Malware Analysis Report

2024-12-08 03:08

Sample ID 240510-pmr37aec4s
Target 78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a
SHA256 78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a
Tags
privateloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a

Threat Level: Known bad

The file 78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a was found to be: Known bad.

Malicious Activity Summary

privateloader

Privateloader family

Enumerates connected drives

Loads dropped DLL

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:27

Signatures

Privateloader family

privateloader

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:27

Reported

2024-05-10 12:29

Platform

win7-20231129-en

Max time kernel

117s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = … C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0
603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 496 wrote to memory of 2516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 496 wrote to memory of 2516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 496 wrote to memory of 2516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 496 wrote to memory of 2516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 496 wrote to memory of 2516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 496 wrote to memory of 2516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 496 wrote to memory of 2516 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe

"C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C15281C20EC1D786C04617FCFC71F531 C

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/1392-0-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\{2073965F-C2FC-4F3E-96E4-5DE7DC4B658B}\decoder.dll

MD5 7117e33f9b1dc041b477060f8f8c3a0c
SHA1 97fbcb6676bfb43d36701805c86eac3567f61bca
SHA256 a350f06808b517dd2b7f363dca6119c072d08d1677e379ce48267bc7d95f1517
SHA512 31f484d210e575dc8f522d1b3c16d2a77601be172287d8f7ff009a5700820e028c9c1366d543872edaec002a7e2e5fe5880ad303cde8d28a60fe0359db4307fe

C:\Users\Admin\AppData\Local\Temp\{2073965F-C2FC-4F3E-96E4-5DE7DC4B658B}\C4B658B\ProtonVPN_win_v2.2.1.msi

MD5 f6aa49d5ced9ac06a18475ad3a723491
SHA1 df29589ec5720f6b548ab59967ca175a7838c372
SHA256 d2e84903464f44fbf0644f3e987dde0becd3d960259712817a012328590a0556
SHA512 24a9f6f051fe85d3061ddd041ee90ab25dffee6a176b689a49e0714336274c4c11c2657c7a75ccc7eac7b0c2162ba9659778945d0a1190e2ecb05cfe0a32003d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1683.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1b1f8d684e8beef509d9a47bf0be7e10
SHA1 18f8724baec4bf00d461150cbbe3b19e2278cdcc
SHA256 18c83547a4075955fde01fff4942397ae0a858e90da38b7054b99d2eb4a69fbd
SHA512 684ca25246d550495f7220b39d136faa4150c0701ebd40a811e0adc4acddf70ebe2444e818f02bb237d3b7f388891c27b03e2e93196365a5b7d4864d60e72137

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\MSI196F.tmp

MD5 3b171ce087bb799aafcbbd93bab27f71
SHA1 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256 bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1392\DialogBitmap.bmp

MD5 19e61f2dfd494cd64a9cfba3d4afe964
SHA1 1ba29dafa629be32ac85dd68a4c5bac261c46a88
SHA256 f7c03fa72a65dd9f9fd2abce0510d75933db3355ada0733f71ecaf7caae74f97
SHA512 392aeda85bbc0a5c69178cd44866408fda2bc4607348b6779124473a7099446359eaf8b2ee1e8121dfd0b7a0da6e8cf6f383729da94fb1a3ed3767dc3a6e15eb

memory/1392-178-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:27

Reported

2024-05-10 12:29

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = … C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = … C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = … C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = … C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = … C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = … C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1 C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 3380 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe

"C:\Users\Admin\AppData\Local\Temp\78f313c6f45e23738ba0af184cfad17d4593261935f4650f9f3d36421075e39a.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4CF4C37B9173C7E9196A4193829A077F C

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\{2073965F-C2FC-4F3E-96E4-5DE7DC4B658B}\decoder.dll

MD5 7117e33f9b1dc041b477060f8f8c3a0c
SHA1 97fbcb6676bfb43d36701805c86eac3567f61bca
SHA256 a350f06808b517dd2b7f363dca6119c072d08d1677e379ce48267bc7d95f1517
SHA512 31f484d210e575dc8f522d1b3c16d2a77601be172287d8f7ff009a5700820e028c9c1366d543872edaec002a7e2e5fe5880ad303cde8d28a60fe0359db4307fe

C:\Users\Admin\AppData\Local\Temp\{2073965F-C2FC-4F3E-96E4-5DE7DC4B658B}\C4B658B\ProtonVPN_win_v2.2.1.msi

MD5 f6aa49d5ced9ac06a18475ad3a723491
SHA1 df29589ec5720f6b548ab59967ca175a7838c372
SHA256 d2e84903464f44fbf0644f3e987dde0becd3d960259712817a012328590a0556
SHA512 24a9f6f051fe85d3061ddd041ee90ab25dffee6a176b689a49e0714336274c4c11c2657c7a75ccc7eac7b0c2162ba9659778945d0a1190e2ecb05cfe0a32003d

C:\Users\Admin\AppData\Local\Temp\MSI5650.tmp

MD5 3b171ce087bb799aafcbbd93bab27f71
SHA1 7bd69efbc7797bdff5510830ca2cc817c8b86d08
SHA256 bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4
SHA512 7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1552\DialogBitmap.bmp

MD5 19e61f2dfd494cd64a9cfba3d4afe964
SHA1 1ba29dafa629be32ac85dd68a4c5bac261c46a88
SHA256 f7c03fa72a65dd9f9fd2abce0510d75933db3355ada0733f71ecaf7caae74f97
SHA512 392aeda85bbc0a5c69178cd44866408fda2bc4607348b6779124473a7099446359eaf8b2ee1e8121dfd0b7a0da6e8cf6f383729da94fb1a3ed3767dc3a6e15eb