.8.8:53 | 156.249.220.102.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.uniqueweb.co.za | udp |
| ZA | 41.76.110.156:443 | www.uniqueweb.co.za | tcp |
| US | 8.8.8.8:53 | 156.110.76.41.in-addr.arpa | udp |
| US | 8.8.8.8:53 | theonlyreasonwhywe.pro | udp |
| US | 172.67.218.191:443 | theonlyreasonwhywe.pro | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| US | 8.8.8.8:53 | wisemassiveharmonious.shop | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | colorfulequalugliess.shop | udp |
| US | 172.67.185.152:443 | colorfulequalugliess.shop | tcp |
| US | 8.8.8.8:53 | 191.218.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.185.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 104.21.51.243:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | 243.51.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nessotechbd.com | udp |
| US | 192.185.16.114:443 | nessotechbd.com | tcp |
| US | 8.8.8.8:53 | 114.16.185.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
| US | 8.8.8.8:53 | 59.39.141.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| TR | 94.156.8.100:80 | 94.156.8.100 | tcp |
| US | 8.8.8.8:53 | 100.8.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 81.94.159.197:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| FR | 142.250.75.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 238.75.250.142.in-addr.arpa | udp |
| NL | 195.20.16.82:443 | 195.20.16.82 | tcp |
| US | 8.8.8.8:53 | 82.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gZrMmkMPXNMnXLftODCxOMCJtQlce.gZrMmkMPXNMnXLftODCxOMCJtQlce | udp |
| US | 8.8.8.8:53 | www.upload.ee | udp |
| FR | 51.91.30.159:443 | www.upload.ee | tcp |
| US | 8.8.8.8:53 | triedchicken.net | udp |
| US | 104.21.91.214:443 | triedchicken.net | tcp |
| US | 8.8.8.8:53 | carthewasher.net | udp |
| US | 104.21.82.182:443 | carthewasher.net | tcp |
| US | 8.8.8.8:53 | 159.30.91.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.91.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.82.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| FI | 95.216.123.85:80 | 95.216.123.85 | tcp |
| US | 8.8.8.8:53 | 85.123.216.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-us-west1.nanopool.org | udp |
| US | 104.238.180.207:10300 | xmr-us-west1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 207.180.238.104.in-addr.arpa | udp |
| US | 209.141.39.59:443 | dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly | tcp |
Files
memory/96-2-0x0000000000570000-0x000000000057B000-memory.dmp
memory/96-1-0x0000000000760000-0x0000000000860000-memory.dmp
memory/96-3-0x0000000000400000-0x0000000000477000-memory.dmp
memory/96-5-0x0000000000400000-0x0000000000477000-memory.dmp
memory/3392-4-0x0000000000C90000-0x0000000000CA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CD72.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\F463.exe
| MD5 | 1421ea7453ce9591f7e34fe27c60ec64 |
| SHA1 | 323f57dc3e5162ce587193feb94523659bff6d7b |
| SHA256 | 0efbfc7d5a16c3aa07e8420ef2447e4bdd2dd7556e353f4d1d10d42a61d1a615 |
| SHA512 | 5c6ab2729452157be0cfb715f298ae81db12e40c69b081734797fd0cee79470b5c5df127337e1bca31087f55167d764ab2287e08a3895917176464eb8761ed29 |
memory/1076-20-0x0000000000590000-0x0000000000606000-memory.dmp
memory/1076-21-0x0000000073450000-0x0000000073B3E000-memory.dmp
memory/1076-22-0x0000000004F20000-0x0000000004F30000-memory.dmp
memory/2968-25-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2968-28-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1076-29-0x00000000028A0000-0x00000000048A0000-memory.dmp
memory/1076-31-0x0000000073450000-0x0000000073B3E000-memory.dmp
memory/2968-32-0x00000000028A0000-0x00000000048A0000-memory.dmp
