Analysis Overview
SHA256
092106302a786b6a726503c027a8aa8e68df31d4e81dce380033e45a04dd1e9b
Threat Level: Known bad
The file prorat_v1.9.zip was found to be: Known bad.
Malicious Activity Summary
Adds autorun key to be loaded by Explorer.exe on startup
Modifies WinLogon for persistence
Modifies firewall policy service
Modifies security service
Adds policy Run key to start application
Manipulates Digital Signatures
Registers new Print Monitor
Sets file execution options in registry
Modifies Installed Components in the registry
Modifies system executable filetype association
UPX packed file
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Adds Run key to start application
Modifies WinLogon
Maps connected drives based on registry
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in System32 directory
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies system certificate store
Modifies registry class
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Checks SCSI registry key(s)
Runs net.exe
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 01:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 01:53
Reported
2024-04-15 01:59
Platform
win11-20240412-en
Max time kernel
293s
Max time network
291s
Command Line
Signatures
Adds autorun key to be loaded by Explorer.exe on startup
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | C:\Windows\services.exe | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses\NonAutoResolve | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses\AutoResolve | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses\NonAutoResolve | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses\AutoResolve | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\TenantRestrictions | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | C:\Windows\services.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Security | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\PortKeywords | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\ACSERVICE | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters | C:\Windows\services.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Windows\services.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{000C10F1-0000-0000-C000-000000000046} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates\11194FAB14616ED8259FB94DCD17CE99DAB04CDD | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2012 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{6078065b-8f22-4b13-bd9b-5b762776f386} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2010 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{6078065b-8f22-4b13-bd9b-5b762776f386} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{6078065b-8f22-4b13-bd9b-5b762776f386} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{6078065b-8f22-4b13-bd9b-5b762776f386} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2223 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223 | C:\Windows\services.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3853CC31-559E-32A7-B749-89E04145A139} | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} | C:\Windows\services.exe | N/A |
Registers new Print Monitor
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor | C:\Windows\services.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\0 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\2 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\1 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe | C:\Windows\services.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\upx.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fservice.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\werfault.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler | C:\Windows\services.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\services.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\services.exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum | C:\Windows\services.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} | C:\Windows\services.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\reginv.dll | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\services.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| File created | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\SysWOW64\winkey.dll | C:\Windows\services.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system\sservice.exe | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| File created | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File opened for modification | C:\Windows\ktd32.atm | C:\Windows\services.exe | N/A |
| File created | C:\Windows\p_ekran.jpg | C:\Windows\services.exe | N/A |
| File opened for modification | C:\Windows\system\sservice.exe | C:\Users\Admin\Documents\prorat_v1.9\server.exe | N/A |
| File opened for modification | C:\Windows\services.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\SysWOW64\fservice.exe | N/A |
| File created | C:\Windows\system\sservice.exe | C:\Windows\services.exe | N/A |
