Malware Analysis Report

2024-12-07 02:02

Sample ID 241111-xjw7qstfqf
Target 8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5
SHA256 8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5
Tags
bootkit discovery persistence upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5

Threat Level: Shows suspicious behavior

The file 8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence upx

Loads dropped DLL

Checks BIOS information in registry

Deletes itself

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Enumerates connected drives

UPX packed file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Runs net.exe

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 18:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 18:53

Reported

2024-11-11 18:56

Platform

win7-20240903-en

Max time kernel

150s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\SystemCertificates\CA\Certificates\CA7788C32DA1E4B7863A4FB57D00B55DDACBC7F9\Blob = 030000000100000014000000ca7788c32da1e4b7863a4fb57d00b55ddacbc7f91400000001000000140000003ae10986d4cf19c29676744976dce035c663639a04000000010000001000000042f8529fe545103fdd848980a8647f290f0000000100000030000000ed080184c5a30d366162d70be6fbb98ed70ace8650c3b7bccc7687cddaffb50f7d12eea1a961cc6f7fd0da9b3422f9fa19000000010000001000000076935b5c5a037216daaf8aac76df42c11800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000d7030000308203d3308202bba003020102021056671d04ea4f994c6f10814759d27594300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374204543432043657274696669636174696f6e20417574686f726974793076301006072a8648ce3d020106052b81040022036200041aac545aa9f96823e77ad5246f53c65ad84babc6d5b6d1e67371aedd9cd60c61fddba08903b80514ec57ceee5d3fe221b3cef7d48a79e0a3837e2d97d061c4f199dc259163ab7f30a3b470e2c7a1339cf3bf2e5c53b15fb37d327f8a34e37979a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604143ae10986d4cf19c29676744976dce035c663639a300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010019eceb9d892c200b04801d18de429972991632bd0e9c755b2c15e229406deeff72dbdbab901f8c95f28a3d087242895007e239156c0187d9161af5c0752bc5e6561107dfd898bc7c9f1939df8bca006473bc46109b93238dbe16c32e08829c863374763b284c8d034285b3e2b22342d51f7a756a1ad17caa6721c4333a396d53c9a2ed6222a8bbe2556c996c436b9197d10c0b93021dd2bc697749e61b4df7bf147803b0a6ba0bb4e1857f2fdc423bad740148ded66ce11998095e0ab36747fe1ce0d5c128ef4a8b44312604378d8974362eefa5220f83744992c7f710c20c29fbb7bdba7fe35fd59ff2a9f474d5b8e1b3b081e4e1a563a3ccea0478906ebff7 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\Logo1_.exe
PID 3044 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\Logo1_.exe
PID 3044 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\Logo1_.exe
PID 3044 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\Logo1_.exe
PID 2800 wrote to memory of 2784 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2800 wrote to memory of 2784 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2800 wrote to memory of 2784 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2800 wrote to memory of 2784 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2784 wrote to memory of 2856 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2784 wrote to memory of 2856 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2784 wrote to memory of 2856 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2784 wrote to memory of 2856 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 2760 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 2800 wrote to memory of 1216 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2800 wrote to memory of 1216 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe

"C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aB28.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe

"C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 download.mql5.com udp
US 8.8.8.8:53 content.mql5.com udp
NL 78.140.180.43:443 download.mql5.com tcp
NL 78.140.180.86:443 content.mql5.com tcp
SG 47.241.33.233:443 tcp
RU 88.212.244.84:443 tcp
ZA 156.38.206.18:443 api6.mql5.net tcp
BR 177.154.156.125:443 api8.mql5.net tcp
SG 139.99.68.28:443 tcp
AU 47.74.84.54:443 tcp
CN 8.133.165.136:443 tcp
NL 78.140.180.43:443 download.mql5.com tcp
US 206.221.189.58:443 tcp
IN 147.139.41.121:443 tcp
US 8.8.8.8:53 api7.mql5.net udp
HK 47.242.172.9:443 api9.mql5.net tcp
US 142.0.194.252:443 api11.mql5.net tcp
DE 195.201.80.82:443 download.mql5.com tcp
US 142.215.208.235:443 api7.mql5.net tcp
US 206.221.189.58:443 tcp
US 206.221.189.58:443 tcp
IN 148.113.1.241:443 api3.mql5.net tcp
DE 195.201.80.82:443 download.mql5.com tcp
HK 27.111.161.152:443 api11.mql5.net tcp
NL 78.140.180.43:443 download.mql5.com tcp
US 142.215.208.235:443 api7.mql5.net tcp
ZA 156.38.206.18:443 api6.mql5.net tcp
BR 177.154.156.125:443 api8.mql5.net tcp
DE 195.201.80.82:443 download.mql5.com tcp
NL 78.140.180.43:443 download.mql5.com tcp
US 142.215.208.235:443 api7.mql5.net tcp
JP 199.254.199.227:443 api9.mql5.net tcp
IN 148.113.1.241:443 api3.mql5.net tcp
HK 27.111.161.152:443 api11.mql5.net tcp
ZA 156.38.206.18:443 api6.mql5.net tcp
BR 177.154.156.125:443 api8.mql5.net tcp
IN 148.113.1.241:443 api3.mql5.net tcp
JP 199.254.199.227:443 api9.mql5.net tcp
AU 66.203.112.227:443 tcp
IR 185.252.31.15:443 tcp
RU 88.212.232.132:443 api4.mql5.net tcp
SG 117.20.41.198:443 tcp
CN 8.133.165.136:443 tcp
NG 104.166.145.86:443 tcp