memory/2968-33-0x00000000007E0000-0x00000000007E1000-memory.dmp
memory/2968-34-0x0000000000400000-0x000000000044B000-memory.dmp
memory/2968-35-0x00000000028A0000-0x00000000048A0000-memory.dmp
memory/2968-36-0x0000000000400000-0x000000000044B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CDCD.exe
| MD5 | 7105665581245cd0aab6feb437b9c0c6 |
| SHA1 | a71c98c935628e2dfb92446de406e755558bee27 |
| SHA256 | 8008e7add0cd8b03960d961b20b6f58dc9f02bbb246ac16fda9d214f7a62714f |
| SHA512 | 4122c64170063e3f65f66e33016ee42590cf9392c042b840341557f746f23f2a2badc7cfa0de53dd386e2abc9649a7ce8143b96da1481e4679ce76e18396b5ef |
C:\Users\Admin\AppData\Local\Temp\CDCD.exe
| MD5 | 35c4383a85f2039a72ecd1e1145a013e |
| SHA1 | e3a3e799d5d9ae1562b5345d6679a636a1bb1853 |
| SHA256 | 6fe972f418a3f60be8e01c31e8d3e487d13eefb301647edf950c5e75aae0a0d7 |
| SHA512 | a22d08857d9479bbe7d320af04f9592fd8b99cff980fda4e1e8b09cd21eb850405248f95c1a9d4771ed27b38700d5d795265469dfb219a761a5a4c3f70e4098c |
memory/2900-41-0x0000000000E90000-0x0000000001B75000-memory.dmp
memory/2900-51-0x00000000007A0000-0x00000000007A1000-memory.dmp
memory/2900-49-0x0000000000790000-0x0000000000791000-memory.dmp
memory/2900-52-0x00000000007B0000-0x00000000007B1000-memory.dmp
memory/2900-53-0x0000000000B90000-0x0000000000B91000-memory.dmp
memory/2900-55-0x0000000000E00000-0x0000000000E01000-memory.dmp
memory/2900-54-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
memory/2900-50-0x0000000000E90000-0x0000000001B75000-memory.dmp
memory/2900-61-0x0000000000E10000-0x0000000000E50000-memory.dmp
memory/2900-60-0x0000000000E10000-0x0000000000E50000-memory.dmp
memory/2900-59-0x0000000000E10000-0x0000000000E50000-memory.dmp
memory/2900-58-0x0000000000E10000-0x0000000000E50000-memory.dmp
memory/2900-62-0x0000000000E10000-0x0000000000E50000-memory.dmp
memory/2900-63-0x0000000000E10000-0x0000000000E50000-memory.dmp
memory/2900-64-0x0000000000E90000-0x0000000001B75000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F23F.exe
| MD5 | 450039a02217c53bd983eaf1fd34505a |
| SHA1 | 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda |
| SHA256 | d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0 |
| SHA512 | cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080 |
memory/2436-69-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3E9B.exe
| MD5 | e1e7d85a00bffe0f041a397629f015dc |
| SHA1 | 183c4c167ca1dbaabd8873628ec59764fcbc6da9 |
| SHA256 | 55bb4c22b5c15f92c66c447afbab1f5d36720fa05a5bab3f7d67c5a5e44f075e |
| SHA512 | 9f1acf1f42da9f7bde944edc728c22f8b30e6dfd58bba042ef54eacfb444d79a61615e6481ee46667c5ff78ac2e4ac8c3c86c321ee763bcd5b2194715e7a8a09 |
C:\Users\Admin\AppData\Local\Temp\3E9B.exe
| MD5 | 175f44aacfbd36443175aa7fc29c285b |
| SHA1 | 798972037500bdc3699940a14c042b1e413486f6 |
| SHA256 | 2f5567968b8129d297698c1b0d4db583c939fbd822f01b8fba401b9985491b0c |
| SHA512 | 658872faabc4b193bb118777686a6be4f808de606e760ef2fe14a968c59d74d137c05aa7cba9ef77c96d92e6e027f62348baff709c037f2be1bb3a05052741dc |
memory/4496-74-0x00000000728A0000-0x0000000072F8E000-memory.dmp
memory/4496-75-0x0000000000840000-0x0000000000D94000-memory.dmp
memory/4496-76-0x0000000005630000-0x00000000056CC000-memory.dmp
memory/4496-77-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/4496-78-0x0000000005DD0000-0x00000000062FC000-memory.dmp
memory/2436-79-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/4496-80-0x00000000728A0000-0x0000000072F8E000-memory.dmp
memory/4496-81-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/2436-82-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/2436-83-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/4496-84-0x0000000006300000-0x000000000653C000-memory.dmp