| File opened for modification | C:\Windows\ktd32.atm | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\services.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | C:\Windows\services.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\services.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport | C:\Windows\services.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NSCSINGLEEXPAND | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE2-3C52-11D0-9200-848C1D000000} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{754FF233-5D4E-11d2-875B-00A0C93C09B3} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{38F03426-E83B-4E68-B65B-DCAE73304838} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4E7BD74F-2B8D-469E-8CB2-BC60BB9AAE22} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B85537E9-2D9C-400A-BC92-B04F4D9FF17D} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\DisableWelcomePage | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{78A9B22E-E0F4-11D0-B5DA-00C0F00AD7F8} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\DisableDevTools | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7k.dll | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm72.dll | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F41E8255-3897-4cf4-AEC7-4F85171A0B3C} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B401C5EB-8457-427F-84EA-A4D2363364B0} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AD5FBDB8-C518-47F7-B4F1-F1F58D21A716} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{130D7743-5F5A-11D1-B676-00A0C9697233} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\BlockPopups | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\StartPage | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PHISHINGFILTER | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{d99f7670-7f1a-11ce-be57-00aa0051fe20} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BEC-3C52-11D0-9200-848C1D000000} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BC1-3C52-11D0-9200-848C1D000000} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B2F87B84-26A6-11D0-B50A-00A024488F73} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0D080D7D-28D2-4F86-BFA1-D582E5CE4867} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\2260E52C41EDD4EE1DBA0B1051B9AE675947F956 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B0A6BAE2-AAF0-11D0-A152-00A0C908DB96} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5l.dll | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1138506a-b949-46a7-b6c0-ee26499fdeaf} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{20D04FE0-3AEA-1069-A2D8-08002B30309D} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ThirdPartyCookies | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6E84D662-9599-11D2-9367-20CC03C10627} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{13FA0C3E-6B1C-4d8b-88CD-6DA8E1CA7653} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\8FD22F348F4EDB71C386D77A35137186C317825E | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6z.dll | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{93C5524B-97AE-491E-8EB7-2A3AD964F926} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4C85388F-1500-11D1-A0DF-00C04FC9E20F} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCE-9B79-11D3-B654-00C04F79498E} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DNT | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{369303C2-D7AC-11D0-89D5-00A0C90833E6} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{33FDA1EA-80DF-11D2-B263-00A0C90D6111} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm59.dll | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm57.dll | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BF3FF9A2-AC03-40a1-BA0F-F31076325AA7} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{288F1523-FAC4-11CE-B16F-00AA0060D93D} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{22852EE3-B01B-11CF-B826-00A0C9055D9E} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DE4735F3-7532-4895-93DC-9A10C4257173} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{705EC6D4-B138-4079-A307-EF13E4889A82} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4EDCB26C-D24C-4e72-AF07-B576699AC0DE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{233A9692-667E-11d1-9DFB-006097D50408} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF} | C:\Windows\services.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-834482027-582050234-2368284635-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "ProRat V1.9" | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\JIT | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2a6eb050-7f1c-11ce-be57-00aa0051fe20} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\TabRoaming | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.0 | C:\Windows\services.