Files

memory/3044-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aB28.bat

MD5 a51a03d685a6e0177626ef7e900b2a71
SHA1 d57febc1c5d30e035a83a7308d36e91769bc6d97
SHA256 3ec21e296551270573d01a030b712c8972220d4c636c63d9de714227a21c5e07
SHA512 ad6f877d77b08be9f06468d972861a7d4dc817d4f02f2fa69338fde61b3c6096d8f1ce0b10ba11b1a9b167f1e1262a2cc7c7d53caa2df4e11da76cd5fc17dae8

C:\Windows\Logo1_.exe

MD5 c9d09ed5a9fb6ff02ee27466c5086f32
SHA1 6027c3fdfadd41ada1f3a81093c3f573c0469dc6
SHA256 aa6aefd84f99e73c4c008ff6f054caa58a82d8e6bb352423c1f0b379d4c4fa02
SHA512 23dd78981e8db2f8adedc817b6552af78be54243cd9780753f76149041a8dc30e07c2b8f92f17965ff0c07869e2e3fa95255e35c60a24265d86d4696150c5f3d

memory/2800-20-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3044-16-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe.exe

MD5 9a6211856955a5bbd5b82d47b960f3ca
SHA1 5b3e3280a10c7d662c947bed762fd89e742b1cff
SHA256 1d15bcfb5877e4f668865240667148841d5024484347265a966fd0372df792a1
SHA512 1df215dc0403982c6bd055c1a23b0aa9075b9ecd04054b44bcc202cc560d658b33eecd4309e8875fa1252711cb65254ee1f9e3e612078e0e0018360fb6553a9f

memory/2760-27-0x0000000002390000-0x00000000026E5000-memory.dmp

memory/2768-29-0x0000000000400000-0x0000000000755000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabE26.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarE39.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2768-72-0x0000000000860000-0x0000000000861000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41a48d1b4a27c3bb4aad4632bd99b221
SHA1 1e49464194452d68f71ff9e660a03160d2a063ae
SHA256 0a97074168801d67fd7a994c224594b2dec0932dfb7428d3e9618cc26b0a9b44
SHA512 e433c572f8ed7f1b4cd8c47a70f2d26d8dafb565ba4bf71b30c645b99327e8f87ba5b2a4ac60e4cacb3018b7256bb9e1638f1467f099aab705feabc62200d3b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8A4AA6A226E1870F0261713C59F1CB84

MD5 42f8529fe545103fdd848980a8647f29
SHA1 ca7788c32da1e4b7863a4fb57d00b55ddacbc7f9
SHA256 a6cf64dbb4c8d5fd19ce48896068db03b533a8d1336c6256a87d00cbb3def3ea
SHA512 1a3994c12d65e9c96b4c4ebcf79e8b291b620177520a7d0482a2b6043dd150a9f2ce1627d130309390e3ac6be98af5f2b50c1993c478976d0c9a9638c46a61bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01b400956e04103a6cba5a1341326aae
SHA1 6dca53bf74adcc3e07dde31d50cc3bce78424d3c
SHA256 80d7567074c81faafdcb7813772ebf1489254daae9b0739ef0edac7fbea95462
SHA512 044b999b2e6a229c852905b83bac74a71d4036249ade3c6dc98b2ed79e92af6daf058a64cf06c3b3c004b5fa63bd40377195bd12dda3bc82a8efdfb447e376b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 079a6fc4add90d72b8f276dd2ef5d5ac
SHA1 2efd26161a57dadfc2c76a29cd8c843e1de4389d
SHA256 924e475f8db7daf86257f27d37160761927fb9e53b78be9d06241b9133fe2a48
SHA512 31ff5507ff220611273234723495ad8f47db4f12c1b69764280d486748c60f20723cbe92f6ae976a5c53ee5dc5515c045e96525c5e813037b1f8b5707318163c