memory/4496-85-0x0000000005C00000-0x0000000005C12000-memory.dmp
memory/4496-86-0x0000000007680000-0x0000000007812000-memory.dmp
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/2436-92-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/4496-93-0x0000000005C90000-0x0000000005CA0000-memory.dmp
memory/4496-94-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/4496-95-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/4496-96-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/4496-97-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/68-99-0x0000000000400000-0x000000000063B000-memory.dmp
memory/4496-98-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/4496-100-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/4496-102-0x0000000007D30000-0x0000000007E30000-memory.dmp
memory/4496-105-0x0000000007D30000-0x0000000007E30000-memory.dmp
memory/4496-106-0x00000000728A0000-0x0000000072F8E000-memory.dmp
memory/68-104-0x0000000000400000-0x000000000063B000-memory.dmp
memory/68-107-0x0000000000400000-0x000000000063B000-memory.dmp
memory/68-108-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2436-146-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/68-147-0x0000000000400000-0x000000000063B000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2436-169-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/2436-170-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/2436-175-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/2436-176-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
memory/2436-177-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B667.exe
| MD5 | 7769e93085751e0b35729827dc22e8d5 |
| SHA1 | 1d20bac0f5e0e8e28d466834463463cc911a5baa |
| SHA256 | 8dd36a9b8a11b166aab0584253115650ec392591e7958c0cba3f1adef483f402 |
| SHA512 | b3b658440f973b7e913681e645b21aa6c102fb4d43480f5e9952f756bfd42288bf2e56a4fef02929994d09cf82c857a7772eb1b6703ab69f924383a2ecdbe56c |
C:\Users\Admin\AppData\Local\Temp\Jeffrey
| MD5 | e121db542d18a526f078c32fd2583af5 |
| SHA1 | 69e677442ccb6d6fe1d2a3029cf44aac473f5f55 |
| SHA256 | fcaf08c62c974ca0fb7537213a7867ab0f9fb41e52dde118b758b7ea05f63ca2 |
| SHA512 | 9d8c2bd284a624b68a2fafd93445648f69ffd47374f1d3cfd1857d2951bbc2a6cbe971fdb5e10d5f513dbb5188d59ee8e5715c86e3a1bf23e6df7feec960bebe |
C:\Users\Admin\AppData\Local\Temp\Sitemap
| MD5 | 9aa3fa871956c05e6c502841714a3ca3 |
| SHA1 | fe9b5580fd142b32ee94342e5403ff9454517f9e |
| SHA256 | fdd3ef368438e0267bb64c89cee31fd6d4cd4207030ff12c14849ae3eb97ea32 |
| SHA512 | 70046f0cd491c13d73a17969a325000c1daa303ee7c7b30fb56cee784002c9d309ff6aad2d9df30b9b80b3f257303a678a01050e24bf6ca92c563a27f0302873 |
C:\Users\Admin\AppData\Local\Temp\Sublimedirectory
| MD5 | 9ac55fb2a8700521a9fc03c830483b45 |
| SHA1 | 07d4aefbc148a0f3af2543f9dc9e07f0a1e9ebb6 |
| SHA256 | 964d3d31f56f7147c8b25f0d26223808aaddc704d13749e282be5e75330c66e1 |
| SHA512 | ae2b430466ffb8fc4a9e943d514e812cb4f3d4db6260575c36ea5141ea9e0c28d5a92b2a2e85eb96757f87e2efe7412bb3ca5208c55373ce51f608321f0f2505 |
C:\Users\Admin\AppData\Local\Temp\Cow
| MD5 | 3e929f7b28251914c43d3435f2f437dd |
| SHA1 | 9564974824f4fe1b9b6bdc5bd1e1065fc11678bc |
| SHA256 | e870073c8d6fe150149ec7d7fba4e948f7efca3ed51c86fe81a86a60f7e906ad |
| SHA512 | 41919c496f7989fd7ae2c3d3b122ee69ec3c2f4c89bea0247f6b19b3d8b78fa4264b8733efc707cd98d25f68a15937e644f31eff36068035b0c94a790efd8478 |
C:\Users\Admin\AppData\Local\Temp\Rss
| MD5 | decffdc214d187300d81458730076975 |
| SHA1 | 0d26a032a42e2b1d6cce51c88262fb99d5d85045 |
| SHA256 | 81c7087173132ecbecf5d04a7eefc5074d0d2fb54b46f48416f6a2e211a4e927 |
| SHA512 | 615dcffeeaeaebe4d83aa5e8e31e7c48c2ef6ba60890ba92f09ba0b482e1b163e778c46134ed032ccaf1a0c77bfcd9b9391c7b0528b7e3a1274db0bbf4249c76 |