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "239" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\DefaultIcon | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\IMEFILES.CImeFileNameRedirectionManager | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template\shell | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4773A25-CDB6-54BB-931A-ACDCAFA3FD7D}\ProxyStubClsid32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DDDB704-CF99-4B8A-B746-DABB01DD13A0} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2B9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\System.Security.Cryptography.SHA1CryptoServiceProvider | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.DirectMusicContainer\CurVer | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.DirectSoundWavesReverbDMO.1 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{58562769-ED52-42F7-8403-4963514E1F11} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46B89F5A-769D-4792-AD9A-E3755915CBC3}\ProxyStubClsid | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F6B9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\RegisterControl.Register\CurVer | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CB5DD948-AAB3-405F-9F29-79468F1F5971}\15.0.0.0 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m4v\shell\AddToPlaylistVLC | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppXvsddybna5mfqpzfzrh0x2nnv0v7ettv3 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CF3EC7F-AC62-4CD6-BB30-39A464CB52CB} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CD101-0000-0000-C000-000000000046} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\DataFormats\GetSet\0 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\NotInsertable | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B115690A-EA02-48D5-A231-E3578D2FDF80} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.M4A\shellex | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D4E0AF84-DA6F-3F0D-8577-30854A8D9718} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FA2D2B3A-C8A1-4581-98D6-4F91A766F765}\ProxyStubClsid32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A4C466B8-499F-101B-BB78-00AA00383CBB}\ProxyStubClsid32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\DocObject | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DC7A02CD-2E47-406C-BA5A-B08EC00C4238} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000209F0-0000-0000-C000-000000000046} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.Notebook.1\shell\OpenAsReadOnly\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.m2v | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\Verb\1 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\DefaultExtension | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\LR.LexRefStFrObject.1.0 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F99B94BA-D4D0-5C43-B174-FFD7E6E5131C}\ProxyStubClsid32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\DataFormats\GetSet\2 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.zpl\shell\Open | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.bmp\ShellEx\ContextMenuHandlers | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\InprocHandler32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020821-0000-0000-C000-000000000046}\Verb\1 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroAccess.AcrobatAccess\CLSID | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4495AD01-C993-11D1-A3E4-00A0C90AEA82}\TypeLib | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2535fa2e-d302-5069-a6b9-79d89d032ac9} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{24A8012D-86BE-4CFC-A442-2187076A21E7} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0375-0000-0000-C000-000000000046}\ProxyStubClsid32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D6FCA954-F7AE-4EAC-8783-85F5E4ABD840} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\System.AppDomainSetup | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D6E78E55-7EE7-4A31-BF3E-B01E819599BA}\15.0.0.0 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8CCD0AC2-B1AD-11CE-8276-00AA004BA6AE} | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WSFFile\ShellEx | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\DataFormats\GetSet\0 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82B02374-B5BC-11CF-810F-00A0C9030074}\InprocServer32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Word.RTF.8\shell\New\command | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\TIFImage.Document\DefaultIcon | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage\21866 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CertificateAuthority.ServerExit | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.DirectMusicScriptAutoImpSegmentState\CurVer | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.srw\AppX9rkaq77s0jzh1tyccadx9ghba15r6t3h | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.appxbundle\AppXa4x21t18evxksm0kbe6znaz8jjrjvs9e | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2E1511D-502D-4BD0-8B3A-8A89A05CDCAE}\ProxyStubClsid32 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gif\ShellEx | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\System.ArgumentException | C:\Windows\services.