memory/1216-276-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2800-279-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2768-280-0x0000000000400000-0x0000000000755000-memory.dmp

memory/2800-282-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini

MD5 f2c90f51b459c8c4f917ecc6829657c3
SHA1 3b580d9e09ccb0c3e8343687e9a167dbe66fe0f4
SHA256 5f6a20b6350a78505d3c636d39cbfeebc0ca00bf25ac096a5f1bb4fa3ceb4708
SHA512 1ac4d8b070f0838b1e8470d0a09d22b684a12bae0a4d7b7874a0b9cc8ef88042813453638a7289911dc710fe3a848cfdc22b91268328a3c37cbb1e4f32979347

memory/2800-289-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2800-294-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2800-340-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2800-346-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2800-348-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2800-2123-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 06691a8cf63a33d3838bfbc21186cb82
SHA1 5d76a3b2132b8ee166dc9e3b110bcdd2f65229f2
SHA256 c2c786a41fab427da5eea5c18966b01e18ecfc883b6cced1b8cf9c9c5d1be0b9
SHA512 f381086d3cb602115141906acb8c845bb26af8a15a6a424acfd5d21e2def01f752e052a32ad46508912b4f65216ac56e1fa332ce5bf715f3d60c7b4e7818e676

memory/2800-3583-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 18:53

Reported

2024-11-11 18:56

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office 15\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\es-MX\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_92812\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Defender\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\Logo1_.exe
PID 3144 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\Logo1_.exe
PID 3144 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe C:\Windows\Logo1_.exe
PID 5048 wrote to memory of 2228 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5048 wrote to memory of 2228 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5048 wrote to memory of 2228 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2228 wrote to memory of 4484 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2228 wrote to memory of 4484 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2228 wrote to memory of 4484 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4492 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 4492 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 4492 wrote to memory of 4204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe
PID 5048 wrote to memory of 3432 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 5048 wrote to memory of 3432 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe

"C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF1A3.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe

"C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 download.mql5.com udp
US 8.8.8.8:53 content.mql5.com udp
DE 195.201.80.82:443 download.mql5.com tcp
NL 78.140.180.86:443 content.mql5.com tcp
NL 78.140.180.43:443 download.mql5.com tcp
SG 47.241.33.233:443 tcp
US 206.221.189.58:443 api3.mql5.net tcp
RU 88.212.244.84:443 tcp
IN 147.139.41.121:443 tcp
ZA 156.38.206.18:443 api6.mql5.net tcp
US 8.8.8.8:53 api7.mql5.net udp
BR 177.154.156.125:443 api8.mql5.net tcp
HK 47.242.172.9:443 api9.mql5.net tcp
SG 139.99.68.28:443 tcp
US 142.0.194.252:443 api11.mql5.net tcp
AU 47.74.84.54:443 tcp
DE 195.201.80.82:443 download.mql5.com tcp
CN 8.133.165.136:443 tcp
NL 78.140.180.43:443 download.mql5.com tcp
DE 195.201.80.82:443 download.mql5.com tcp
US 8.8.8.8:53 82.80.201.195.in-addr.arpa udp
US 8.8.8.8:53 86.180.140.78.in-addr.arpa udp
US 8.8.8.8:53 43.180.140.78.in-addr.arpa udp
IN 148.113.1.241:443 api3.mql5.net tcp
HK 27.111.161.152:443 api11.mql5.net tcp
NL 78.140.180.43:443 download.mql5.com tcp
US 142.215.208.235:443 api7.mql5.net tcp
ZA 156.38.206.18:443 api6.mql5.net tcp
DE 195.201.80.82:443 download.mql5.com tcp
BR 177.154.156.125:443 api8.mql5.net tcp
JP 199.254.199.227:443 api9.mql5.net tcp
US 8.8.8.8:53 58.189.221.206.in-addr.arpa udp
US 8.8.8.8:53 252.194.0.142.in-addr.arpa udp
US 8.8.8.8:53 18.206.38.156.in-addr.arpa udp
US 8.8.8.8:53 125.156.154.177.in-addr.arpa udp
US 8.8.8.8:53 9.172.242.47.in-addr.arpa udp
US 8.8.8.8:53 241.1.113.148.in-addr.arpa udp
US 8.8.8.8:53 152.161.111.27.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 235.208.215.142.in-addr.arpa udp
IN 148.113.1.241:443 api3.mql5.net tcp
US 142.215.208.235:443 api7.mql5.net tcp
ZA 156.38.206.18:443 api6.mql5.net tcp
HK 27.111.161.152:443 api11.mql5.net tcp
BR 177.154.156.125:443 api8.mql5.net tcp
US 142.215.208.235:443 api7.mql5.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 227.199.254.199.in-addr.arpa udp
JP 199.254.199.227:443 api9.mql5.net tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/3144-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 c9d09ed5a9fb6ff02ee27466c5086f32
SHA1 6027c3fdfadd41ada1f3a81093c3f573c0469dc6
SHA256 aa6aefd84f99e73c4c008ff6f054caa58a82d8e6bb352423c1f0b379d4c4fa02
SHA512 23dd78981e8db2f8adedc817b6552af78be54243cd9780753f76149041a8dc30e07c2b8f92f17965ff0c07869e2e3fa95255e35c60a24265d86d4696150c5f3d