C:\Users\Admin\AppData\Local\Temp\Josh
| MD5 | dbb02def36f898899c81dbe071eaaf75 |
| SHA1 | ddd36cf26cffd70cdca8ffa36fc13097c56092c3 |
| SHA256 | 431dfb2a32ca2bdc4f43a7d35521abceab83b069f7a63845e1eccc03133cc1ea |
| SHA512 | 115536f35f7e99919fd44742199aeebd17979e84bc8f531bbfd019f7641a838bbc8011b8df046563f16df269f6c5c8c7ab900db6f7918026fbe2366b4a88d3a1 |
C:\Users\Admin\AppData\Local\Temp\Cdt
| MD5 | ba823d75b6712149e7241d1c2f6695ef |
| SHA1 | 9f351074e85afc8254aaa5df0561377c8b68874c |
| SHA256 | 7d9468f4301186c054a25dd5290770a9acec5c3e03937a5a99ae17d0af786377 |
| SHA512 | 563c98418647956e8892b855e6a9c9b5994e50f8a41c2857c0a06abf59151d729ad53676d38e1f6addd7186b3f707ce06a313f5a3482327624985f9f50bc8167 |
C:\Users\Admin\AppData\Local\Temp\Thumbnail
| MD5 | e68e0d804f78aadf2b7da5190971cc56 |
| SHA1 | b10f5a2dfc947cd7ecdc14bbf37ab4ceb5e1eaf9 |
| SHA256 | fe05a76fbb09e4fa60386db924b5bff738c3ce9be3bd0a1f9c082317c8c86bee |
| SHA512 | e5600c6ab0f3d41b47c0b92f5e32a26eb42ca34392a9e1ba373e2b0b7f884ae4c47949dee26a05ba20a3467299f01b4e50aa2c2acd1a47f5152a83e2abfa7cda |
C:\Users\Admin\AppData\Local\Temp\Tamil
| MD5 | 5b825ccfab154d5de20e806e687ecb89 |
| SHA1 | d311d7b23a70f5e1ba875e020d37e05a3a4c4552 |
| SHA256 | 19d5510298ed882c13538159f6d600afb2b0cbca2e21307b23d4ffc7b951b436 |
| SHA512 | e31cac21acdd002e14b7e40cf0af6efb65ed3b803348d885ca2dc5d38b4b3b03b1548cb78258515a1cce9b6eccefa31fef02ed6212b0e9170c4e4ba71e9d8f03 |
C:\Users\Admin\AppData\Local\Temp\Powers
| MD5 | 0c851a1587662cb3c4b3f4e79b9d40e4 |
| SHA1 | 405bcebd4ebefa55e2e51fd9a5f9a468f25020e5 |
| SHA256 | 869aadd31861f94ebedb8c7601f310b4c87091c950040cb56115e83801955e26 |
| SHA512 | c9fa7643f8c0dda69eea577dcb3868f20f22c68f49e9726f2bd1cb9f4b134a31ea5d5fead51577ba29f795de394549396dff55432df232baba40f025ac2593c8 |
C:\Users\Admin\AppData\Local\Temp\Canal
| MD5 | c3a1a56b238bd452b6b59169cc99ec03 |
| SHA1 | 88a35ade6f7f14e2df8d731317afc72612074a51 |
| SHA256 | a1f3e11d023c1b288bf20d8290fbb532397bcf5de9b5094ffd9e01faf15af90f |
| SHA512 | 163287a8864978a7de323e61e5a168b75e97dcd36e8448a00d05f2e8c00b2a9c878e372a56f12288bb92c86f89a6dd6d56ae0282fb09d919e7ffe85349643525 |
C:\Users\Admin\AppData\Local\Temp\Patricia
| MD5 | d9bd01e58c378e5a43b47b93ccf11b30 |
| SHA1 | 4f57381303c5cb2d6f0012d190ce11d696efde77 |
| SHA256 | df1836f2bef8704260148cc27c0f83b54e7bba141cb9274de315082f55983d1a |
| SHA512 | 4ed8db053adec650c71c34c843173bc2f25078ee37099ed91ad922ca57346dfd543949fe14d70b158aeabb0a0c69219548b44866c701cfe45e3c2954a1a00755 |
C:\Users\Admin\AppData\Local\Temp\Debut
| MD5 | 309a79e7ee30ead5653c0e33c937bf20 |
| SHA1 | 808165ca516179e0749cd74b57ebf2ec92e77a9e |
| SHA256 | a8801707877eed3c2e26a3c17dfe73fa1f497e0c7c50510a2209752f2d28c233 |
| SHA512 | 0bde1c86c60452f042d5d70962d1e78483ee33d69cee5a9fefc47681b9136ff4cf64ba2b2197f050d97f5ff26161e4b79981f1a848f25f48957f2660a706a6b8 |
C:\Users\Admin\AppData\Local\Temp\Hobby
| MD5 | cd17d8568d3cb4f7a115c0c9657aa3c1 |
| SHA1 | 389429708df886ee004b3d4c54cbb9a2e089859e |
| SHA256 | ed71c9321bf22505bc8aeb4eada537151b1d0cce36d4a68a63c312e1d278be3d |
| SHA512 | 005277a31916c4f81780ede19a26e735a302db57f97b0c643ca1a959165b54f7c911a7ee1d1c79e0df599e9c201d3daa9f7cc48359367753fa152a04a739cd33 |
C:\Users\Admin\AppData\Local\Temp\Breach
| MD5 | 9324e493902fe2c6ffcf04f088c34e08 |
| SHA1 | 866c7b4c73f99f673dd3f2035e34d843c262f256 |
| SHA256 | 6f50e1f49fca502dbab2f5d9b5ed372870222ba77e4317806a27bdd032dfd222 |
| SHA512 | c1d4bbd0444d2bbfb255766c846ec71623833b887609f995a09c95e323ec39137d74d8b55229055561fa2248418fd7cf28f531d467ed79f292f41518d3cee9e0 |
C:\Users\Admin\AppData\Local\Temp\Cos
| MD5 | c8599aa35a19083f6c5f80151f55315c |
| SHA1 | 3e315507bc934d0ebdf68328b5d60e7fcab41a3b |