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\PasspointTrustedRoots | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates\6CA22E5501CC80885FF281DD8B3338E89398EE18 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\8A334AA8052DD244A647306A76B8178FA215F344 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AAD Token Issuer | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates\11194FAB14616ED8259FB94DCD17CE99DAB04CDD | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\D73F0C22273FA4C717A3A735F7E992F31190F010 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\OemEsim | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\PasspointTrustedRoots\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92B46C76E13054E104F230517E6E504D43AB10B5 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\OemEsim\CRLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\B68D8F953E551914324E557E6164D68B9926650C | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\PasspointTrustedRoots\Certificates\51501FBFCE69189D609CFAF140C576755DCC1FDF | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\PasspointTrustedRoots\Certificates\BB4924831847952BDB1A12B038EC5154ADCBDE43 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\OemEsim\CTLs | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\OemEsim\Certificates | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5 | C:\Windows\services.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Windows\services.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop | C:\Windows\services.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Windows\services.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI | C:\Windows\services.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\prorat_v1.9.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe
"C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe"
C:\Users\Admin\AppData\Local\Temp\upx.exe
C:\Users\Admin\AppData\Local\Temp\upx.exe --best C:\Users\Admin\DOCUME~1\PRORAT~1.9\server.exe
C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe
"C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe"
C:\Users\Admin\Documents\prorat_v1.9\server.exe
"C:\Users\Admin\Documents\prorat_v1.9\server.exe"
C:\Windows\SysWOW64\fservice.exe
C:\Windows\system32\fservice.exe
C:\Windows\services.exe
C:\Windows\services.exe -XP
C:\Windows\SysWOW64\NET.exe
NET STOP srservice
C:\Windows\SysWOW64\NET.exe
NET STOP navapsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP srservice
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STOP navapsvc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\prorat_v1.9\server.exe.bat
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004EC
C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\17dd443e9be04f0eae08628fd714324e /t 3316 /p 1572
C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe
"C:\Users\Admin\Documents\prorat_v1.9\ProRat.exe"
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39d0855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | you.no-ip.com | udp |
| N/A | 127.0.0.1:5110 | tcp | |
| N/A | 127.0.0.1:5112 | tcp | |
| US | 8.8.8.8:53 | www.icq.com | udp |
| US | 8.8.8.8:53 | tcp | |
| US | 104.21.13.178:80 | www.yoursite.com | tcp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| RU | 5.61.236.229:80 | www.icq.com | tcp |
| US | 67.195.204.74:25 | mta7.am0.yahoodns.net | tcp |
| N/A | 127.0.0.1:49928 | tcp | |
| N/A | 127.0.0.1:49932 | tcp | |
| N/A | 127.0.0.1:49938 | tcp | |
| N/A | 127.0.0.1:49940 | tcp | |
| N/A | 127.0.0.1:49946 | tcp | |
| N/A | 127.0.0.1:5112 | tcp | |
| N/A | 127.0.0.1:49968 | tcp | |
| N/A | 127.0.0.1:5110 | tcp | |
| N/A | 127.0.0.1:5112 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| US | 20.44.10.122:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| GB | 2.18.66.48:443 | tcp | |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| US | 20.44.10.122:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| NL | 23.62.61.194:443 | r.bing.com | tcp |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| US | 20.44.10.122:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 2.18.66.48:443 | tcp | |
| US | 20.44.10.122:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp | |
| GB | 2.18.66.48:443 | tcp |
Files
memory/1572-0-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/1572-1-0x0000000004E10000-0x0000000004E11000-memory.dmp
memory/1572-2-0x0000000008590000-0x0000000008591000-memory.dmp
memory/1572-3-0x0000000000400000-0x0000000000B19000-memory.dmp
C:\Users\Admin\Documents\prorat_v1.9\server.exe
| MD5 | d83893901425b5265e3e52a74d4dd674 |
| SHA1 | beed9c6aecce19e45581bff3f057c4820de22891 |
| SHA256 | 81626eae5739197f842961ad13e523011bcf4cec7dd4b4d996c728b5568d600d |
| SHA512 | 5d21a1a78fc7c6edeead5464abbc081e321aa97c5eb479c8a2be259bcf719f288b9eb675f3cd5eca7d04a7003f39b628ce69c0aa64bf399cadf4c20d44bbaaa8 |
C:\Users\Admin\AppData\Local\Temp\upx.exe
| MD5 | 9857f7401eff1ddfba4123ba9d5ee08a |
| SHA1 | 654e685483a30e9b99eaac630aa53d95c52d8b27 |
| SHA256 | 5976edd4a39e8524bb0295d2873286cc0a288215abefdf2c04b32915ba906368 |
| SHA512 | d2a320d0b4b1781cc3f85c8d564c6c08b69f46db7a9b3c0ffed92aadcad6c6425b9c38495830b8ca9d1734edbec434a10616623fbc2da8836d54b28951315c34 |
memory/5000-29-0x0000000000400000-0x0000000000448000-memory.dmp
C:\Users\Admin\DOCUME~1\PRORAT~1.9\server.exe
| MD5 | 3bbb8a80703bdc47db5aded77c6ffbff |
| SHA1 | 8d17db3977d3c42b54d892e9d1dc1ae577fd98c6 |
| SHA256 | aa33258ecc634e4a81fc945c646a8f62ef1a6ab5b11811ae21001bd4c372d7e4 |
| SHA512 | 80de46bfb6dbcc9e67dc08be0dce9744a1a811a9287c5285479ad29d867ef4ec0a3bb3b2ff2f681402cb5e1b6b7a94f46daf90f7209bd5c4ee91e927b4440616 |
memory/5000-34-0x0000000000400000-0x0000000000448000-memory.dmp
C:\Users\Admin\Documents\prorat_v1.9\server.exe
| MD5 | b5593ae68a69e3eb32b71702b57e5604 |
| SHA1 | b59ea6f91e5c40d290614cff3a0a11942903c977 |