memory/5048-8-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3144-11-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aF1A3.bat

MD5 1694dbbebd809cb0400210de77dab0ad
SHA1 fd890425f2639071859468a0e6af8e836674af1a
SHA256 44ee0576d93c637ad7092f72152ed0f7afdd2962152f33af300c3c070ef2c76c
SHA512 adf9cd6fcc88cd685877f1decba44da623c21c7a423ff60469d1642ad71ef4d1c91614adb225f08198f5b44d03341bd294000163bf280899fb781a620514bd29

C:\Users\Admin\AppData\Local\Temp\8be0adff1f3e21ad9fdbc9172d209779a01202e8603c410eb4feeabfe174e9b5.exe.exe

MD5 9a6211856955a5bbd5b82d47b960f3ca
SHA1 5b3e3280a10c7d662c947bed762fd89e742b1cff
SHA256 1d15bcfb5877e4f668865240667148841d5024484347265a966fd0372df792a1
SHA512 1df215dc0403982c6bd055c1a23b0aa9075b9ecd04054b44bcc202cc560d658b33eecd4309e8875fa1252711cb65254ee1f9e3e612078e0e0018360fb6553a9f

memory/4204-19-0x0000000000400000-0x0000000000755000-memory.dmp

memory/4204-23-0x0000000000400000-0x0000000000755000-memory.dmp

memory/5048-24-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2045521122-590294423-3465680274-1000\_desktop.ini

MD5 f2c90f51b459c8c4f917ecc6829657c3
SHA1 3b580d9e09ccb0c3e8343687e9a167dbe66fe0f4
SHA256 5f6a20b6350a78505d3c636d39cbfeebc0ca00bf25ac096a5f1bb4fa3ceb4708
SHA512 1ac4d8b070f0838b1e8470d0a09d22b684a12bae0a4d7b7874a0b9cc8ef88042813453638a7289911dc710fe3a848cfdc22b91268328a3c37cbb1e4f32979347

memory/5048-32-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5048-38-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5048-42-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 66e0b3f0bf4d1aee670813c2791c56a4
SHA1 e09d9f35f982e1e992783191b5af94dcb670e6b3
SHA256 1cc4cd390cdd5c48aa1926b86ba2fe40207998a4c7f4212bc49db2c2e9aa1571
SHA512 72c3a88ea33b92f271995482b7e28e991e662231f71adf4d8cb63bc45e160391ba9a621c5fcf03d6bee20967518c9f9742b43d3b9a0b2258c454a4b77e991014

memory/5048-50-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5048-1239-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

MD5 8d50309d9450e29606adf85e3bc9b655
SHA1 e259dd151a259c6b7a44716799022399d661dd4e
SHA256 1c63450eabafc6bcf60c506dbceeaadb802745e970f7123525ef4095b7ee7264
SHA512 f342ef724a867b949bdee3794c06d4292274b603d92a1d7596aa66047871b933b8de7fa068f2a684a4973dc7627d0501bbc3ca8fa11c4c9ef273d21b70b8932b

memory/5048-4790-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 2500f702e2b9632127c14e4eaae5d424
SHA1 8726fef12958265214eeb58001c995629834b13a
SHA256 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512 f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

memory/5048-5259-0x0000000000400000-0x0000000000434000-memory.dmp