| SHA256 | 339dbf69ba0f0dfbc7d4833ca4900017f2ab5999484e1194041a538589867e7f |
| SHA512 | dc6d2169226606b2880f02cff18eeda182ed39dc55fd29626cfeb464c6c59fddb7f079bfc7386dc30f9fbc089fc8e40649f5b109fbbf172a2710cdd7814ecdf1 |
C:\Users\Admin\AppData\Local\Temp\Novel
| MD5 | 9c5c2a336e6c94e60e8ca1a981235806 |
| SHA1 | 887ed6cee2cc4b3da3acceb5b0553b24ec0e6617 |
| SHA256 | 7726ad699b2cfa9778d6dc2c289c9a4f46b0d9a7c5db2e39e76f18e43ac86070 |
| SHA512 | 1aa7daea097f7064bfbeef2621c4d88b08c77af0b6047cb78f84d749f94a49674f72b007e7a8422407aa045a12dd72d74a53df50811a2ca6eefb2eaf3446c2fb |
C:\Users\Admin\AppData\Local\Temp\Capabilities
| MD5 | d34ef2c6ce15a8747df5431a864f0613 |
| SHA1 | fe62b64f13b149525066fe73f227df044255cddb |
| SHA256 | 879e43c64cb2cb8fcb5df47040d65e4127997f5b845d0a87692a632af3ae04b9 |
| SHA512 | 0e0dfcd55a61c0d42a262cf1fbe7b29d4c10a60902986030d784aa9abdb60fd1e76ba7ca4a1e62b89a90c00b6d02874e827801faec8adcb113209152e4f77c24 |
C:\Users\Admin\AppData\Local\Temp\Neural
| MD5 | 4c5c9f5368402dd77d8f8e0c31951625 |
| SHA1 | 719e5a648399121cf1402d36734631f95c723d18 |
| SHA256 | d7d7df376fcf36b624b6b7c42bac9e409997daf2533fb13b47df979080bd89d7 |
| SHA512 | 1077177e69ca516d7fac2f48c650407007b05e6867140f0349779dc9e315da2291c8ecbf63d87533f86447c9920d83dbd1c509f9b97d6e653445cdd6661460ba |
C:\Users\Admin\AppData\Local\Temp\Translations
| MD5 | a40fabfc3d4fe0e77cf03156b0541015 |
| SHA1 | 7a8c301d0a3834a212af25812cb9f51afa8425d4 |
| SHA256 | fb58698a4c4b63b75f32a80188681d5a7489ac856c2e4f66040ec75d86594864 |
| SHA512 | f34e5b24f65916dad8cb8bdb920b008b3110dc89f0fd7de378c1dde905738572921098286f2bcc8df1615a4f4dd638c28cef8decb0ae68a8bba29600dd249c11 |
C:\Users\Admin\AppData\Local\Temp\Shapes
| MD5 | 7aaaa1a6965448912a128a631bbd06be |
| SHA1 | d3917e8d8780c9296c6bba2066a3fccd08e04253 |
| SHA256 | f9dd85538a77f5e563a03d1d846b2ed4e447fc002c4a3f35f6630fb6b068bf85 |
| SHA512 | 02f233fa2df94f057eb453a571e5ccbe882dafb71a5f65c5ad159ed1aa56157dcf25fb954b9340dd43de0e4413b89447bcb5b5664c6966185710df9802474b52 |
C:\Users\Admin\AppData\Local\Temp\Warner
| MD5 | f83e3a79f793337194e79e4bb5c3b073 |
| SHA1 | 6d4ef4fc71fbabc6f56265388d87d997e47194dc |
| SHA256 | e6c10154860c14f05f94129e411439105ea9da7fe9bb372b5cf107978aed6844 |
| SHA512 | 5133a73e3c9da5cef73cd6504e2bdfad81517a1b3dd8e3bd970ad6c2ba8fd02e305cc7b0884771b313ce44fd181e685be5c21426ed1c6d098bace464c5a02775 |
C:\Users\Admin\AppData\Local\Temp\Ancient
| MD5 | a02c222cf530ee003a3893c4c78770c2 |
| SHA1 | bdaaf55f6f97ad1c4493f1bb7b683cb3f47aa0f3 |
| SHA256 | 192ca40b43714d9220f9c753befa6b87c9d95ac36d2eea8b762c67e1267981b5 |
| SHA512 | 1225b9d79b853801089c216e75afc3ec093337858cf54657a746c43e6392aa66f9fdbc922bc13472f41407947acde71d2a2cabbdbdd34241e56410d7d61b0368 |
C:\Users\Admin\AppData\Local\Temp\Able
| MD5 | 13fd06533f068d719a2b9f300096ca41 |
| SHA1 | f054659e3fb8516b759b8f819d12acb9c173ab6a |
| SHA256 | b43ce17ba094fb6dbfffb9d06874f74f17acc0ca791d49fc2a0e83eeebda06f9 |
| SHA512 | f8cc9e163900c0594d2d76d0b8cc5a02399c15b68341ec7dd336abb754f7360b9b75623fa3666a1cf8df080e11ef1a759197076b0c7275701812e3b6e02c0422 |
C:\Users\Admin\AppData\Local\Temp\Plans
| MD5 | 5e136f53a54f61eeb099c76021dba233 |
| SHA1 | 1b9f5ffa3b8c1cf3a1ce8fe58786e2b3617825d3 |
| SHA256 | ed6ad54fc60499182bf34b7dd96c25c04ff155c33fbe205b2579deb03f15a041 |
| SHA512 | 493110347fa229d48e4c6d8a735dc56bfa34d5da3b70d485c56ef35d47b92d694e0ba84784487168be98931699bcf019ff1d831f1dffc2fde1fd27aec7ae03a8 |
C:\Users\Admin\AppData\Local\Temp\Greg
| MD5 | 265344b2c8ca35ae60227ff6639481f5 |
| SHA1 | 49bf4e7aab05a697409a4cc8f04c5b2ed1e78e79 |
| SHA256 | 349c58fc4a15001ff0875d2a9f797d536045804c99350e0f43203ade07c41b59 |