| SHA256 | c67f8ae3139e836abae1b747cb98eb05e6f22479d01eb069ad9995c454a932a7 |
| SHA512 | c0cf9e7f7dbe4fc7ef8c8fd0f13b76dfd40ce72cd81c963541dda4784aaa615ebbf7ba1b755eb7aa79678babbac8637f4956f99198298abaa5b3f589da57e191 |
memory/1572-39-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/1572-40-0x0000000004E10000-0x0000000004E11000-memory.dmp
memory/1572-41-0x0000000008590000-0x0000000008591000-memory.dmp
memory/236-42-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/236-43-0x0000000001D10000-0x0000000001D11000-memory.dmp
memory/236-44-0x0000000008790000-0x0000000008791000-memory.dmp
memory/236-45-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/1572-47-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/244-49-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/244-55-0x00000000025D0000-0x00000000025D1000-memory.dmp
memory/492-58-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/492-65-0x0000000002490000-0x0000000002491000-memory.dmp
memory/3324-68-0x0000000002830000-0x0000000002831000-memory.dmp
C:\Windows\SysWOW64\winkey.dll
| MD5 | b4c72da9fd1a0dcb0698b7da97daa0cd |
| SHA1 | b25a79e8ea4c723c58caab83aed6ea48de7ed759 |
| SHA256 | 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f |
| SHA512 | f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066 |
memory/3324-73-0x0000000000400000-0x00000000005FC000-memory.dmp
C:\Windows\SysWOW64\reginv.dll
| MD5 | 562e0d01d6571fa2251a1e9f54c6cc69 |
| SHA1 | 83677ad3bc630aa6327253c7b3deffbd4a8ce905 |
| SHA256 | c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6 |
| SHA512 | 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea |
memory/492-84-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/3324-75-0x0000000010000000-0x000000001000B000-memory.dmp
memory/244-87-0x0000000000400000-0x00000000005FC000-memory.dmp
C:\Users\Admin\Documents\prorat_v1.9\server.exe.bat
| MD5 | 28f1251544be9063412bc751ff699b43 |
| SHA1 | 2cc135681f346d58c1887220bf6f5f915106654c |
| SHA256 | 79c4343ca9f08fe04a7121eb3c571ae36269701edd7b4a22954df897b16a08d7 |
| SHA512 | 5ea3864ef47f19877a6e73aef05d14f1e5dc4bd3469b5db21dde019aec8f049869332307962b1939a1824ce6b5b8e8c4b9ae0b900a4352ddafb09015179db42a |
memory/1572-93-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/1572-94-0x00000000070F0000-0x00000000070FB000-memory.dmp
memory/3324-95-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-97-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-99-0x0000000002830000-0x0000000002831000-memory.dmp
memory/3324-100-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/3324-101-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-112-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-121-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/3324-122-0x0000000010000000-0x000000001000B000-memory.dmp
C:\Windows\ktd32.atm
| MD5 | c9f1f1b442cb2e7da8547431265c3874 |
| SHA1 | 085d9704c28d296f7dcd5d3e68ebe8d3cb3fcfb9 |
| SHA256 | bea8de09b43567e75598ba93edda57b72ab0d33867764b9a54e55e88209c0ec9 |
| SHA512 | f96d2dbb355f19cd205ead3c9e4b283e88acf93ef13421ba320d3ccb0a45c09acf9d6f8d1fa96aa58381bbf66ae844529cd1db2755597ec91c55e4df9f8fa2c3 |
memory/1572-131-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/1572-132-0x00000000070F0000-0x00000000070FB000-memory.dmp
memory/3324-133-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-135-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-137-0x0000000000400000-0x00000000005FC000-memory.dmp
C:\Windows\ktd32.atm
| MD5 | c01880119d51c2b143a002e5515839f3 |
| SHA1 | 6fec27a6043282e4ff5f1d13ab384693fcbedbde |
| SHA256 | 81f331b83d455445066c56d09a15b10b87eb5a1b207871d1e573882c3501d6b7 |
| SHA512 | a52d563c4df0c59da8dc579a2136336889ec4c8b74d01e6f38efb03746f5790bc349e8994e7a77b4dd45f03f3ae5dc06fe50c4df0244701201617f5816a15025 |
memory/1572-155-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-162-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/3324-163-0x0000000010000000-0x000000001000B000-memory.dmp
memory/1572-164-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-166-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-168-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-170-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-172-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-174-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-176-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-178-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-180-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-182-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-184-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-186-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-188-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-190-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/1572-196-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/3324-199-0x0000000000400000-0x00000000005FC000-memory.dmp
memory/4936-207-0x0000000000400000-0x0000000000B19000-memory.dmp
memory/4936-208-0x0000000001CE0000-0x0000000001CE1000-memory.dmp
memory/4936-209-0x0000000007870000-0x0000000007871000-memory.dmp
memory/4936-212-0x000000000ADD0000-0x000000000ADDB000-memory.dmp
memory/4936-217-0x0000000001CE0000-0x0000000001CE1000-memory.dmp
memory/4936-222-0x0000000007870000-0x0000000007871000-memory.dmp