| SHA512 | 2248bd383433d3dd541eb74f3e2404f83e1f379b11d9e7de9bf6903460cfba9b1955d089439883126ce6c08a67a3e12beb63126a74a1a86dc461ca8f232f442d |
C:\Users\Admin\AppData\Local\Temp\Fist
| MD5 | 71afb2f733859a29cfcf25e58625284c |
| SHA1 | 248df6b7026fd2771dd65ed3b542ca0185dbb6dc |
| SHA256 | d57110136c0fa135b3dd2f4b83d48af60fc8d918372aeec2a3eac0333135f120 |
| SHA512 | 047874d945a67bda6f9e1bbeedf15e728be8ed212683f29dab0ee6d3d26a1265f1b3ab008e8b10c7c8bf6a5bf37f1ca637d54eb5ae99dd7ae67ff4fcdc16e5af |
C:\Users\Admin\AppData\Local\Temp\Go
| MD5 | b153dbfec41fa6a8b005978bc571befe |
| SHA1 | 9752d98549edff58b4c0ede5a654832c22f97d38 |
| SHA256 | f59cbe377d6d4df992d6caaa0ccbbe7a5506741c9e63a716a0284cb2ae720814 |
| SHA512 | eef43707eb9b7e047a8c8307ffac9ce4b1eb0383186280b9112eb278e4fb97c339e14cbbb334eaf9e13719280978a12c7d8d3615e8ab25e176530836799c002a |
C:\Users\Admin\AppData\Local\Temp\Necessary
| MD5 | d2635aadbd169174c362c0052a33e396 |
| SHA1 | 601bf240df1f218670acda168020ba7736cf821c |
| SHA256 | de7612db6d35cfd9670d56dfd6497802bbcda88c787e6b83b1438df598bd9e96 |
| SHA512 | 0cdfb4d1560a01a6c5c1406ee7f2ac27229756a7bc35865a3437e05443b9e6eb9ed18c04131268d190c33d03a05c7190381be828c1208ecd0819bade943d2a58 |
C:\Users\Admin\AppData\Local\Temp\Robertson
| MD5 | 547c335ac69f9da2f963745762672f44 |
| SHA1 | f9d6f6c943b91988020176a827f592f8f46f2670 |
| SHA256 | 8a7e8e502a6041ccac7c06b222cabc9e7aa39523a1c5edc33097e5506b6ad3cc |
| SHA512 | 1a1561b11224c74dbe791ee12c67e74ecbb8f8d63720a392ea1f6c9f0b448ff226ae920253e6a00023db74963c83605c82822722b1cc3c2ed8bf6862b22f497c |
C:\Users\Admin\AppData\Local\Temp\Mpeg
| MD5 | af66ed102029338945a5ae7af6e68867 |
| SHA1 | 2a590d37a9e25203f41fe28be7b3702bdac34e28 |
| SHA256 | 4f5603c2539d330e9576ab577fe08cd58e6a191620e962c570af439ec4808c6b |
| SHA512 | 83d5afa258752706ce85f5e57a59e04e0c8e2e856eb12d4e419237eaf2669bf1ffbd1ab87eabc34e0e7c3e4584a4288aa39285cfbfd398d04f8bd2248cf27609 |
C:\Users\Admin\AppData\Local\Temp\Drain
| MD5 | 99667047563ffb1f92319045c1fa496f |
| SHA1 | 9eba1534190dac88d7231e00cf2372477479a262 |
| SHA256 | 3f6dfc93ffd2c876839d824993a4234df1d16a3f0b5d284c66e32bc2264867ea |
| SHA512 | e8d39f341df2decde92d2bf7066de6ccf3b3b2d6c4e57d353a60ee409fb7d54444d55e8c02a266da4ec94e719e149685120c72c6db7c35e863cef7f1f844c9d9 |
C:\Users\Admin\AppData\Local\Temp\Islam
| MD5 | 5e0c4a84587a2ba5295805c9623704a4 |
| SHA1 | 1108e298b95830a0c0a265f89082a5412c11d865 |
| SHA256 | aafa12d671f2eba209cda92d296b29f1abdf359faa3e0f064b7626bf25d89acd |
| SHA512 | 2dab73ed3fae2c1f1ecb38aa1ebbbbe55326fa6bcd562cac2c4adc004e9ab1ccf392aa5c7741419452433b25ea4474508fa5ed65ff02ba01f0ec07b5589dfa08 |
C:\Users\Admin\AppData\Local\Temp\Generations
| MD5 | bf36de53f9099fb8780cc1f08121ec9d |
| SHA1 | 0a3289cd4e8526291b1d78231801c71f62201134 |
| SHA256 | d83f481d8af694bddf44486601adc6960190380ba091f8ae468e0282d86aca96 |
| SHA512 | b66e6ee71e534156eab1fe0e8aa8311a3b41bef397b2bbd89d41a891e2f249a8b7af8c594951058a30751436da61272befd5f3797b3b5e7c8ee63c7901a7c6f8 |
C:\Users\Admin\AppData\Local\Temp\Maiden
| MD5 | 66362a1847593eb45b46b84215c52779 |
| SHA1 | 61519bccdb7c3cbe547bcdadcb8ac81d638593fd |
| SHA256 | 83dba2694db89c8c473f401de7ac74391297428a5162283b4ce7581967bb3ea0 |
| SHA512 | 9c568437f2870f258c77be39e724c9790d5f70ee35529aa79956bd70211267eeaf3d41b7b6eaedc1cc1c85d01ceeca7cd4991a13848a6489ff31acfe15dac23b |
C:\Users\Admin\AppData\Local\Temp\Brunswick
| MD5 | d9d300fcd0f6c260b49dc70799cb3ed5 |
| SHA1 | 9f1c1ed5aba8635a35abf2705c9fa7e64c297f19 |
| SHA256 | e559f9fdef25eb57dc27c4ea285afd85aef5b3f4dc91f8ca94d195a347e02b9d |
| SHA512 | d86cf2df5ce022b6724ebf45a720e26155da5415e1715f1ecc9bc135b66226aa851e09584220f3ceaf6b74267d99c2d5991299f5994c859f59a4847b94e8e9bf |
C:\Users\Admin\AppData\Local\Temp\Eat
| MD5 | f3955d3be816c87209db5f1a76de0c84 |
| SHA1 | 0381898c2fc21e02b8f913cc1083727a23936bcf |
| SHA256 | c51346378e3a0cf5fafa09c0953b4559c140111d086d939c6b0f9adf497fa108 |
| SHA512 | 935294f0c695fbec87509c48d48eb78325ddf5d7a98881b8bccc1469b73ca1a6e044cb9faabbb9c8f151a66bd72a9e10bc7cae821e019e24ae94601b65a6179a |
C:\Users\Admin\AppData\Local\Temp\Login
| MD5 | a0aa8b540b7964573ef0e5ef933d716d |
| SHA1 | cbe8d346bf1d8fb1fec7780abed82023705aae5b |
| SHA256 | 0e337b94bd79194a28a752f7d9a30eacda6e871f5222d7a6c7bc4656ef24d869 |
| SHA512 | d5d6cf1b5fd1cf8e057379a7f4a0116d2742d1f8411822546654dfa6c488b0b34f1e7c99a309f2712bb81570627b3c309af81d0e9afc7d97da54e6c41f6f0b47 |
C:\Users\Admin\AppData\Local\Temp\Determines
| MD5 | d8ed6006ce530f87b672a686ba240bbb |
| SHA1 | 75eaa85a7f408b76b10d8defdf9af47cfec1b2ee |
| SHA256 | d212e9bc86ba456be932f1b7711161d3e76e8bdaea52677771c698a12c1b2878 |
| SHA512 | 1809f8a1e5ef0b9b4fb3bc5921affbbed655c2f6f938250280891228c79e878992d69f98356ff05fb7510423a76f4b73b6fa0a2ee45d8c2166e2b98deb86b4a2 |
C:\Users\Admin\AppData\Local\Temp\Ww
| MD5 | 36caf6a78bb2c801bde7dca1ef9a5d01 |
| SHA1 | 85b4d86b4c8764df6b320bdf687a03dc0bfdcf1b |
| SHA256 | 419db5c7038033e93c48d2ab4f98fa8bbea3af2eafe7bec55b5a780270e1b65f |
| SHA512 | 1a5b9e5d94b1b2f8a09ec51447e85e41cc1aba0b84ec09a4d073296c7638837221caf458fc4709b8915610fbffe1e7466c51a0f5cccaf8e674aa86dc03bade23 |
C:\Users\Admin\AppData\Local\Temp\Vampire
| MD5 | f8d8af1244d907483b3602c06d014d01 |
| SHA1 | adb2338050a56f96b1e3fbcfecc2670a1267c4e7 |
| SHA256 | 5a8f568c186f5b1421467401617ac1274d73401ece3b58012db20b8edd91f1bf |
| SHA512 | 494af12b22803928ff942ebe63beadde2f7e037ec75f26a3b71ca04f5cecd9f210ed5a3df80bfb1f61f4d33adc15c4089723541418ffbf4c9e12214e91e0af24 |
C:\Users\Admin\AppData\Local\Temp\Tba
| MD5 | b611ed5adb13d4d55cbf14877ee9cbac |
| SHA1 | 0b1192569159aeb336e93bd302bbbba6b6bffb32 |
| SHA256 | 71562437f71db557d8cd852c26eb56886570c52a1cb0a3caf91beee50411e75a |
| SHA512 | 9e123d91cacc50f047fc3ad3fe2ec69f160fe701db64ee8111c6bf601235193c00829e9935abd4384395aa4307dfcb005cc7f003d0845bd1fac2b0f1f4c12168 |
C:\Users\Admin\AppData\Local\Temp\Consequence
| MD5 | de1424f331992013ce3ba62af1e4826a |
| SHA1 | 26674a8742de94813fb030b917683aac8bf1a9f1 |
| SHA256 | a491ea9e895108e0cbac7182c064c67711f11af8d41edb82c58cf358445706e7 |
| SHA512 | 8571489c1e7ed8379faee062b606022efcec69bc66a81bdbd0794aa73e00ca9e6dd7e1c86a20313a34f9faf71f26fcfbcb24478ba2ea8edaa1cbb4983fae4262 |
C:\Users\Admin\AppData\Local\Temp\Wv
| MD5 | c70f41c337d8197f721664643d06d196 |
| SHA1 | 17e9e9a9ee5d0f3d79be0f496ea18d126611caac |
| SHA256 | 20787d11bebf1d505fe4a97444dc457b532e03659b390026daf9e8fc194fd6e8 |
| SHA512 | 9c5a2a11f0549a5f845c90b3408b1d9e11c03e5d654b14f97b4919f3bf9cde642d6f48a63e338b087d063e642c58fdf1a973160446714314280f5e8aa197fe75 |
C:\Users\Admin\AppData\Local\Temp\Heads
| MD5 | c7d64462e2a604fc6a9c81fcea175876 |
| SHA1 | 7fe743ecf7e3c4b7b8a3205476e311b71daf1be3 |
| SHA256 | fba0fe192d4a788fd787f6c657a27237a5dd092cd01fb6f783a10603f041736c |
| SHA512 | 6c97d6171df66f8c9f7b6453347fc5e8f93728d36174b3283287f9052a68223787e565ce7a6efe7cb6e7bdba5d82c204ce80289f8de25fb5e9f564b36b4545fe |
C:\Users\Admin\AppData\Local\Temp\Kills
| MD5 | 13dc546d0daadc9b174fa60d4e58bf4c |
| SHA1 | 5a62bb74dbf964a10b98890508389ffa01f4b423 |
| SHA256 | 7b006fbcb0e8b1d4559be81f7e8e66d3e7025e0d8063b5c9b956f3712886bd21 |
| SHA512 | 142d6afe9475b179f1bd75414c487f88695a741b92e0895725231510e2c0fab6121ea463ca3429e4c2e5af0725fd196e8f11137d490722c913105b7a611bb507 |
C:\Users\Admin\AppData\Local\Temp\Companion
| MD5 | 529e8f5a689da689d3651e1c039bb324 |
| SHA1 | f9557b98debebc842274feb085712187a1d9cf37 |
| SHA256 | 5a0e9f3158ba1c1ee5fa3423292993ab9fa1edbe1afa5aa4597a272534f1ef22 |
| SHA512 | 610583262b7df4e3611f425813a57c10a5c6814b5a33864296bef83574b268858451b55d059f60660e89d2b683d489255f6dafe8b711f410e4935ff0c9a02d36 |
C:\Users\Admin\AppData\Local\Temp\Around
| MD5 | 1de412303c8d8449cad0f64aec5dad0c |
| SHA1 | 3fc923a66906aea4c8e30358277f1ed3b723e15c |
| SHA256 | 37ea73ebc91feab33bea461c97c7495d260069041b9ee2e4526444cfb4035da3 |
| SHA512 | d56a13cd0648849e9a5f965f3b8eb9e00222408d8a5ee42a095e11c0be10f49782036c00e468d2ef26080bf6855e8794c8ee45bd7ec1b08166233691f619e9b1 |
C:\Users\Admin\AppData\Local\Temp\Trim
| MD5 | 9806a4ee54225558e00a86e6f15ff6c7 |
| SHA1 | 308c952352eda64d06c982ca826fba193c8dcf27 |
| SHA256 | 5c9d5114e0f13978f10f4d726f2e585f049bf4dc2b735be00389476d2737dc9b |
| SHA512 | 657de9473896f623c6975a50618051e4b6a5098af4b69f9d20d5b736c70029548a4ac108d830b332ac9837f9a9902bdbf75f6560d61c7328706ccd09dbf76af4 |
memory/1696-285-0x0000000000860000-0x00000000008CE000-memory.dmp
memory/1696-286-0x00000000716D0000-0x0000000071DBE000-memory.dmp
memory/3636-289-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1696-296-0x0000000002BC0000-0x0000000004BC0000-memory.dmp
memory/3636-297-0x0000000000400000-0x000000000063B000-memory.dmp
memory/1696-300-0x00000000716D0000-0x0000000071DBE000-memory.dmp
memory/3636-299-0x0000000000400000-0x000000000063B000-memory.dmp
memory/68-301-0x0000000000400000-0x000000000063B000-memory.dmp
memory/2436-304-0x00007FF666BF0000-0x00007FF667852000-memory.dmp
C:\Users\Admin\AppData\Roaming\dahifsh
| MD5 | 1daf51676edf7053884f8643c1a126de |
| SHA1 | 865000f10c6395f072e9afa628a4a9b6abbd5e35 |
| SHA256 | a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669 |
| SHA512 | 199aba789dbc8962a90651cb91c89cd37c38f34282fdb9df6836803602830285a69be18dc7cbb78c2223b181a09afedd721a73993552aff313450bfde60a30b1 |
memory/2960-310-0x0000000002990000-0x0000000002D8D000-memory.dmp
memory/2960-311-0x0000000002D90000-0x000000000367B000-memory.dmp
memory/2960-312-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3392-314-0x0000000000C80000-0x0000000000C81000-memory.dmp
memory/1016-320-0x0000000007340000-0x0000000007376000-memory.dmp
memory/1016-319-0x0000000071D20000-0x000000007240E000-memory.dmp
memory/1016-322-0x0000000007490000-0x00000000074A0000-memory.dmp
memory/1016-321-0x0000000007490000-0x00000000074A0000-memory.dmp
memory/1016-323-0x0000000007AD0000-0x00000000080F8000-memory.dmp
memory/1016-325-0x0000000008350000-0x00000000083B6000-memory.dmp
memory/1016-326-0x0000000008270000-0x00000000082D6000-memory.dmp
memory/1016-324-0x0000000007A60000-0x0000000007A82000-memory.dmp
memory/1016-327-0x0000000008430000-0x0000000008780000-memory.dmp
memory/1016-328-0x00000000087E0000-0x00000000087FC000-memory.dmp
memory/1016-329-0x0000000008860000-0x00000000088AB000-memory.dmp
memory/3636-330-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zcpalcnc.qec.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\ProgramData\DHCGIDHD
| MD5 | 7ba3332547a12c91af827c55fd6c4a75 |
| SHA1 | 3f745c5f9646d07b6c411d2d9eec4e2ee5642114 |
| SHA256 | ca33c12d9db2a3384382b1d7dc0f33fd743a6a27b6f8dbe259a16098683a1940 |
| SHA512 | 5db2bdab187c0fbddc2d8d3f38e6e0ee3906914ed3dd704893663385fb0ac62df82f65c42e2549c1707af40b29a5316811b543e7de7a8f176c3899a442452f00 |
memory/1016-377-0x0000000009860000-0x000000000989C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKJXGONT\nss3[1].dll
| MD5 | 5b6b3209a0a77392bc8a83b0ef0cd547 |
| SHA1 | 2be86e2eb93ab87b6d932a2db0cde87b697c538e |
| SHA256 | 56c5047bc309e33043222a62432e9708dc1852253cc0cc2241498168353483e8 |
| SHA512 | 910fde392725204af6a4960f6d2d1b47653a1bc3a4dc68e130784f88f525aa5745df32a5dd2079f3329117d02fca9f9cd0949ff96ed492758924161233aee4a2 |